Can a dynamic crypto map coexist with a static crypto map on one router?

Apr 19th, 2010

Hello all,

I have an 1841 router that we've been using as our L2L VPN hub at our main office.  All of our home office users have L2L IPSec VPNs that terminate on that router.  Currently, they all have various broadband connections with static IP addresses and 870 series routers at their homes.

I have one user who cannot get a static IP address, so I am wondering, can I add a dynamic crypto map to this router without affecting the existing static ones?

Relevant parts of the 1841 config:

!
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto isakmp key ** address 206.63.229.131
crypto isakmp key ** address 66.172.116.112
crypto isakmp key ** address 69.29.0.109
crypto isakmp key ** address 65.100.40.114
crypto isakmp key ** address 71.216.20.130
crypto isakmp key ** address 173.10.126.198
crypto isakmp key ** address 72.88.94.7
!
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
!
crypto map chris-vpn 5 ipsec-isakmp
description Tunnel to cnc.chris.877
set peer 206.63.229.131
set transform-set ESP-AES-MD5
match address Chris-IPSec
crypto map chris-vpn 6 ipsec-isakmp
description Tunnel to cnc.lance.871
set peer 66.172.116.112
set transform-set ESP-AES-MD5
match address Lance-IPSec
crypto map chris-vpn 7 ipsec-isakmp
description Tunnel to cnc.scott.877
set peer 69.29.0.109
set transform-set ESP-AES-MD5
match address Scott-IPSec
crypto map chris-vpn 8 ipsec-isakmp
description Tunnel to Katy's Office
set peer 65.100.40.114
set transform-set ESP-AES-MD5
match address Katy-IPSec
crypto map chris-vpn 9 ipsec-isakmp
description Tunnel to Vicci's Office
set peer 71.216.20.130
set transform-set ESP-AES-MD5
match address Vicci-IPSec
crypto map chris-vpn 10 ipsec-isakmp
description Tunnel to Dan's Office
set peer 173.10.126.198
set transform-set ESP-AES-MD5
match address Dan-IPSec
crypto map chris-vpn 11 ipsec-isakmp
description Tunnel to cnc.charlene.871 (Charlene's Home)
set peer 72.88.94.7
set transform-set ESP-AES-MD5
match address Charlene-IPSec
!
!
!
interface FastEthernet0/0
ip address 67.90.225.227 255.255.255.224
ip access-group sdm_fastethernet0/0_in in
duplex auto
speed auto
crypto map chris-vpn
!
interface FastEthernet0/1
ip address 10.99.1.1 255.255.255.252
speed 100
full-duplex

!

I've been looking at the crypto dynamic-map command, but I had thought you could apply only one map to an interface, and I only have one outside ethernet interface.

Is that possible?

Thanks!

Federico Coto F... Mon, 04/19/2010 - 08:58

Hi,

Sure, it is possible.

For example, your crypto map name is chris-vpn

Then, you create a dynamic crypto map and bind it to the static crypto map.

This dynamic crypto map should have a transform-set, and the tunnel can only be established from the dynamic side.

Federico.

olighec Mon, 04/19/2010 - 09:07

Great!

So, I can just create another map entry such as

crypto dynamic-map chris-vpn 12 ipsec-isakmp

set transform-set whatever

match address whatever

and leave the set peer line out since I won't know who it is until the remote router tries to establish the connection?

Thanks!

Federico Coto F... Mon, 04/19/2010 - 09:22

Exactly. And the command:

crypto dynamic-map chris-vpn 100 ipsec-isakmp chris-vpn

binds the dynamic crypto map to the static crypto map.

Federico.

encredes1 Wed, 07/22/2015 - 12:59

Hi.

How can I bind the dynamic crypto map to the static crypto map?

I am using the command "crypto dynamic-map chris-vpn 100 ipsec-isakmp chris-vpn", but this command is only allowed up to "crypto dynamic-map chris-vpn 100". I am using an 1841 router.

Thanks!
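The binding described in this thread, written out as an added example (not posted by anyone above). It uses the form IOS actually accepts for attaching a dynamic map to a static one: the dynamic map is a separately named template created with `crypto dynamic-map <name> <seq>`, and it is referenced from the existing static map with `crypto map chris-vpn <seq> ipsec-isakmp dynamic <name>`, which is why the line quoted in the replies above is rejected after the sequence number. The dynamic-map name DYN-HOME, the ACL name Dynamic-IPSec, the spoke LAN 192.168.50.0/24, the hub LAN 10.99.0.0/16 and the key placeholder are assumptions; the transform set ESP-AES-MD5, the map name chris-vpn and the interface come from the posted config.

```ios
! --- Added example, not from any poster: dynamic crypto map bound to the
! --- existing static map "chris-vpn" on the 1841 hub.
! --- Assumed names/values: DYN-HOME, Dynamic-IPSec, 192.168.50.0/24,
! --- 10.99.0.0/16, REPLACE-WITH-DYNAMIC-PSK.
!
! Pre-shared key accepted from any source address (wildcard), because the
! spoke's address is not known in advance. Since this key cannot be tied to
! one peer, do NOT reuse a key from the static peers: a leaked spoke key must
! never be able to negotiate one of the static entries.
crypto isakmp key REPLACE-WITH-DYNAMIC-PSK address 0.0.0.0 0.0.0.0
!
! The dynamic map is a template: no "set peer", because the address is
! learned from whichever router initiates IKE. The hub can only respond to
! this tunnel, never initiate it.
crypto dynamic-map DYN-HOME 10
 set transform-set ESP-AES-MD5
 match address Dynamic-IPSec
!
! Proxy ACL (assumed). The spoke's crypto ACL must be the mirror image.
ip access-list extended Dynamic-IPSec
 permit ip 10.99.0.0 0.0.255.255 192.168.50.0 0.0.0.255
!
! Binding: one more entry in the SAME map already applied to
! FastEthernet0/0, so no second map on the interface is needed. The sequence
! number must be higher than every static entry (5-11 in the posted config):
! IOS evaluates entries in ascending order, and the dynamic entry must be
! the catch-all tried last, after all address-specific peers fail to match.
crypto map chris-vpn 100 ipsec-isakmp dynamic DYN-HOME
!
! Nothing changes on the interface; "crypto map chris-vpn" is already there.
!
! Verification (exec mode):
!   show crypto map                 - static entries plus the dynamic reference
!   show crypto isakmp sa           - the spoke's current public IP appears here
!   show crypto ipsec sa peer <ip>  - IPsec SAs instantiated from the template
```

Two practical notes. First, with a wildcard key every dynamic spoke shares one secret and is identified only by that secret, so if more than one dynamic-address spoke is ever added, per-peer authentication (keys bound to an IKE hostname identity, or certificates) is the safer choice than widening the wildcard entry. Second, because the hub cannot bring this tunnel up, traffic that originates at the hub will fail until the spoke sends interesting traffic; if hub-originated access is needed, have the spoke keep the SA alive (for example with a periodic ping to the hub LAN matched by the crypto ACL).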