Using Crypto Maps and IPsec Static VTIs on the same router

Unanswered Question
Aug 24th, 2010

Is it possible to configure both crypto maps and IPsec static VTIs on the same router? What platforms have this capability? What IOS version do I need?

uwkleinh Tue, 08/24/2010 - 15:02

Yes, you can, and as far as I know I don't think there is a hardware dependency.

VTI mode 'tunnel mode ipsec ipv4' was added in 12.3(14)T.

If you are mixing tunnel protection and crypto map, ensure you use ISAKMP profiles to differentiate somehow that the tunnel IPsec connection is not processed on the crypto map!

Here is a rough example (fine tune it as needed):

crypto keyring key1
 pre-shared-key address key test123
crypto keyring key2
 pre-shared-key address key test777
crypto isakmp profile vpn1
 keyring key1
 match identity address
crypto isakmp profile vpn2
 keyring key2
 match identity address
crypto ipsec transform-set test esp-des esp-sha-hmac
crypto IPsec profile vpn-tunnel
 set transform-set test
 set isakmp-profile vpn1
crypto map mymap 1 ipsec-isakmp
 set transform-set test
 set peer
 set isakmp-profile vpn2
 match address 177
interface Tunnel0
 ip address
 tunnel source
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn-tunnel
interface Ethernet4
 ip add
 crypto map mymap
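
Added example, not part of the original post and not Cisco tooling: a small Python audit that checks the separation described above, namely that every IPsec profile used for tunnel protection and every crypto map applied to an interface sets an ISAKMP profile, and that the two sides never share one. It assumes `show running-config` layout (sub-commands indented by a space); the sample config and its addresses are constructed, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample in running-config layout; addresses are documentation-range placeholders.
SAMPLE = """\
crypto isakmp profile vpn1
 match identity address 192.0.2.1 255.255.255.255
crypto isakmp profile vpn2
 match identity address 198.51.100.1 255.255.255.255
crypto ipsec profile vpn-tunnel
 set isakmp-profile vpn1
crypto map mymap 1 ipsec-isakmp
 set peer 198.51.100.1
 set isakmp-profile vpn2
interface Tunnel0
 tunnel protection ipsec profile vpn-tunnel
interface Ethernet4
 crypto map mymap
"""

def audit(config):
    """List findings; ISAKMP profiles are pooled per crypto map name across its entries."""
    section, bound, vti, maps = None, {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                      # unindented line opens a new section
            m = re.match(r"crypto ipsec profile (\S+)|crypto map (\S+) \d+", line)
            section = None
            if m:
                section = ("vti", m.group(1)) if m.group(1) else ("map", m.group(2))
                bound.setdefault(section, set())
        elif section and line.startswith("set isakmp-profile "):
            bound[section].add(line.split()[-1])
        elif line.startswith("tunnel protection ipsec profile "):
            vti.add(line.split()[4])                  # profile name; ignores a trailing keyword
        elif re.fullmatch(r"crypto map \S+", line):   # crypto map applied to an interface
            maps.add(line.split()[-1])
    findings = []
    for kind, names in (("vti", vti), ("map", maps)):
        for n in sorted(names):
            if not bound.get((kind, n)):
                findings.append(f"{kind} {n}: no isakmp-profile set")
    used_vti = set().union(*(bound.get(("vti", n), set()) for n in vti))
    used_map = set().union(*(bound.get(("map", n), set()) for n in maps))
    for p in sorted(used_vti & used_map):
        findings.append(f"isakmp profile {p} shared by VTI and crypto map")
    return findings
```

An empty list means the VTI and the crypto map are each tied to their own ISAKMP profile; any finding points at a spot where tunnel traffic could be matched by the crypto map's negotiation instead.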


Eugene Khabarov Tue, 03/24/2015 - 01:23

The main difference will be that on the remote devices in this case the crypto ACL itself will contain only two addresses, mirroring the addresses specified as tunnel source and tunnel destination on the 2921. In theory, there are no other changes.