crypto map applied to sub interface = partial encryption

Unanswered Question
Sep 12th, 2013

I have a router on a stick configuration.

With sub-interfaces .1 and .2.

I have applied the crypto map to sub-interface .2.

When I ping across the tunnel, replies from the .1 sub-interface are encrypted.

But any traffic received from the VLAN connected to sub-interface .1 appears to bypass the crypto map and goes across the WAN in the clear.

FYI, the main interface is a port channel connected to a stacked switch.

Thanks

Sent from Cisco Technical Support iPad App

Lei Tian Thu, 09/12/2013 - 20:05
Cisco Employee

Hi,

This does seem to be right. What software version are you running on the router? Can you also post the config from the router?

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

martinbuffleo Mon, 09/16/2013 - 05:17

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key password address 0.0.0.0
!
crypto ipsec transform-set SAL esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 set peer PeerIP
 set security-association lifetime seconds 28800
 set security-association idle-time 86400
 set transform-set SAL
 match address 105
!
interface Port-channel1
 no ip address
 hold-queue 150 in
!
interface Port-channel1.69
 encapsulation dot1Q 69
 ip address IPaddrs.2 255.255.255.0
 no ip proxy-arp
 standby 1 ip IPaddrs.1
 standby 1 timers 1 4
 standby 1 priority 105
 standby 1 name VLAN69
 crypto map VPN redundancy VLAN69
!
interface Port-channel1.70
 encapsulation dot1Q 70
 ip address otherNet.2 255.255.255.0
 no ip proxy-arp
 standby 1 ip otherNet.1
 standby 1 timers 1 4
 standby 1 priority 105
!
access-list 105 permit ip otherNet.0 0.0.0.255 Branch.0 0.0.0.255
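A crypto map selects traffic only by its crypto ACL and is evaluated on the interface the packet leaves through, not on the sub-interface it arrived on. The following added example (not from the thread or from Cisco) parses a config shaped like the one posted above and reports, for each interface subnet, which crypto map's ACL selects it as a source and where that map is applied; the sample config is constructed, with the placeholders IPaddrs, otherNet and Branch replaced by RFC 5737 documentation addresses (an assumption).

```python
import ipaddress
import re

# Constructed sample modelled on the thread's config (assumption: the placeholders
# IPaddrs, otherNet and Branch are replaced with RFC 5737 documentation addresses).
SAMPLE_CONFIG = """
crypto map VPN 10 ipsec-isakmp
 match address 105
interface Port-channel1.69
 encapsulation dot1Q 69
 ip address 192.0.2.2 255.255.255.0
 crypto map VPN redundancy VLAN69
interface Port-channel1.70
 encapsulation dot1Q 70
 ip address 198.51.100.2 255.255.255.0
access-list 105 permit ip 198.51.100.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

def parse_config(text):
    """Collect interface subnets, crypto-map application points and crypto ACL sources."""
    ifaces, applied, match_acl, acl_src = {}, {}, {}, {}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            section = m[1]
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            section = "map:" + m[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            ifaces[section] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"crypto map (\S+)", line):   # map applied to an interface
            applied.setdefault(m[1], []).append(section)
        elif m := re.match(r"match address (\d+)$", line):
            match_acl[section[4:]] = m[1]
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) \S+ \S+$", line):
            # IOS wildcard masks are hostmasks, which ipaddress accepts as-is
            acl_src.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
    return ifaces, applied, match_acl, acl_src

def coverage(text):
    """For each interface subnet: the crypto maps whose ACL selects it as a source and the
    interfaces those maps sit on. No map, or a map on the wrong egress interface, means
    that subnet's traffic to the peer leaves in the clear."""
    ifaces, applied, match_acl, acl_src = parse_config(text)
    report = {}
    for name, net in ifaces.items():
        maps = sorted(mp for mp, acl in match_acl.items()
                      if any(net.subnet_of(src) for src in acl_src.get(acl, [])))
        report[name] = {"network": str(net), "maps": maps,
                        "applied_on": sorted(i for mp in maps for i in applied.get(mp, []))}
    return report
```

Run `coverage(SAMPLE_CONFIG)` and compare the result against the interface the traffic actually exits; a LAN subnet missing from every map is a real gap, whereas a subnet that is covered but still shows up unencrypted in a capture points at the capture itself, as the poster later found.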

martinbuffleo Mon, 09/16/2013 - 23:09

Cancel that.

Turns out my 3rd-party VPN device, although it claims to packet capture its WAN interface, doesn't.

Note to self: always use SPAN ports or a hub.

Sent from Cisco Technical Support iPhone App
