Crypto Map Priority

Answered Question
Sep 8th, 2014
User Badges:
  • Bronze, 100 points or more

Hi All,

I'm looking to have multiple site to site VPNs hanging off my one Outside Interface.

I understand I can have one crypto map assigned to the interface.

If I want for example, one of the VPNs to require PFS, but the other not to - do I just configure a different priority under the Crypto Map? Do the crypto map entries get processed top down until a matching one is found?

 

e.g.

crypto map CMAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TSET
 match address ACL1

crypto map CMAP 20 ipsec-isakmp
 set peer y.y.y.y
 set transform-set TSET
 match address ACL2
 set pfs group 2

Thanks

 

Correct Answer
Karsten Iwen Mon, 09/08/2014 - 04:42
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP,

    2017 Firewalling, VPN

You are right, the crypto map is processed top down. So if your traffic matches ACL2 (and not ACL1!), then all parameters configured under CMAP sequence 20 are relevant to that connection.

 

Marius Gunnerud Mon, 09/08/2014 - 04:42
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP,

    2017 Firewalling

If I want for example, one of the VPNs to require PFS, but the other not to - do I just configure a different priority under the Crypto Map? Do the crypto map entries get processed top down until a matching one is found?

That is correct, the crypto map entries get processed top down (in order of priority). So if the remote end requires a PFS then it will continue checking the crypto map policies until a match is found, or none match and it will be discarded.

--

Please remember to select a correct answer and rate helpful posts

Karsten Iwen Mon, 09/08/2014 - 12:54
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP,

    2017 Firewalling, VPN

This description is not absolutely correct:

If the initiator wants PFS but the responder is configured without, then the connection will work and the responder automatically changes to PFS.

The other way round, the connection will fail if the initiator is configured without PFS but the responder is configured with PFS. But the router will not choose one of the next crypto map sequences.
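As an added example (not from this thread and not Cisco code), the Python model below walks through the two behaviours discussed above: entry selection goes through the crypto map in sequence-number order and stops at the first match-address ACL that permits the flow, and a PFS mismatch on the selected entry fails the negotiation instead of falling through to the next sequence. The ACL contents (ACL1 permits 10.1.1.0/24 to 192.168.1.0/24, ACL2 permits 10.1.1.0/24 to 192.168.2.0/24), the documentation-range peer addresses and the wildcard-mask matching are assumptions for the example. The PFS outcomes encode Karsten's description: the mixed case where a responder without `set pfs` accepts the initiator's group is his observation rather than documented behaviour, and the requirement that both groups be equal when both sides configure PFS is also an assumption here.

```python
"""Model of IOS crypto map entry selection and of the PFS outcomes described
in this thread.  Added example, not Cisco code: the ACLs, the peers and the
mixed-PFS outcome are assumptions (see the lead-in)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means that address bit must equal the network bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class AclPermit:
    """One 'permit ip <src> <wc> <dst> <wc>' line of a crypto ACL."""
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def permits(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    peer: str
    acl: tuple[AclPermit, ...]
    pfs_group: Optional[int] = None  # None means 'set pfs' is not configured


def select_entry(cmap: list[CryptoMapEntry], src: str, dst: str) -> Optional[CryptoMapEntry]:
    """Top-down walk in sequence order; the first entry whose match-address ACL
    permits the flow wins.  With overlapping ACLs the lower sequence number
    always wins, which is why ACL1 and ACL2 must not both match a flow."""
    for entry in sorted(cmap, key=lambda e: e.seq):
        if any(line.permits(src, dst) for line in entry.acl):
            return entry
    return None  # no entry matches: the flow is not encrypted at all


def negotiate_pfs(local_pfs: Optional[int], peer_pfs: Optional[int],
                  local_is_initiator: bool) -> tuple[bool, str]:
    """Outcome of the IPsec SA negotiation on the chosen entry, as the thread
    describes it.  The mixed case is Karsten's observation; the equal-group
    requirement when both sides set PFS is assumed."""
    init, resp = (local_pfs, peer_pfs) if local_is_initiator else (peer_pfs, local_pfs)
    if init is None and resp is None:
        return True, "no PFS on either side"
    if init is not None and resp is None:
        return True, f"responder has no 'set pfs' but accepts initiator's group {init}"
    if init is None:
        return False, f"responder requires PFS group {resp}, initiator offered none"
    if init == resp:
        return True, f"PFS group {init} on both sides"
    return False, f"PFS group mismatch: initiator {init}, responder {resp}"


def bring_up_tunnel(cmap, src, dst, local_is_initiator, peer_pfs):
    """Select the entry for the flow, then negotiate.  A PFS failure is reported
    against the selected sequence; the router does not retry the flow against
    the next sequence."""
    entry = select_entry(cmap, src, dst)
    if entry is None:
        return {"seq": None, "up": False, "reason": "no crypto map entry matches"}
    up, reason = negotiate_pfs(entry.pfs_group, peer_pfs, local_is_initiator)
    return {"seq": entry.seq, "peer": entry.peer, "up": up, "reason": reason}


# The thread's CMAP with assumed ACL contents and documentation-range peers.
ACL1 = (AclPermit("10.1.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),)
ACL2 = (AclPermit("10.1.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),)
CMAP = [
    CryptoMapEntry(seq=10, peer="203.0.113.1", acl=ACL1),               # no 'set pfs'
    CryptoMapEntry(seq=20, peer="198.51.100.1", acl=ACL2, pfs_group=2),  # set pfs group 2
]

if __name__ == "__main__":
    # Peer of seq 20 initiates without PFS: seq 20 is selected and the SA fails; no fallback.
    print(bring_up_tunnel(CMAP, "10.1.1.5", "192.168.2.7", local_is_initiator=False, peer_pfs=None))
    # We initiate on seq 10 (no PFS) towards a peer that requires PFS: fails as well.
    print(bring_up_tunnel(CMAP, "10.1.1.5", "192.168.1.7", local_is_initiator=True, peer_pfs=2))
```

On a router, `show crypto map` prints the entries in sequence order with their peer, match-address ACL and PFS setting, which is the same view this model walks; if a tunnel only comes up from one side, the PFS setting of the selected entry is where to look, because the selection itself does not change with the PFS result.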

Marius Gunnerud Tue, 09/09/2014 - 01:24
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP,

    2017 Firewalling

Interesting! Everything I have read indicates that both sides must be configured equally (including PFS). I have also tried to get this scenario to work in a lab but as of yet have been unable to get it working.

@Karsten - would you be able to provide a link to documentation that describes this PFS behavior?  I have been unable to find such a document yet.

--

Please remember to select a correct answer and rate helpful posts

Karsten Iwen Tue, 09/09/2014 - 01:33
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP,

    2017 Firewalling, VPN

I didn't find that in the documentation and I would consider it a misconfiguration when configured in a way where it's not matching. I realized a long time ago that this behavior exists, when troubleshooting a client setup. There the VPN only worked when initiated from one side, and it also was a PFS mismatch. If you don't see this in your lab, I can't rule out that this changed in newer IOS versions. I think I have to lab that again.
