Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2727
Views
5
Helpful
5
Replies

Crypto Map Priority

Go to solution
GRANT3779
Spotlight
Spotlight

‎09-08-2014 04:15 AM

Hi All,

I'm looking to have multiple site to site VPNs hanging off my one Outside Interface.

I understand I can have one crpypto map assigned to the interface.

If I want for example, one of the VPNs to  require PFS, but the other not to - do I just configure a different priority under the Crypto Map? Do the crypro map entries get processed top down until a matching one is found?

 

e.g

 

crypto map CMAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TSET
 match address ACL1

crypto map CMAP 20 ipsec-isakmp
 set peer y.y.y.y
 set transform-set TSET
 match address ACL2
set pfs group 2

 

Thanks

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎09-08-2014 04:42 AM

You are right, the crypto map is processed top down. So if your traffic matches ACL2 (and not ACL1!), then all parameters configured under CMAP sequence 20 are relevant to that connection.

 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Karsten Iwen
VIP
VIP

‎09-08-2014 04:42 AM

You are right, the crypto map is processed top down. So if your traffic matches ACL2 (and not ACL1!), then all parameters configured under CMAP sequence 20 are relevant to that connection.

 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎09-08-2014 04:42 AM

If I want for example, one of the VPNs to  require PFS, but the other not to - do I just configure a different priority under the Crypto Map? Do the crypro map entries get processed top down until a matching one is found?

That is correct, the cryptomap entries get processed top down (in order of priority).  So if the remote end requires a PFS then it will continue checking the crypto map policies until a match is found, or none match and it will be discarded.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Go to solution
Karsten Iwen
VIP
VIP
In response to Marius Gunnerud

‎09-08-2014 12:54 PM

This description is not absolutely correct:

If the initiator wants PFS but the responder is configured without, then the connection will work and the responder automatically changes to PFS.

The other way round, the connection will fail if the initiator is configured without PFS but the responder is configured with PFS. But the router will not choose one of the next crypto map sequences.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Karsten Iwen

‎09-09-2014 01:24 AM

Interesting! Every thing I have read indicates that both sides must be configured equally (including PFS).  I have also tried to get this scenario to work in a lab but as of yet have been unable to get it working.

@Karsten - would you be able to provide a link to documentation that describes this PFS behavior?  I have been unable to find such a document yet.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Marius Gunnerud

‎09-09-2014 01:33 AM

I didn't find that in the documentation and I would consider it as a misconfiguration when configured in a way where it's not matching. I realized that this behavior exists long time ago when troubleshooting a client-setup. There the VPN only worked when initiated from one side and it also was a PFS mismatch. If you don't see this in your lab, I can't rule out that this changed in newer IOS-versions. I think I have to lab that again.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents