
Limitation in crypto map regarding "set peer x.x.x.x"

lmoushouras
Level 1

Hello,

I am using IOS 12.2.10b in Cisco router 7206VXR.

I noticed that in the same <crypto map "name" 1 ipsec-isakmp> I can install only 40 peers, but I need 160 peers. Is there any limitation in the IOS version?

Regards

2 Replies

gfullage
Cisco Employee

40 peers is the max you can have. Are you sure you really want 160 backup peers? That doesn't sound right.

I think what you want is 160 peer routers catering for 160 sets of encrypted traffic. By putting all your peer routers under the "1" instance you are saying that the second is only ever used if the first is down, the third is only ever used if the first and second are down, and so on. Is this what you want?

Or do you want to encrypt traffic from A to B to peer 1, traffic from A to C to peer 2, traffic from A to D to peer 3, etc.? If so, then you need to do it like this (note the different instances of the same crypto map, each pointing to a different peer with a different access-list):

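! <name> is a placeholder for the crypto map name: it is the same in every
! entry, only the sequence number (1, 2, 3, ...) changes.
crypto map <name> 1 ipsec-isakmp
   set peer 1.1.1.1
   match address 100
   set transform-set esp3des
crypto map <name> 2 ipsec-isakmp
   set peer 2.2.2.2
   match address 101
   set transform-set esp3des
crypto map <name> 3 ipsec-isakmp
   set peer 3.3.3.3
   match address 102
   set transform-set esp3des
......
! <A>, <B>, <C>, <D> are placeholders for the source and destination
! network and wildcard mask of each traffic flow described above.
access-list 100 permit ip <A> <B>
access-list 101 permit ip <A> <C>
access-list 102 permit ip <A> <D>
......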
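
An added example, not part of the original thread and not Cisco tooling: a Python check that parses crypto map entries from a saved configuration and flags the layouts the reply above distinguishes (several `set peer` lines under one sequence number, more peers than the 40 the reply gives as the maximum, entries without `match address`, and entries that share an access-list). The map name VPN, the addresses, the ACL numbers and the finding labels are assumptions, and the sample config is constructed.

```python
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\b")
KEYWORDS = (["set", "peer"], ["match", "address"])
PEER_LIMIT = 40  # per-entry maximum, as stated in the reply above

# Constructed sample: map name VPN, addresses and ACL numbers are made up.
SAMPLE = """\
crypto map VPN 1 ipsec-isakmp
 set peer 192.0.2.1
 set peer 192.0.2.2
 match address 100
crypto map VPN 2 ipsec-isakmp
 set peer 192.0.2.3
crypto map VPN 3 ipsec-isakmp
 set peer 192.0.2.4
 match address 100
"""

def parse_entries(config):  # -> {(map_name, seq): {"peer": [...], "address": [...]}}
    entries, current = {}, None
    for line in config.splitlines():
        words, m = line.split(), ENTRY_RE.match(line)
        if not words:
            continue  # blank lines (as in the paste above) do not end an entry
        if m:
            current = entries.setdefault((m[1], int(m[2])), {"peer": [], "address": []})
        elif not line[0].isspace():
            current = None  # any other top-level command ends the entry
        elif current is not None and len(words) > 2 and words[:2] in KEYWORDS:
            current[words[1]].append(words[2])
    return entries

def audit(config):  # -> sorted (map_name, seq, finding) tuples
    findings, acl_users = [], defaultdict(list)
    for (name, seq), e in parse_entries(config).items():
        checks = {"multiple-peers": len(e["peer"]) > 1,
                  "over-peer-limit": len(e["peer"]) > PEER_LIMIT,
                  "no-match-address": not e["address"]}
        findings += [(name, seq, k) for k, hit in checks.items() if hit]
        for acl in e["address"]:
            acl_users[(name, acl)].append(seq)
    for (name, _), seqs in acl_users.items():
        if len(seqs) > 1:  # entries sharing an ACL: lowest sequence matches first
            findings += [(name, s, "shared-acl") for s in seqs]
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
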

Thanks for your answer.

Yes, this is what I want.

But I have noticed that if I configure 40 peers in the same crypto map they are not actually treated as backup routers, but all peers can be active. So it is quicker to have one crypto map with a lot of peers than 160 crypto maps with different sequence numbers.

Thanks in advance