Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
395
Views
0
Helpful
2
Replies

Basic question - Which interfaces to put the crypto map statement on

cybrsage
Level 1
Level 1

‎07-26-2007 06:40 AM - edited ‎03-09-2019 06:28 PM

Here is my scenario:

Site to Site VPN, Cisco 1811 Router to hub site through DSL at the remote (1811) site. Only one VPN from remote site.

When I setup the 1811 Router, which interfaces should I put the crypto map statement onto?

I have the following potential choices:

Ethernet0 (Outside Interface, points to DSL modem which is in bridge mode)

Dialer1 (PPOE in use, obtains live Internet address)

Tunnel100 (connects to the 7204VXR)

Should the crypto map statement go on 1, 2, or all three of them?

Here is part of the config:

vpdn-group dsl

request-dialin

protocol pppoe

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 5

lifetime 7200

crypto isakmp key somekey x.x.x.x

!

crypto ipsec transform-set secure esp-3des esp-md5-hmac

mode transport

!

crypto map vpn 100 ipsec-isakmp

set peer x.x.x.x

set transform-set secure

match address 101

!

interface Tunnel100

ip address x.x.x.x x.x.x.x

ip tcp adjust-mss 1436

tunnel source Dialer1

tunnel destination x.x.x.x

crypto map vpn

!

interface Ethernet0

description ** Outside facing interface **

no ip address

no ip route-cache cef

no ip route-cache

no ip mroute-cache

duplex half

pppoe enable

pppoe-client dial-pool-number 1

arp timeout 300

no cdp enable

crypto map vpn

!

interface Dialer1

ip address negotiated

ip access-group INTERNET_INT_ACL in

ip mtu 1492

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication pap chap callin

ppp chap hostname name

ppp chap password password

ppp pap sent-username name pasword word

crypto map vpn

I also have the required access-lists.

Thanks for any insights.

Labels:
0 Helpful
2 Replies 2

mattiaseriksson
Level 3
Level 3

‎07-26-2007 04:44 PM

Very interesting question.

Do you want to encrypt the tunnel itself, or just traffic passing through the tunnel?

What I mean is if your access-list matches the gre-packets or some other traffic?

Normally you want to encrypt the gre tunnel and run that inside an ipsec tunnel, so I assume that.

Then my guess is that you have to apply the crypto-map to the dialer and the tunnel interfaces.

But you can also use tunnel-protection with the gre tunnel, it will save you some work and the headache. :-)

Check out IPSec Virtual Tunnel Interface. It is more scalable, especially if you have a hub-spoke scenario.

0 Helpful

cybrsage
Level 1
Level 1
In response to mattiaseriksson

‎07-31-2007 05:03 AM

Thanks!

Yes, my access-list matches the gre packets.

I will look up IPSec Virtual Tunnel Interface. I have hundreds of spokes and only two hubs.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents