Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

crypto map set peer

I am trying to setup vpn access for some external users. I am new to this and am a bit confused on the crypto map 'name' set peer command. What is the peer? Is this the remote user coming in? If so how would I specify a subnet rather than an individual IP?

Louanne Fournier

New Member

Re: crypto map set peer

To Provide VPN Access for exxternal Clients, you should normally use the "Dynamic-Maps" instead of Static . "set peer" is used for Static maps in which you know the ip addresses for the remote end, which won't be possible in your scenario.

Try this link for setting this up

Regards \\ Naman

New Member

Re: crypto map set peer

Hi Louanne,

A peer is the end-point of a VPN secure connection. It could be a router or a pix. There are 2 things that needs to be clarified about. First, you can use Dynamic crypto maps when you don't know the peer ip address of a mobile user but the mobile peer knows its peer ip address. This happens when you an HQ site end router is tryping to establish a VPN with a mobile user.

The second thing is, if you want to a set of external hosts (all in the same subnet) to establish a VPN to your site, then put them behind a PIX or a high end router like 72xx and initiate a VPN connection from the PIX/72xx to your site.

Note that in both cases, your site end router/pix should use dynamic crypto map and the external hosts (who can mobile i.e., they can have different ip address at different times)should use static crypto map. If the external host(s) is/are static with a constant global ip address, then use a static crypto map.

Let me know if you need a sample scenario and config.


New Member

Re: crypto map set peer

I would love a sample scenario using the dynamic crypto map. I have one configured for my mobile users. I am a newbie and haven't gotten to the docs yet on the dynamic setup so that would be wonderful.


Louanne Fournier

New Member

Re: crypto map set peer

Here is a sample config with the following functionality

1. PIX terminating IPSec Tunnels from Remote PIX\IOS (Static Maps).

2. PIX terminating External User connections (Dynamic Maps) using Cisco VPN Clients and also using Windows IAS for X-Auth.

3. PIX terminating External User connections using Micorsoft VPN Clients (PPTP).

Below is the relevant parts of the config


--------------------IP Address Pool for External VPN Clients-------------

ip local pool vpn-pool

--------VPN Traffic should not go through NAT--------

access-list nonat permit ip object-group sb-vpn-subnets

nat (inside) 0 access-list nonat

-------RADIUS Server for X-Auth and for PPTP Clients Authentication------

aaa-server internal-radius protocol radius

aaa-server internal-radius (inside) host Alpha xxxxxxx timeout 10

--------Allow established IPSec and PPTP traffic to Bypass the outside ACL-----

sysopt connection permit-ipsec

sysopt connection permit-pptp

-----------------Transform sets to be used be with Static and Dynamic Maps--

crypto ipsec transform-set des esp-des esp-md5-hmac

crypto ipsec transform-set 3des esp-3des esp-md5-hmac

crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

crypto ipsec transform-set des-sha esp-des esp-sha-hmac

---------Dynamic Maps for Cisco VPN Clients----------

crypto dynamic-map vpnclients 1 set transform-set des

crypto dynamic-map vpnclients 2 set transform-set 3des

---------Static Maps for IPSec Tunnels with other PIX\IOS-------

crypto map vpnmap 1 ipsec-isakmp

crypto map vpnmap 1 match address fr-vpn

crypto map vpnmap 1 set peer fr-firewall

crypto map vpnmap 1 set transform-set des

crypto map vpnmap 10 ipsec-isakmp dynamic vpnclients

crypto map vpnmap client authentication internal-radius

crypto map vpnmap interface outside

isakmp enable outside

-----Pre-Shared Key for IPSec Tunnels with other PIX\IOS---

isakmp key xxxxxxxxx address fr-firewall netmask no-xauth no-config-mode

-------------ISAKMP Policies--------------

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption 3des

isakmp policy 2 hash sha

isakmp policy 2 group 2

isakmp policy 2 lifetime 86400

-----------Needed for VPN Clients-------------

isakmp policy 3 authentication pre-share

isakmp policy 3 encryption des

isakmp policy 3 hash md5

isakmp policy 3 group 2

isakmp policy 3 lifetime 86400

isakmp policy 4 authentication pre-share

isakmp policy 4 encryption 3des

isakmp policy 4 hash md5

isakmp policy 4 group 2

isakmp policy 4 lifetime 86400

------------------VPN group Cofniguration for Cisco VPN Clients--------

vpngroup yyy address-pool vpn-pool

vpngroup yyy dns-server Alpha Beta

vpngroup yyy wins-server Alpha Beta

vpngroup yyy default-domain aaaa.bbb

vpngroup yyy split-tunnel nonat

vpngroup yyy idle-time 1800

vpngroup yyy password xxxxx

--------------Configuration for Microsoft PPTP Clients---------

vpdn group pptp accept dialin pptp

vpdn group pptp ppp authentication mschap

vpdn group pptp ppp encryption mppe 128

vpdn group pptp client configuration address local vpn-pool

vpdn group pptp client configuration dns Alpha Beta

vpdn group pptp client configuration wins Alpha Beta

vpdn group pptp client authentication aaa internal-radius

vpdn group pptp pptp echo 60

vpdn enable outside