New Member

MULTIPLE CRYPTO MAP

I would like to have two crypto maps on one interface. Is that possible?

Example

crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
crypto map map_london 20 ipsec-isakmp
crypto map map_london 20 match address acl_london
crypto map map_london 20 set pfs group2
crypto map map_london 20 set peer aa.bb.cc.dd
crypto map map_london interface outside

6 REPLIES
Gold

Re: MULTIPLE CRYPTO MAP

YES!

New Member

Re: MULTIPLE CRYPTO MAP

How do I do it?

Re: MULTIPLE CRYPTO MAP

You can only bind one crypto map to an interface. You can have many tunnels on the same crypto map (dynamic maps included) by creating a new policy number.

For example:

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set AWU_Transform
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs group2
crypto map outside_map 40 set peer y.y.y.y
crypto map outside_map 40 set transform-set AWU_Transform
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

I hope it helps. Please rate it if it does!
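As an added illustration of the rule in the answer above (not code from the thread or from Cisco): a small Python check that reads PIX-style `crypto map` lines, reports an interface with more than one crypto map bound to it, and reports static entries that lack a match address, peer or transform-set. `QUESTION` reproduces the original poster's lines with a documentation address in place of the masked peer; `MERGED` is a constructed single-map version, and the transform-set name `TS_LONDON` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the question's config; 192.0.2.10 replaces the masked peer.
QUESTION = """\
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
crypto map map_london 20 ipsec-isakmp
crypto map map_london 20 match address acl_london
crypto map map_london 20 set pfs group2
crypto map map_london 20 set peer 192.0.2.10
crypto map map_london interface outside
"""
# Constructed merge into one map; the transform-set name TS_LONDON is hypothetical.
MERGED = """\
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address acl_london
crypto map mymap 20 set pfs group2
crypto map mymap 20 set peer 192.0.2.10
crypto map mymap 20 set transform-set TS_LONDON
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
"""
REQUIRED = ("match address", "set peer", "set transform-set")

def audit_crypto_maps(config):
    """Return a list of findings for the crypto map lines of a PIX-style config."""
    bound = defaultdict(list)    # interface -> crypto map names bound to it
    entries = defaultdict(dict)  # map name -> {sequence number: settings seen}
    for line in config.splitlines():
        m = re.match(r"\s*crypto map (\S+) (\S.*)", line)
        if not m:
            continue
        name, tok = m.group(1), m.group(2).split()
        if tok[0] == "interface" and len(tok) > 1:
            bound[tok[1]].append(name)
        elif tok[0].isdigit():
            seen = entries[name].setdefault(int(tok[0]), set())
            seen.add("dynamic" if "dynamic" in tok else " ".join(tok[1:3]))
    findings = [f"{iface}: crypto maps {sorted(set(n))} bound, only one allowed"
                for iface, n in bound.items() if len(set(n)) > 1]
    for name, seqs in entries.items():
        for seq, seen in sorted(seqs.items()):
            # Dynamic entries take their settings from the dynamic map, so skip them.
            missing = [] if "dynamic" in seen else [r for r in REQUIRED if r not in seen]
            findings += [f"{name} {seq}: missing '{r}'" for r in missing]
    return findings
```

Run against `QUESTION`, it reports the double binding on `outside` and that entry 20 of `map_london` shows no transform-set; `MERGED` produces no findings.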

Gold

Re: MULTIPLE CRYPTO MAP

Here's an example. The reason I've got two statements for the crypto ACL is so that it doesn't cause problems with PDM, as PDM doesn't like the same statement in two places within the configuration.

access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 100 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 200 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 300 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 400 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 100
crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set transform-set TEST
crypto map MYMAP 20 ipsec-isakmp
crypto map MYMAP 20 match address 200
crypto map MYMAP 20 set peer x.x.x.x
crypto map MYMAP 20 set transform-set TEST
crypto map MYMAP 30 ipsec-isakmp
crypto map MYMAP 30 match address 300
crypto map MYMAP 30 set peer x.x.x.x
crypto map MYMAP 30 set transform-set TEST
crypto map MYMAP 40 ipsec-isakmp
crypto map MYMAP 40 match address 400
crypto map MYMAP 40 set peer x.x.x.x
crypto map MYMAP 40 set transform-set TEST
crypto map MYMAP interface outside
isakmp enable outside
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Hope this helps, please rate post if it does.

Jay

Re: MULTIPLE CRYPTO MAP

Please advise what you are trying to achieve.

New Member

Re: MULTIPLE CRYPTO MAP

I was trying to connect multiple VPN clients with dyn-map and a VPN point-to-point, everything on the same interface. Thanks all of you for your help.

Regards,

Eduardo
