Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

One crypto map, different tunnel source addresses (secondary)


I have two devices with two different (public) IP addresses (Cisco 2811 and Cisco 851), which both host some IPSec tunnels (IPSec/ESP/Tunnel mode). I want to move the 851's configuration to the 2811, and remove the 851 from the network. There is a crypto map assigned to the main outside interface of the 2811 with a few entries. The problem is that I cannot change any of the tunnel TEPs, so the IP address of the 851 must be moved onto the 2811 (as a secondary address). Is there anything I can do to use the secondary address as an IPSec tunnel source? Or do I have to do it using NAT and loopback interfaces?

  • Other Security Subjects
New Member

Re: One crypto map, different tunnel source addresses (secondary

Source IP addresses for IKE for exchanges leaving out of the same physical interface, ie:

crypto map to-peer_a 10 ipsec-isakmp

set peer

set local-address loopback1 <-- new command

match address 100

crypto map to-peer_a 20 ipsec-isakmp

set peer

set local-address loopback2 <-- new command

match address 101

Current code allows to specify a local-address for each crypto map only, and not on a per crypto map instance, as suggested above.

This widget could not be displayed.