
One crypto map, different tunnel source addresses (secondary)

Hi,

I have two devices with two different (public) IP addresses (Cisco 2811 and Cisco 851), which both host some IPSec tunnels (IPSec/ESP/Tunnel mode). I want to move the 851's configuration to the 2811, and remove the 851 from the network. There is a crypto map assigned to the main outside interface of the 2811 with a few entries. The problem is that I cannot change any of the tunnel TEPs, so the IP address of the 851 must be moved onto the 2811 (as a secondary address). Is there anything I can do to use the secondary address as an IPSec tunnel source? Or do I have to do it using NAT and loopback interfaces?

1 Reply

sadbulali
Level 4

Source IP addresses for IKE for exchanges leaving out of the same physical interface, i.e.:

crypto map to-peer_a 10 ipsec-isakmp
 set peer 10.1.3.1
 set local-address loopback1 <-- new command
 match address 100
crypto map to-peer_a 20 ipsec-isakmp
 set peer 10.1.3.2
 set local-address loopback2 <-- new command
 match address 101

Current code allows specifying a local-address per crypto map only, and not per crypto map instance, as suggested above.
