12-16-2002 12:29 PM - edited 02-21-2020 12:14 PM
I have a hub-and-spoke IPSec VPN setup between spoke IOS routers and a PIX 515 as a hub. I have done the config by the book and I have a pretty big config right now. I was wondering if I could streamline the config a bit. I noticed that I have one crypto map with 50 different sequence numbers. All my peers use the ipsec-isakmp and the same transform set. The only difference in each sequence is the peer address and the access-list to match.
I am wondering if I can chop this down to only one crypto map sequence number that has all my peers and one access-list that includes all the peers. This is my idea for the hub PIX:
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 set transform-set myset
crypto map mymap 1 match address 110
crypto map mymap 1 set peer 1.1.1.1
crypto map mymap 1 set peer 2.2.2.2
crypto map mymap 1 set peer 3.3.3.3
access-list 110 permit gre host 10.10.10.10 host 1.1.1.1
access-list 110 permit gre host 10.10.10.10 host 2.2.2.2
access-list 110 permit gre host 10.10.10.10 host 3.3.3.3
Right now, I am doing this with 3 sequence numbers and three access-lists. I just want to be a bit more "elegant" with my PIX config. Will this work?
Thanks,
Diego
12-16-2002 12:41 PM
Hi Diego,
The config that you have on the PIX right now, with different sequence numbers with the peer address and access-list, is the best method to implement IPSec LAN-to-LAN tunnels, and the config that you want to implement is a big no-no for three different peers.
Regards,
Arul
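The answer above keeps one sequence number and one access-list per spoke. The following Python script is an added example, not part of the thread or of any Cisco tool: it removes the hand-editing the question complains about by generating those per-peer entries from a single peer list, and it includes a small lint that flags the collapsed pattern from the question (several "set peer" lines under one sequence number). The map name mymap, transform set myset, the hub GRE source 10.10.10.10 and the spoke addresses are taken from the question; the sequence and ACL numbering scheme and the function names are this example's own assumptions. On IOS, repeating "set peer" under one entry designates backup peers for that same entry, which is a different thing from three independent sites, so the lint treats any multi-peer entry as something to review.

```python
"""Generate per-peer PIX crypto map entries for a hub-and-spoke IPsec setup
and flag entries that bundle several peers under one sequence number.

Added example for this thread, not the original poster's config and not a
Cisco tool. Names mymap/myset and the addresses come from the question;
the numbering scheme (seq 10, 20, ...; ACL 110, 111, ...) is an assumption.
"""
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample input: the placeholder addresses used in the question.
HUB_TUNNEL_SOURCE = "10.10.10.10"
SPOKES = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]

# Matches "crypto map <name> <seq> set peer <addr>" (PIX/IOS syntax).
SET_PEER_RE = re.compile(
    r"^crypto map (?P<map>\S+) (?P<seq>\d+) set peer (?P<peer>\S+)$")


def crypto_map_entries(spokes, seq_start=10, seq_step=10, acl_start=110):
    """Return one (sequence, acl_number, peer) tuple per spoke.

    Each spoke gets its own sequence number and its own access-list so that
    the traffic selector for a spoke is bound to exactly that peer. Malformed
    or duplicate peer addresses raise ValueError instead of silently producing
    two entries for the same site.
    """
    seen = set()
    entries = []
    for i, peer in enumerate(spokes):
        addr = str(IPv4Address(peer))  # ValueError on a bad address
        if addr in seen:
            raise ValueError(f"duplicate peer {addr}")
        seen.add(addr)
        entries.append((seq_start + i * seq_step, acl_start + i, addr))
    return entries


def render_config(map_name, transform_set, hub_source, spokes, **numbering):
    """Render the per-peer crypto map and GRE access-lists as PIX CLI text."""
    lines = []
    for seq, acl, peer in crypto_map_entries(spokes, **numbering):
        lines.append(f"access-list {acl} permit gre host {hub_source} host {peer}")
        lines.append(f"crypto map {map_name} {seq} ipsec-isakmp")
        lines.append(f"crypto map {map_name} {seq} set transform-set {transform_set}")
        lines.append(f"crypto map {map_name} {seq} match address {acl}")
        lines.append(f"crypto map {map_name} {seq} set peer {peer}")
    return "\n".join(lines) + "\n"


def multi_peer_entries(config_text):
    """Lint: map (map_name, seq) -> peers for entries with more than one peer.

    A static entry carrying several independent spokes is the pattern the
    answer above advises against; entries with one peer are returned as {}.
    """
    peers = defaultdict(list)
    for raw in config_text.splitlines():
        m = SET_PEER_RE.match(raw.strip())
        if m:
            peers[(m["map"], int(m["seq"]))].append(m["peer"])
    return {key: found for key, found in peers.items() if len(found) > 1}


# Constructed sample: the collapsed single-entry form proposed in the question.
PROPOSED = """\
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 set transform-set myset
crypto map mymap 1 match address 110
crypto map mymap 1 set peer 1.1.1.1
crypto map mymap 1 set peer 2.2.2.2
crypto map mymap 1 set peer 3.3.3.3
"""

if __name__ == "__main__":
    print(render_config("mymap", "myset", HUB_TUNNEL_SOURCE, SPOKES))
    print("entries with several peers:", multi_peer_entries(PROPOSED))
```

Running the script prints the three-entry configuration (sequence numbers 10, 20 and 30 with access-lists 110 to 112) and reports that sequence 1 of the proposed config bundles three peers. Adding a fourth spoke is a one-line change to SPOKES rather than five new CLI lines typed by hand.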
12-26-2002 08:07 AM
Diego,
You could configure it as a dynamic VPN, therefore eliminating all the cryptomaps. However, this would then allow anyone to connect via VPN IF THEY KNOW your IP, and your key.
Dan
12-26-2002 11:00 AM
Thanks for the info. I have been considering using dyn VPN.
Diego