I have a hub-and-spoke IPSec VPN setup between spoke IOS routers and a PIX 515 as a hub. I have done the config by the book and I have a pretty big config right now. I was wondering if I could streamline the config a bit. I noticed that I have one crypto map with 50 different sequence numbers. All my peers use the ipsec-isakmp and the same transform set. The only difference in each sequence is the peer address and the access-list to match.
I am wondering if I can chop this down to only one crypto map sequence number that has all my peers and one access-list that includes all the peers. This is my idea for the hub PIX:
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 set transform-set myset
crypto map mymap 1 match address 110
crypto map mymap 1 set peer 188.8.131.52
crypto map mymap 1 set peer 184.108.40.206
crypto map mymap 1 set peer 220.127.116.11
access-list 110 permit gre host 10.10.10.10 host 18.104.22.168
access-list 110 permit gre host 10.10.10.10 host 22.214.171.124
access-list 110 permit gre host 10.10.10.10 host 126.96.36.199
Right now, I am doing this with three sequence numbers and three access-lists. I just want to be a bit more "elegant" with my PIX config. Will this work?
The config that you have on the PIX right now, with different sequence numbers, each with its own peer address and access-list, is the best method to implement IPSec LAN-to-LAN tunnels, and the config that you want to implement is a big no-no for three different peers.
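Added example, not part of the thread above and not the poster's config: the per-spoke layout the answer recommends, generated from a spoke table so that fifty entries stay manageable without collapsing them into one sequence, plus a small lint that flags the proposed single-entry layout. The reason it is flagged is that several `set peer` addresses under one crypto map sequence are treated as redundant peers for the same tunnel, tried in order, not as one entry that serves several spokes. The spoke names, the sequence and ACL numbering scheme, and the helper names are assumptions for illustration; the addresses are the placeholders from the question.

```python
"""Emit one crypto map entry (and one ACL) per spoke for a hub PIX, and lint a
config for entries that list several peers. Added example, not the poster's config."""
from collections import defaultdict

# Constructed spoke table: (name, ISAKMP peer address, GRE tunnel destination).
# Addresses are the placeholders from the question, not a real deployment.
SPOKES = [
    ("spoke1", "188.8.131.52", "18.104.22.168"),
    ("spoke2", "184.108.40.206", "22.214.171.124"),
    ("spoke3", "220.127.116.11", "126.96.36.199"),
]

# The single-entry layout proposed in the question (constructed, typo fixed).
PROPOSED = [
    "crypto map mymap 1 ipsec-isakmp",
    "crypto map mymap 1 set transform-set myset",
    "crypto map mymap 1 match address 110",
    "crypto map mymap 1 set peer 188.8.131.52",
    "crypto map mymap 1 set peer 184.108.40.206",
    "crypto map mymap 1 set peer 220.127.116.11",
]


def hub_config(spokes, map_name="mymap", transform="myset",
               hub_tunnel_src="10.10.10.10", first_seq=10, first_acl=110):
    """Return PIX config lines: one ACL and one crypto map sequence per spoke.

    Sequence numbers step by 10 (assumed convention) so an entry can be
    inserted later without renumbering; ACL numbers are consecutive.
    """
    lines = []
    for i, (name, peer, gre_dst) in enumerate(spokes):
        seq = first_seq + 10 * i
        acl = first_acl + i
        lines += [
            f"! {name}",
            f"access-list {acl} permit gre host {hub_tunnel_src} host {gre_dst}",
            f"crypto map {map_name} {seq} ipsec-isakmp",
            f"crypto map {map_name} {seq} match address {acl}",
            f"crypto map {map_name} {seq} set peer {peer}",
            f"crypto map {map_name} {seq} set transform-set {transform}",
        ]
    return lines


def lint_crypto_map(config_lines):
    """Flag crypto map entries carrying more than one 'set peer'.

    Several peers under one sequence are redundant peers for the same SA,
    tried in order; they do not make one entry serve several spokes.
    Returns a list of (map_name, seq, [peers]) for each offending entry.
    """
    peers = defaultdict(list)
    for line in config_lines:
        parts = line.split()
        # e.g. ['crypto', 'map', 'mymap', '1', 'set', 'peer', '188.8.131.52']
        if (len(parts) >= 7 and parts[:2] == ["crypto", "map"]
                and parts[4:6] == ["set", "peer"]):
            peers[(parts[2], parts[3])].append(parts[6])
    return [(m, s, p) for (m, s), p in peers.items() if len(p) > 1]


if __name__ == "__main__":
    print("\n".join(hub_config(SPOKES)))
    print(lint_crypto_map(PROPOSED))   # the single-entry layout is flagged
    print(lint_crypto_map(hub_config(SPOKES)))   # per-spoke layout passes
```

Run it once per change to the spoke table and paste the output into the hub; the lint can also be pointed at a saved running-config to catch an entry that quietly grew a second peer.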