using route maps for crypto maps

tato386
Level 6

I have two possible next hops for a remote network. I need to use IPSec if using one and not the other. I figured I could use a route map like this:

access-list 20 permit 192.168.2.2
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map mymap permit 10
 match ip address 120
 match ip next-hop 20
!

However, when I do this my crypto map says that it is incomplete:

!
crypto map vpnmap 1 ipsec-isakmp
 ! Incomplete
 set peer 1.1.1.1
 set transform-set vpnset
 match address mymap
!

Is this not possible? I am running 12.2(4) IOS.

Thanks,

Diego

6 Replies

gfullage
Cisco Employee

It's not possible like you have it here, since your crypto map is expecting to use an ACL called mymap, and that doesn't exist. The route-map "mymap" doesn't get referenced by the crypto map just because it has the same name.

You're not going to be able to do this on this one router if both the next-hops to this remote network are out the same interface.

If they're out different interfaces, then make your crypto map reference the access-list and only apply that crypto map to the one outbound interface; it'll then work just like a standard VPN.

If both next-hops are out the same interface, there's no way you can tell the router to encrypt the traffic if it's going to one particular next-hop and not the other. You're better off doing just the policy routing on this router and removing the crypto stuff altogether, then putting the crypto map config on the one next-hop router. That way, if the packet's sent to that router it'll be encrypted by that router; if it's sent to the other one it won't be encrypted.

You bring up an interesting point here. Let's say that I apply a crypto map to an interface that is going to redirect the packets to another router that is available on the same segment as the original router interface. In other words, the packet will not exit via an interface on the router that receives that packet. Will the first router encrypt the packet then forward the packet? The destination router is not IPSec capable, but I want the packets to be encrypted by the first router. How can I accomplish this?

Thanks,

Diego

IPSec doesn't work like that though, both ends need to be IPSec capable and have already built a tunnel between them before any packets will be encrypted. If no tunnel exists, then packets won't be encrypted, simple as that. For a tunnel to exist, both ends need to be IPSec capable and be configured appropriately.

There's no way to just have one router encrypt packets and forward them on without having some other device ready to accept them and decrypt them. Sorry.

I think that you misunderstood my question. I realize that there need to be two routers running IPSec to create a tunnel, and there are. However, in order for IPSec router A to get to IPSec router B there are several routers in the middle. In my case it just so happens that the first hop in the path to IPSec router B is via a router that sits on the same segment as the interface that receives the packets that need to be encrypted and sent on their way to IPSec router B. My worry is that since the packets do not go "thru" the router, that is, in one interface and out another, the encryption won't happen. In my case, I have a router with an interface that has an IP of 10.0.0.1/24 and a crypto map applied. The crypto map says that the encrypted packets need to be sent to router 192.168.1.1. The first hop on the way to 192.168.1.1 is via 10.0.0.2. Will the first router encrypt and then forward to 10.0.0.2?

Diego

OK sorry about that.

Sounds like you simply want to configure one-armed tunnelling, where the unencrypted packet comes in on the same interface that it needs to go out on, the same interface that the crypto map is applied to.

If so, then yes this works, but you need to make sure your routing is set up correctly. For example, all the hosts need to have a route to the remote network that points to 10.0.0.1. This router then needs a route to the remote network that points to 10.0.0.2. You need to turn off ICMP redirects on this interface so the router doesn't send an ICMP redirect to all the hosts telling them to send further packets straight to 10.0.0.2. Use the "no ip redirects" command on the interface for this.

Other than that, it should work fine, just watch your routing and you should be OK.
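The one-armed setup from this answer written out as a single IOS configuration, as an added example that is not configuration from the thread or from Cisco. It assumes the interface name FastEthernet0/0, the ISAKMP policy with a placeholder pre-shared key, and the transform-set algorithms; the addresses, the crypto ACL 120 and the crypto map name come from the thread.

```cisco
! Added example: one-armed IPSec, cleartext in and ciphertext out on the
! same interface. Interface name, ISAKMP policy/key and transform-set
! algorithms are assumptions; addresses and ACL 120 follow the thread.
! Crypto interface 10.0.0.1/24, first hop 10.0.0.2, remote network
! 192.168.1.0/24 behind IPSec peer 192.168.1.1.
!
! Phase 1 (assumed values; PRESHARED-KEY is a placeholder)
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key PRESHARED-KEY address 192.168.1.1
!
! Phase 2 transform set (assumed algorithms)
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
!
! Crypto ACL: the traffic to protect. The crypto map has to reference an
! access-list; naming a route-map here was the original "Incomplete" error.
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map vpnmap 1 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set vpnset
 match address 120
!
! The interface that receives the cleartext packets from the hosts on the
! segment and sends the encrypted ones back out to 10.0.0.2. Without
! "no ip redirects" the router would tell those hosts to send straight to
! 10.0.0.2, bypassing the crypto map.
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 crypto map vpnmap
!
! This router reaches the remote network (and the peer inside it) via
! 10.0.0.2; the hosts on the segment must route 192.168.1.0/24 to 10.0.0.1.
ip route 192.168.1.0 255.255.255.0 10.0.0.2
```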

Got it.

I was missing the "no ip redirects". I was using the "no ip proxy-arp" cuz I knew I needed something like that but wasn't sure exactly what.

Thanks,

Diego