New Member
2x ISR 2811s and VPN Concentrator L2L

Hi All,

I have a setup with 2x ISR 2811s in the central site acting as static crypto map VPN peers and I have a single site with VPN Concentrator 3000.

The thing is that I cannot setup backup peer on VPN Concentrator unless I set it to originate-only.

Originate-only is fine, works for me, but answer-only is not available on 2811s for static crypto-map configurations. Cisco says this is irrelevant for static crypto-maps and applicable for the VTI only. So I ended up configuring VPN Concentrator as originate-only with two peers, the tunnel is up now, but I am just curious if there could be any potential issue with rekeying or something else because ISR 2811s cannot maintain answer-only. Again if VPN Concentrator side is the initiator-only in terms of crypto-interesting traffic - this is ok for me.

Cisco Employee

We had a similar discussion some time ago with another person on the forum.

If you want the equivalent of answer-only on IOS with crypto maps, you should use a dynamic crypto map entry with a match ACL specified.

The responder-only functionality is relevant only for tunnel protection setups.
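As an added illustration of the advice above (this is not configuration from the poster or from Cisco, and every name and address in it is a hypothetical assumption), the following IOS fragment shows a static crypto map entry of the kind the original poster describes beside the dynamic crypto map entry that behaves as answer-only. A static entry carries `set peer`, so the router will initiate IKE as soon as traffic matches the ACL; a dynamic entry has no `set peer`, so the router can only accept a negotiation from the VPN 3000 Concentrator, which is what "answer-only" means in practice. Assumed values: Concentrator public address 203.0.113.10, central LAN 10.1.0.0/16, remote LAN 10.2.0.0/16, a placeholder pre-shared key, and FastEthernet0/0 as the outside interface of the 2811.

```text
! --- Hypothetical ISR 2811 configuration, added example, not from the thread ---

! IKEv1 phase 1 policy (parameters are assumed; match them on the Concentrator)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! Pre-shared key for the Concentrator's public address (placeholder key)
crypto isakmp key REPLACE-WITH-REAL-KEY address 203.0.113.10

! Phase 2 transform set (assumed)
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel

! Crypto-interesting traffic: central LAN <-> remote LAN (assumed prefixes).
! The Concentrator's network list must be the mirror image of this ACL.
ip access-list extended ACL-VPN3000-SITE
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

! --- (a) Static entry: the 2811 WILL initiate when traffic hits the ACL ---
! crypto map CMAP 10 ipsec-isakmp
!  set peer 203.0.113.10
!  set transform-set TS-AES
!  match address ACL-VPN3000-SITE

! --- (b) Dynamic entry: no "set peer", so the 2811 only answers ---
crypto dynamic-map DYN-VPN3000 10
 set transform-set TS-AES
 match address ACL-VPN3000-SITE

! Bind the dynamic entry into the crypto map. Use the highest sequence number
! so any static entries for other peers are evaluated first.
crypto map CMAP 65535 ipsec-isakmp dynamic DYN-VPN3000

! Apply the crypto map to the outside interface (FastEthernet0/0 on a 2811)
interface FastEthernet0/0
 crypto map CMAP

! Verification once the Concentrator (originate-only) brings the tunnel up:
!   show crypto isakmp sa
!   show crypto ipsec sa peer 203.0.113.10
```

Apply the same fragment on both 2811s; the Concentrator, set to originate-only with the two routers listed as primary and backup peers, decides which one carries the tunnel, and neither router will ever try to initiate toward it. Because the dynamic entry still names an ACL, only the assumed 10.1.0.0/16 to 10.2.0.0/16 flows are accepted from that peer; a dynamic entry without `match address` would accept whatever proxy identities the remote proposes, which is the looser setting to avoid here.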

New Member

I have two routers in the setup. The tunnel is ok now when the VPN Concentrator is set to originate-only.

My question is if it will work normally in case one side is set to originate-only and the other one is bidirectional, assuming that in any scenario only one side would initiate traffic.

Cisco Employee

Provided that only one router will talk IPsec at a time, you should be fine.

Just make sure your VPN Concentrator has a decent software version :-)

New Member

Nope. Not working when one side (VPN Concentrator) is set to originate-only and the opposite side is bi-directional (IOS).

This is really awkward that IOS cannot do answer-only in static crypto map.

Can I somehow post a feature request? I believe not only me needs this feature on the IOS...

Cisco Employee

Well, we typically use dynamic crypto maps when they are supposed to be answer-only ;-)

Another thing is that we're trying to move people towards using tunnel protection instead of crypto maps.

That being said, yes you can; the best way is to get your account team involved, they can file a PER (Product Enhancement Request) for you and raise a business case.

TAC can also file enhancements, but without a business case coming from the account team they are very low on the priority list.
