2x ISR 2811s and VPN Concentrator L2L

Ruterford
Level 1

Hi All,

I have a setup with 2x ISR 2811s in the central site acting as static crypto map VPN peers and I have a single site with VPN Concentrator 3000.

The thing is that I cannot set up a backup peer on the VPN Concentrator unless I set it to originate-only.

Originate-only is fine, works for me, but answer-only is not available on the 2811s for static crypto-map configurations. Cisco says this is irrelevant for static crypto-maps and applicable to VTI only. So I ended up configuring the VPN Concentrator as originate-only with two peers. The tunnel is up now, but I am just curious whether there could be any potential issue with rekeying or something else because the ISR 2811s cannot maintain answer-only. Again, if the VPN Concentrator side is the initiator-only in terms of crypto-interesting traffic, this is OK for me.

5 Replies

Marcin Latosiewicz
Cisco Employee

We had a similar discussion some time ago with another person on the forum.

If you want the equivalent of answer-only on IOS with crypto maps, you should use a dynamic crypto map entry with a match ACL specified.

The responder-only functionality is relevant only for tunnel protection setups.
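As an added illustration of the dynamic crypto map approach described in this reply (this is constructed example configuration, not from the original thread or from Cisco documentation); the peer address, pre-shared key, ACL ranges, map names and interface are placeholders:

```cisco
! IOS answer-only equivalent using a dynamic crypto map entry.
! A dynamic entry carries no "set peer", so this router never
! initiates IKE; it can only respond to a peer that matches
! the ACL. The concentrator side stays originate-only.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Key bound to the concentrator's public address (placeholder).
crypto isakmp key EXAMPLE-PSK address 203.0.113.10
!
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
! Interesting traffic for the remote site (placeholder ranges).
! The proxy IDs proposed by the concentrator must fit this ACL
! or the responder will reject the Phase 2 proposal.
ip access-list extended VPN-INTERESTING
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Dynamic entry: transform set plus "match address" only.
crypto dynamic-map DYN-RESPONDER 10
 set transform-set TS-AES-SHA
 match address VPN-INTERESTING
!
! Reference the dynamic map from the static map with the
! highest sequence number so any static entries are tried first.
crypto map CMAP 65535 ipsec-isakmp dynamic DYN-RESPONDER
!
interface FastEthernet0/0
 crypto map CMAP
```

Apply the same configuration on both central-site ISR 2811s; because neither router has a peer to initiate towards, the concentrator's two-peer originate-only list decides which one carries the tunnel.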

I have two routers in the setup. The tunnel is OK now when the VPN Concentrator is set to originate-only.

My question is whether it will work normally in case one side is set to originate-only and the other one is bidirectional, assuming that in any scenario only one side would initiate traffic.

Provided that only one router will talk IPsec at a time, you should be fine.

Just make sure your VPN Concentrator has a decent software version :-)

Nope. Not working when one side (VPN Concentrator) is set to originate-only and the opposite side is bidirectional (IOS).

It is really awkward that IOS cannot do answer-only in a static crypto map.

Can I somehow post a feature request? I believe I am not the only one who needs this feature on IOS...

Well, we typically use dynamic crypto maps when they are supposed to be answer-only ;-)

Another thing is that we're trying to move people towards using tunnel protection instead of crypto maps.

That being said, yes you can. The best way is to get your account team involved; they can file a PER (Product Enhancement Request) for you and raise a business case.

TAC can also file enhancements, but without a business case coming from the account team they are very low on the priority list.
