Cisco Support Community
Bronze

Crypto Map Priority

Hi All,

I'm looking to have multiple site to site VPNs hanging off my one Outside Interface.

I understand I can have one crpypto map assigned to the interface.

If I want, for example, one of the VPNs to require PFS but the other not to, do I just configure a different priority under the Crypto Map? Do the crypto map entries get processed top down until a matching one is found?

 

e.g.

 

crypto map CMAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TSET
 match address ACL1

crypto map CMAP 20 ipsec-isakmp
 set peer y.y.y.y
 set transform-set TSET
 match address ACL2
 set pfs group2

 

Thanks

 

1 ACCEPTED SOLUTION

VIP Purple

You are right, the crypto map is processed top down. So if your traffic matches ACL2 (and not ACL1!), then all parameters configured under CMAP sequence 20 are relevant to that connection.
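As an added illustration of the top-down processing the accepted answer describes (this is example code written for this page, not Cisco's code and not anything posted in the thread), the following Python script parses an IOS-style configuration containing the two CMAP sequences from the question, finds the first sequence whose crypto ACL permits a given flow, and reports the peer, transform set and PFS setting that apply to it. The contents of ACL1 and ACL2, the 203.0.113.x peer addresses and the transform-set name are constructed assumptions; the script also handles `any`/`host` address forms and an explicit `deny` in a crypto ACL, which goes beyond the two-entry case in the question.

```python
import ipaddress
from typing import Optional

# Constructed sample config modelled on the thread's CMAP example. The ACL
# bodies, the 203.0.113.x peer addresses and the transform-set name are
# assumptions made for this example, not values from the original post.
CONFIG = """\
ip access-list extended ACL1
 permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255
ip access-list extended ACL2
 permit ip 10.1.0.0 0.0.255.255 192.168.20.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TSET
 match address ACL1
crypto map CMAP 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TSET
 set pfs group2
 match address ACL2
"""

# crypto map sub-commands we record -> key in the entry dict
SETTERS = {"set peer": "peer", "set transform-set": "transform_set",
           "set pfs": "pfs", "match address": "acl"}


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr(tokens, i):
    """Consume one ACL address spec (any | host A | A WILDCARD) -> (net, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def _wild_match(addr: int, net: int, wild: int) -> bool:
    # A 1 bit in a Cisco wildcard mask means "don't care": compare only the 0 bits.
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def parse_config(text):
    """Return ({acl: [(action, src, src_wild, dst, dst_wild)]}, {map: [entry dicts by seq]})."""
    acls, cmaps, current = {}, {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if not line.startswith(" "):            # top-level command opens a new sub-mode
            if tokens[:3] == ["ip", "access-list", "extended"]:
                current = ("acl", acls.setdefault(tokens[3], []))
            elif tokens[:2] == ["crypto", "map"] and len(tokens) >= 5:
                entry = {"seq": int(tokens[3]), "peer": None, "transform_set": None,
                         "pfs": None, "acl": None}   # pfs None = PFS not configured
                cmaps.setdefault(tokens[2], []).append(entry)
                current = ("cmap", entry)
            else:
                current = None
            continue
        if current is None:
            continue
        kind, ctx = current
        if kind == "acl" and tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            src, src_wild, i = _addr(tokens, 2)
            dst, dst_wild, _ = _addr(tokens, i)
            ctx.append((tokens[0], src, src_wild, dst, dst_wild))
        elif kind == "cmap" and len(tokens) >= 3 and " ".join(tokens[:2]) in SETTERS:
            ctx[SETTERS[" ".join(tokens[:2])]] = tokens[2]
    for entries in cmaps.values():
        entries.sort(key=lambda e: e["seq"])    # IOS walks the lowest sequence number first
    return acls, cmaps


def select_entry(acls, cmaps, map_name, src_ip, dst_ip) -> Optional[dict]:
    """First (lowest seq) entry whose crypto ACL permits the flow, else None.
    Mirrors the accepted answer: the first permit wins and every parameter of that one
    entry applies; a deny only excludes the flow from that entry, so the walk continues."""
    src, dst = _ip(src_ip), _ip(dst_ip)
    for entry in cmaps.get(map_name, []):
        for action, net, wild, dnet, dwild in acls.get(entry["acl"], []):
            if _wild_match(src, net, wild) and _wild_match(dst, dnet, dwild):
                if action == "permit":
                    return entry
                break
    return None


def resolve_flow(config_text, map_name, src_ip, dst_ip) -> Optional[dict]:
    """Parse the config and report which peer, transform set and PFS apply to a flow."""
    entry = select_entry(*parse_config(config_text), map_name, src_ip, dst_ip)
    if entry is None:
        return None                             # no crypto map entry protects this flow
    return {"seq": entry["seq"], "peer": entry["peer"],
            "transform_set": entry["transform_set"], "pfs": entry["pfs"] or "none"}
```

Calling `resolve_flow(CONFIG, "CMAP", "10.1.5.5", "192.168.20.7")` returns sequence 20 with `pfs: group2`, while a destination in 192.168.10.0/24 lands on sequence 10 with no PFS, and a destination covered by neither ACL returns `None`. Pasting the text of `show running-config` into `resolve_flow` gives a quick audit of which sequence, and therefore which PFS setting, a given flow will actually use, which is also how an overly broad ACL on a lower sequence shadowing a later PFS-protected entry shows up. The script models only the selection step; whether negotiation with the chosen entry then succeeds depends on the peer's settings, which is the part of this thread under discussion.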

 


If I want, for example, one of the VPNs to require PFS but the other not to, do I just configure a different priority under the Crypto Map? Do the crypto map entries get processed top down until a matching one is found?

That is correct, the crypto map entries get processed top down (in order of priority). So if the remote end requires PFS then it will continue checking the crypto map policies until a match is found, or none match and it will be discarded.

--

Please remember to select a correct answer and rate helpful posts
VIP Purple

This description is not absolutely correct:

If the initiator wants PFS but the responder is configured without, then the connection will work and the responder automatically changes to PFS.

The other way round, the connection will fail if the initiator is configured without PFS but the responder is configured with PFS. But the router will not choose one of the next crypto map sequences.

Interesting! Everything I have read indicates that both sides must be configured equally (including PFS). I have also tried to get this scenario to work in a lab but as of yet have been unable to get it working.

@Karsten - would you be able to provide a link to documentation that describes this PFS behavior?  I have been unable to find such a document yet.

--

Please remember to select a correct answer and rate helpful posts
VIP Purple

I didn't find that in the documentation and I would consider it a misconfiguration when configured in a way where it's not matching. I realized a long time ago that this behavior exists, when troubleshooting a client setup. There the VPN only worked when initiated from one side and it also was a PFS mismatch. If you don't see this in your lab, I can't rule out that this changed in newer IOS versions. I think I have to lab that again.
