02-23-2009 08:40 AM
Hi,
My current config is between 2 876 routers that connect with a GRE IPsec tunnel. I need to add a 3rd router in the setup and my question is the following:
1. From inside the crypto map can I set a second peer or is it better to create a copy of my current crypto map with a different sequence number and define there the second peer?
i.e. my current config is
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x2
 set peer x2
 set transform-set ESP-3DES-SHA
 match address 100
In the first case I simply add a second peer inside the crypto map.
In the second case I create the same crypto map with sequence number 10, as shown below:
crypto map SDM_CMAP_1 10 ipsec-isakmp
 description Tunnel to x3
 set peer x3
 set transform-set ESP-3DES-SHA
 match address 100
Many thanks
themis
02-23-2009 10:27 AM
Themis
It depends on what you want to achieve.
If you only want the 3rd router to be used as a backup in case of failure then add it as a second peer inside the crypto map because only one peer will be used at any one time.
If you want to have tunnels between all 3 routers up and running at the same time then you need a separate crypto map entry.
Jon
02-23-2009 11:27 AM
Hi Jon,
Question. I use the same crypto map name, i.e. SDM_CMAP_1 for my new router, correct?
Also I create a new tunnel, I add an extra ip route for the new peer and I add an isakmp key for that peer, right?
Anything else?
Many thanks,
themis
02-23-2009 12:11 PM
"Question. I use the same crypto map name, i.e. SDM_CMAP_1 for my new router, correct?"
If you mean on your existing device then yes, you have to, because you can only apply one crypto map to an interface, so as you say you just need to use another index number.
If you mean on the new router then call it what you like, although to standardise it would be a good idea to use the same naming system.
"Also I create a new tunnel, I add an extra ip route for the new peer and I add an isakmp key for that peer, right?"
Pretty much. You will need another crypto map access-list to define the remote and local subnets.
Jon
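The steps agreed in this thread, put together for the existing router as an added example (not configuration posted by either participant). The IP addresses, the pre-shared key, ACL 101, interface Tunnel1 and the x3 LAN subnet are constructed placeholders, and ACL 100 is assumed to match the GRE traffic towards x2.

```cisco
! Added example: existing router, second simultaneous GRE/IPsec tunnel to x3.
! Constructed placeholders: 192.0.2.1 = this router's WAN address,
! 198.51.100.2 = x2, 203.0.113.3 = x3, 10.3.0.0/24 = LAN behind x3.
!
! ISAKMP pre-shared key for the new peer
crypto isakmp key <PRE-SHARED-KEY-FOR-X3> address 203.0.113.3
!
! Separate crypto ACL for the new peer (assumption: ACL 100 already
! matches GRE from this router to x2, so ACL 101 does the same for x3)
access-list 101 permit gre host 192.0.2.1 host 203.0.113.3
!
! Existing entry, unchanged
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x2
 set peer 198.51.100.2
 set transform-set ESP-3DES-SHA
 match address 100
!
! New entry: same map name, new sequence number, its own peer and ACL
crypto map SDM_CMAP_1 10 ipsec-isakmp
 description Tunnel to x3
 set peer 203.0.113.3
 set transform-set ESP-3DES-SHA
 match address 101
!
! New GRE tunnel towards x3
interface Tunnel1
 description GRE to x3
 ip address 10.255.1.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 203.0.113.3
!
! Route the LAN behind x3 through the new tunnel
ip route 10.3.0.0 255.255.255.0 Tunnel1
```

`show crypto map` lists both entries with their peer and ACL, and `show crypto ipsec sa` shows whether each peer's security associations are encrypting and decrypting packets.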