Cisco Support Community

New Member

IOS VPN Tunnel - Answer Only?

Hello!

We are moving from an ASA to IOS routers for our site to site VPN tunnels.  On the ASA we have several tunnels set up as "Answer-Only".   How do I configure this same setting on the IOS router?  It isn't jumping out at me as an option in the crypto map.

Thanks!

- Dave

5 REPLIES
Cisco Employee
Dave,

This is after a long day in the office where I can barely see, but I do believe the only option like this is in the IPsec profile:

R1(config)#crypto ipsec profile PRO
R1(ipsec-profile)#?
Crypto Map configuration commands:
  default         Set a command to its defaults
  description     Description of the crypto map statement policy
  dialer          Dialer related commands
  exit            Exit from crypto map configuration mode
  no              Negate a command or set its defaults
  redundancy      Configure HA for this ipsec profile
  responder-only  Do not initiate SAs from this device

Marcin

New Member
Thanks for the reply Marcin!

How do I apply a crypto ipsec profile to a static VPN?

I know you can configure VTI interfaces that use profiles, but my understanding is that both sides would have to use VTI interfaces, whereas we have a variety of customers using "traditional" IPSEC on a variety of devices.

- Dave

Cisco Employee
Dave,

You're right, the functionality would affect only solutions based on tunnel protection (GRE over IPsec or VTI).

Which is basically what we encourage people to run (i.e. VTIs, DMVPN, Flex).

I'll do some checking tomorrow, but from the top of my head at 11:30 PM there's nothing.

Marcin

Cisco Employee
Dave,

After a few hours of sleep, here's an idea.

To implement answer-only-like functionality, you can use a dynamic crypto map entry (no set peer entry) matching an access-list for that traffic and setting the transform set.

(If you run ezvpn on the same box with crypto maps, remember to add a very generic entry with a high number in the crypto map.)

Essentially (not syntax checked):

! dynamic-map entries take no ipsec-isakmp keyword; no "set peer", so this router never initiates
crypto dynamic-map DYN 10
 set transform-set MYSET_FOR_L2L
 match address TRAFFIC_FOR_L2L
! generic high-numbered entry for the ezvpn clients
crypto dynamic-map DYN 65000
 set transform-set SET_FOR_EZVPN

Would that work for you?

Marcin
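A fuller version of the dynamic-map approach, written here as an added example that is not from the thread: a responder-only site-to-site entry plus the ezvpn catch-all, bound to a static crypto map on the outside interface. All names, ACL contents, the pre-shared-key placeholder and the addresses (RFC 5737 documentation ranges) are assumptions.

```text
! Added example, not from the thread. Names, ACL contents, the PSK
! placeholder and addresses (RFC 5737 ranges) are assumptions.
!
! Phase 1: the remote peer is still authenticated per address; the dynamic
! map only drops the "set peer" (initiator) half, not authentication.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-CUSTOMER-A> address 198.51.100.10
!
crypto ipsec transform-set MYSET_FOR_L2L esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set SET_FOR_EZVPN esp-aes 256 esp-sha256-hmac
!
! Interesting traffic for the answer-only L2L tunnel (hub LAN -> customer LAN)
ip access-list extended TRAFFIC_FOR_L2L
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Dynamic entry: no "set peer", so this router never initiates; it only
! answers a proposal whose selectors match the ACL.
crypto dynamic-map DYN 10
 set transform-set MYSET_FOR_L2L
 match address TRAFFIC_FOR_L2L
!
! Generic catch-all for ezvpn clients on the same box (high sequence number).
crypto dynamic-map DYN 65000
 set transform-set SET_FOR_EZVPN
 reverse-route
!
! Static map: ordinary initiator-capable entries go first (lower sequence
! numbers); the dynamic map is referenced last so it is consulted only when
! no static entry matches.
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map OUTSIDE_MAP
```

Because the dynamic entry carries no set peer, the router cannot bring the tunnel up itself; `show crypto isakmp sa` and `show crypto ipsec sa` should show the SA only after the customer side initiates, which is the behaviour the ASA calls answer-only. The remote peer is still authenticated by its per-address pre-shared key (or certificates), so answer-only does not mean any peer may connect.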

New Member
Thanks for thinking outside the box Marcin! That may work, but I don't think I want to "kludge" up the config of our head-end router with a dynamic crypto map just to implement this one feature. I was hoping the feature was available in static crypto maps - like the ASA.
