Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
959
Views
10
Helpful
5
Replies

IPSec over dot1q logical interface

Go to solution
siong
Level 1
Level 1

‎04-05-2006 12:45 AM - edited ‎02-21-2020 02:21 PM

Can we create a IPSec tunnel over dot1q logical interface?

I have managed to create IPSec tunnel on a FastEthernet interface, but when I moved it to a logical dot1q interface, the IPSec tunnel breaks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
m.sir
Level 7
Level 7

‎04-06-2006 03:47 AM

When using crypto maps on logical interfaces, the map

must be applied to both the physical and logical interfaces

M.

Hope that helps, rate if it does

View solution in original post

0 Helpful
5 Replies 5

Go to solution
m.sir
Level 7
Level 7

‎04-06-2006 03:47 AM

When using crypto maps on logical interfaces, the map

must be applied to both the physical and logical interfaces

M.

Hope that helps, rate if it does

0 Helpful

Go to solution
siong
Level 1
Level 1
In response to m.sir

‎04-07-2006 01:34 AM

Thanks for the tip. I missed out applying the crypto map on the physical interface.

One more question :-

The initial objective of trunking the FE interface was to create different crypto map for each logical interface.

If we need to apply crypto map to both logical & physical for IPSec to work, this will limit us to use only one crypto map. Since IOS cannot support more than one crypto map per interface.

Any workaround for this to achieve the objective? Thanks.

--

siong

0 Helpful

Go to solution
attrgautam
Level 5
Level 5
In response to siong

‎04-07-2006 01:48 AM

I wonder if it is an IOS image. I have implemented crypto maps over logical subinterfaces without configuring crypto maps over the main interfaces. It works fine and there have been no issues. What code are you running on your boxes ?

Go to solution
sunilc
Level 1
Level 1
In response to siong

‎04-09-2006 02:39 PM

Hi Siong,

When using crymap on dot1q subintf, there is no need to apply crymap on the physical intf.

You can apply different crymaps on different subintf's.

int g0/1

no ip addr

int g0/1.100

encap dot1q 100

ip addr 100.1.1.1

cry map cmap1

int g0/1.200

encap dot1q 200

ip addr 200.1.1.1

cry map cmap2

-Sunil.

Go to solution
siong
Level 1
Level 1
In response to sunilc

‎04-09-2006 10:18 PM

Hi attrgautam & sunilc,

You guys are right.

I went back cleared all configuration and started everything from scratch.

The IPSec works on a logical dot1q interface without the need to apply the crypto map on the related phyiscal interface. I tried them out on 12.2.19 and 12.2.39 codes.

I must have done something wrong earlier on the crypto map. Thanks guys for pointing it out.

--

siong

0 Helpful
Customers Also Viewed These Support Documents