Cisco Support Community


Several crypto maps for one interface


I have a problem setting up several crypto maps on one interface. When I run just one VPN tunnel it works, but if I add a second it doesn't work.

How can I correct this?

crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400

crypto isakmp key ABC address IP_1
crypto isakmp key CBA address IP_N

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map VPN 1 ipsec-isakmp
 match address 101
 set transform-set ESP-3DES-SHA
 set peer IP_1

crypto map VPN n ipsec-isakmp
 match address 10n
 set transform-set ESP-3DES-SHA
 set peer IP_N

interface GigabitEthernet0/0
 crypto map VPN
 ip access-group FIREWALL in

ip route IP_1
ip route IP_N

access-list 101 permit ip
access-list 10n permit ip

ip access-list extended NAT
 deny ip
 deny ip
 permit ip any
 deny ip any any

ip access-list extended FIREWALL
 permit tcp any any established
 permit icmp any any
 permit udp any IP eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit udp any IP eq isakmp
 permit udp any eq isakmp any
 permit esp any IP
 permit tcp


Several crypto maps for one interface


In this case it shows you have a single crypto map, but multiple crypto map instances.

You can only have a single crypto map applied to an interface (in this case VPN), but you can have as many instances as you need (these are crypto map 1, 2, 3, ...n)

Check "sh cry isa sa" for the establishment of both tunnels (phase 1), and "sh cry ipsec sa" for phase 2.

I assume the second tunnel is the one not working? What if you change priorities? I mean the number for the instance on the crypto map. The crypto maps are checked by the device in order of priority, starting at 1 and following...

Hope it helps.
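To make the point about one map name with several instances concrete, here is an added Python example; it is not code from this thread or from Cisco. It reads a constructed IOS-style config, confirms that only one crypto map name is applied to each interface, and walks the instances in sequence order, flagging a later instance whose crypto ACL is entirely covered by an earlier, broader one. That is the failure the priority-order behaviour described above produces when instance 1's ACL ends in "any": traffic for the second peer is matched by instance 1 and never reaches instance 2. The map name VPN, the peer addresses and the ACL entries in SAMPLE_CONFIG are constructed sample values, not the poster's real configuration.

```python
"""Sanity checks for IOS crypto map instances applied to one interface.

Added example (not from the original thread): parses a constructed
IOS-style config, checks that an interface carries one crypto map name,
and flags an instance whose crypto ACL is shadowed by a lower-sequence one.
"""
import ipaddress
import re

# Constructed sample: instance 1's ACL ends in "any", so it also matches the
# traffic meant for the second peer and instance 2 is never selected.
SAMPLE_CONFIG = """\
crypto map VPN 1 ipsec-isakmp
 match address 101
 set peer 198.51.100.1
crypto map VPN 2 ipsec-isakmp
 match address 102
 set peer 203.0.113.1
interface GigabitEthernet0/0
 crypto map VPN
 ip access-group FIREWALL in
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
access-list 102 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
"""


def parse_ace(rest):
    """Turn 'SRC DST' (any | host A | A WILDCARD) into two ip_network objects."""
    words = rest.split()
    nets = []
    while words:
        tok = words.pop(0)
        if tok == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif tok == "host":
            nets.append(ipaddress.ip_network(words.pop(0) + "/32"))
        else:
            # ip_network accepts an IOS wildcard (hostmask) after the slash
            nets.append(ipaddress.ip_network(tok + "/" + words.pop(0), strict=False))
    return nets[0], nets[1]


def parse_config(text):
    """Return (maps, interfaces, acls) extracted from an IOS-style config."""
    maps = {}        # map name -> {seq: {"peer": str, "acl": str}}
    interfaces = {}  # interface name -> [crypto map names applied]
    acls = {}        # numbered ACL -> [(src_net, dst_net)]
    block = None     # ("map", name, seq) or ("if", name) for indented lines
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            block = None
            m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
            if m:
                name, seq = m.group(1), int(m.group(2))
                maps.setdefault(name, {})[seq] = {"peer": None, "acl": None}
                block = ("map", name, seq)
                continue
            m = re.match(r"interface (\S+)", line)
            if m:
                interfaces.setdefault(m.group(1), [])
                block = ("if", m.group(1))
                continue
            m = re.match(r"access-list (\d+) permit ip (.+)", line)
            if m:
                acls.setdefault(m.group(1), []).append(parse_ace(m.group(2)))
            continue
        words = line.split()
        if block and block[0] == "map":
            inst = maps[block[1]][block[2]]
            if words[:2] == ["match", "address"]:
                inst["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                inst["peer"] = words[2]
        elif block and block[0] == "if" and words[:2] == ["crypto", "map"]:
            interfaces[block[1]].append(words[2])
    return maps, interfaces, acls


def interfaces_with_multiple_maps(interfaces):
    """IOS takes one crypto map name per interface; report any with more."""
    return {ifname: names for ifname, names in interfaces.items() if len(names) > 1}


def shadowed_instances(maps, acls):
    """(map, seq, covering_seq) for instances whose ACL is fully covered earlier."""
    findings = []
    for name, insts in maps.items():
        ordered = sorted(insts)  # instances are evaluated by sequence number
        for hi in ordered:
            later = acls.get(insts[hi]["acl"], [])
            for lo in ordered:
                if lo >= hi or not later:
                    break
                earlier = acls.get(insts[lo]["acl"], [])
                if all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in earlier)
                       for s, d in later):
                    findings.append((name, hi, lo))
                    break
    return findings


if __name__ == "__main__":
    maps, ifs, acls = parse_config(SAMPLE_CONFIG)
    print("interfaces with more than one map:", interfaces_with_multiple_maps(ifs))
    for name, hi, lo in shadowed_instances(maps, acls):
        print(f"crypto map {name} {hi} (peer {maps[name][hi]['peer']}) is shadowed "
              f"by instance {lo}: make the lower-sequence ACL more specific")
```

Run against the sample it reports instance 2 of map VPN as shadowed by instance 1. On a real box the same conclusion is reached by comparing the `match address` ACLs of the instances in sequence order against the output of `show crypto ipsec sa`, where the shadowed peer shows no SA.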


Re: Several crypto maps for one interface

Take that firewall acl off the external interface and see if it works.

Sent from Cisco Technical Support iPad App
