Several crypto maps for one interface

Hi,

I have a problem setting up several crypto maps on one interface. When I run just one VPN tunnel it works, but if I add a second one it doesn't work.

How can I correct this?

crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! one pre-shared key per peer (IP_1 ... IP_N stand in for the real peer addresses)
crypto isakmp key ABC address IP_1
crypto isakmp key CBA address IP_N
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! one crypto map (VPN) with one instance per peer
crypto map VPN 1 ipsec-isakmp
 match address 101
 set transform-set ESP-3DES-SHA
 set peer IP_1
!
crypto map VPN n ipsec-isakmp
 match address 10n
 set transform-set ESP-3DES-SHA
 set peer IP_N
!
interface GigabitEthernet0/0
 crypto map VPN
 ip access-group FIREWALL in
!
ip route 10.0.0.0 255.255.255.0 IP_1
ip route 192.168.100.0 255.255.255.0 IP_N
!
! crypto ACLs: traffic to be encrypted towards each peer
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 10n permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! NAT exemption for the VPN traffic
ip access-list extended NAT
 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any
!
! inbound filter on the outside interface
ip access-list extended FIREWALL
 permit tcp any any established
 permit icmp any any
 permit udp any IP eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit udp any IP eq isakmp
 permit udp any eq isakmp any
 permit esp any IP
 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255

2 REPLIES

Several crypto maps for one interface

Hi,

In this case it shows you have a single crypto map, but multiple crypto map instances.

You can only have a single crypto map applied to an interface (in this case VPN), but you can have as many instances as you need (these are crypto map 1, 2, 3, ...n).

Check "sh cry isa sa" for the establishment of both tunnels (phase 1), and "sh cry ipsec sa" for phase 2.

I assume the second tunnel is the one not working? What if you change priorities? I mean the number for the instance on the crypto map. The crypto maps are checked by the device in order of priority, starting at 1 and following...

Hope it helps.

Federico.

Re: Several crypto maps for one interface

Take that firewall acl off the external interface and see if it works.

Sent from Cisco Technical Support iPad App
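One way to check both points raised in the replies, that the interface carries a single crypto map whose instances define the peers, and that the inbound ACL in front of it admits those peers' ESP and ISAKMP, is to audit the running configuration. The Python below is an added example, not code from this thread or from Cisco; the outside address 192.0.2.1, the peers 203.0.113.1 and 203.0.113.2, and the cut-down config are constructed to resemble the one posted above.

```python
import re, itertools
# Constructed IOS fragment modelled on the posted config, not the poster's literal config (outside address
# 192.0.2.1, peers 203.0.113.1/.2): instance 2 names an unwritten ACL and FIREWALL admits ESP from peer 1 only.
CONFIG = """\
crypto map VPN 1 ipsec-isakmp
 match address 101
 set peer 203.0.113.1
crypto map VPN 2 ipsec-isakmp
 match address 102
 set peer 203.0.113.2
interface GigabitEthernet0/0
 crypto map VPN
 ip access-group FIREWALL in
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended FIREWALL
 permit udp any host 192.0.2.1 eq isakmp
 permit esp host 203.0.113.1 host 192.0.2.1
"""
CHECKS = {"esp": r"permit esp (any|host {}) ", "isakmp": r"permit udp (any|host {}) .*eq isakmp"}  # {} = peer; no NAT-T

def parse(config):  # collect ACLs, crypto map instances and interface bindings into one dict
    cfg, ctx = {"acls": {}, "maps": {}, "ifaces": {}}, {}
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):                    # top-level command starts a new block
            ctx = {}
            if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                ctx = cfg["maps"].setdefault((m[1], int(m[2])), {})
            elif m := re.match(r"(?:ip )?access-list (?:extended )?(\S+) ?(.*)", line):
                ctx = cfg["acls"].setdefault(m[1], [])  # numbered ACL entry or named ACL header
                ctx += [m[2]] if m[2] else []           # the numbered form carries its entry inline
            elif m := re.match(r"interface (\S+)", line):
                ctx = cfg["ifaces"].setdefault(m[1], {})
        elif isinstance(ctx, list):                     # entry inside a named ACL
            ctx.append(line.strip())
        elif m := re.match(r"\s*(match address|set peer|crypto map|ip access-group) (\S+)", line):
            ctx.setdefault(m[1], []).append(m[2])       # crypto map instance or interface body
    return cfg

def audit(config):
    """Flag undefined match ACLs and inbound ACLs that would drop a peer's ESP or ISAKMP (UDP/500)."""
    cfg, findings = parse(config), []
    for (name, seq), inst in sorted(cfg["maps"].items()):
        findings += [f"{name} {seq}: match address {a} references an undefined ACL"
                     for a in inst.get("match address", []) if a not in cfg["acls"]]
    for ifname, data in cfg["ifaces"].items():          # peers come from the map applied to this interface
        peers = sorted({p for (n, _), i in cfg["maps"].items() if n in data.get("crypto map", []) for p in i.get("set peer", [])})
        for acl, peer, (proto, pat) in itertools.product(data.get("ip access-group", []), peers, CHECKS.items()):
            if not any(re.match(pat.format(re.escape(peer)), e) for e in cfg["acls"].get(acl, [])):
                findings.append(f"{ifname}: ACL {acl} does not permit {proto} from peer {peer}")
    return findings
```

Run against the constructed config it reports the missing ACL 102 and the ESP hole for the second peer; a config whose "sh cry isa sa" shows phase 1 but whose ESP is dropped by the interface ACL produces exactly that second finding.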
