Cisco Support Community
New Member

Using Crypto Maps and IPsec Static VTI's on the same router

Is it possible to configure both crypto maps and IPsec static VTI's on the same router? What platforms have this capability? What IOS version do I need?

New Member

Re: Using Crypto Maps and IPsec Static VTI's on the same router

Yes you can, and as far as I know I don't think there is a hardware dependency.

VTI mode 'tunnel mode ipsec ipv4' was added in 12.3(14)T.

If you are mixing tunnel protection and crypto map, ensure you use isakmp profiles to differentiate somehow that the tunnel IPSec connection is not processed on the crypto map!

Here is a rough example (fine tune it as needed):

crypto keyring key1
 pre-shared-key address key test123

crypto keyring key2
 pre-shared-key address key test777

crypto isakmp profile vpn1
 keyring key1
 match identity address

crypto isakmp profile vpn2
 keyring key2
 match identity address

crypto ipsec transform-set test esp-des esp-sha-hmac

crypto ipsec profile vpn-tunnel
 set transform-set test
 set isakmp-profile vpn1

crypto map mymap 1 ipsec-isakmp
 set transform-set test
 set peer
 set isakmp-profile vpn2
 match address 177

interface Tunnel0
 ip address
 tunnel source
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn-tunnel

interface Ethernet4
 ip add
 crypto map mymap
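
An added example, not part of the original reply: a small Python check that reads an IOS-style configuration and confirms the separation the reply recommends, namely that every IPsec profile (VTI path) and every crypto map entry sets an ISAKMP profile and that the two paths never share one. The function names are hypothetical, and the sample configuration is constructed, with documentation-range addresses filled in as assumptions.

```python
# Constructed sample: the thread's layout; the addresses are documentation-range
# placeholders (assumptions), not values from the post.
SAMPLE = """\
crypto isakmp profile vpn1
 match identity address 192.0.2.1 255.255.255.255
crypto isakmp profile vpn2
 match identity address 198.51.100.1 255.255.255.255
crypto IPsec profile vpn-tunnel
 set isakmp-profile vpn1
crypto map mymap 1 ipsec-isakmp
 set peer 198.51.100.1
 set isakmp-profile vpn2
 match address 177
interface Tunnel0
 tunnel protection ipsec profile vpn-tunnel
interface Ethernet4
 crypto map mymap
"""

def stanzas(config):
    """Map each top-level command to its indented sub-commands."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if line[0].isspace() and current is not None:
            out[current].append(line.strip())
        elif not line[0].isspace():
            current = line.strip()
            out.setdefault(current, [])
    return out

def isakmp_profile(subs):
    """Return the name given by 'set isakmp-profile', or None if absent."""
    for s in subs:
        if s.lower().startswith("set isakmp-profile "):
            return s.split()[2]
    return None

def check_separation(config):
    """Return findings; empty means the VTI and crypto map paths use distinct ISAKMP profiles."""
    st = stanzas(config)
    vti = {h: isakmp_profile(s) for h, s in st.items() if h.lower().startswith("crypto ipsec profile ")}
    cmap = {h: isakmp_profile(s) for h, s in st.items() if h.lower().startswith("crypto map ")}
    findings = [f"{h}: no isakmp-profile set" for h, p in {**vti, **cmap}.items() if p is None]
    shared = (set(vti.values()) & set(cmap.values())) - {None}
    findings += [f"isakmp profile {p} is used by both a VTI profile and a crypto map" for p in sorted(shared)]
    return findings
```
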


The main difference will be that on the remote devices, in this case, the crypto ACL itself will contain only two addresses, mirroring the addresses specified as tunnel source and tunnel destination on the 2921. In theory, there are no other changes.
