Multiple crypto maps on a 3825 router interface

ttripp@magnoliamanor.com, 02-08-2007
Here's my problem. I used to have two routers connected via T1. To
back up the T1, I had a tunnel running between the two routers on
their Internet-facing ethernet ports. This worked fine; if the T1
went down, traffic automatically routed across the tunnel, and the two
sites stayed connected.

Recently I added a third site, with a T1 between it and my first site.
I wanted to create a backup tunnel, just like I did before, but now I
learn that the ethernet port on my first site's router can only be
configured with a single tunnel (using the crypto map command). So
apparently I can have only one tunnel assigned to this interface.

What to do? Can I use subinterfaces on my first site's Internet-
facing ethernet port? If I do that, that's really going to screw up
my IP addressing scheme. Or is there a way to assign two crypto maps
to a router's interface, and I just don't know what it is?

Thanks.

Walter Roberson, 02-08-2007
In article <(E-Mail Removed)>, (E-Mail Removed) wrote:
>Recent I added a third site, with a T1 between it and my first site.
>I wanted to create a backup tunnel, just like I did before, but now I
>learn that the ethernet port on my first site's router can only be
>configured with a single tunnel (using the crypto map command).


>Or is there a way to assign two crypto maps
>to a router's interface, and I just don't know what it is?


I don't know if the 3825 has any particular crypto restrictions,
but generally speaking you can only have one crypto map per interface
under IOS. You can, however, have different policy number groupings
for the crypto map, and the different policy number groups can
establish different attributes. For example (using PIX notation)

crypto map vpn-map 1100 ipsec-isakmp
crypto map vpn-map 1100 match address VPN_calgary1_acl
crypto map vpn-map 1100 set peer ibdcalpixX
crypto map vpn-map 1100 set transform-set vca-ea256s vpn-3-transform vc-ea256s vpn-3nat-transform vpn-transform vpn-nat-transform
crypto map vpn-map 1200 ipsec-isakmp
crypto map vpn-map 1200 match address VPN_calgary2_acl
crypto map vpn-map 1200 set peer calessopixX
crypto map vpn-map 1200 set transform-set vca-ea256s vc-ea256s vpn-3-transform vpn-3nat-transform vpn-transform vpn-nat-transform

This configures for two tunnels on the same interface, one with
peer ibdcalpixX and the other with peer calessopixX. I could have
used different transform sets for the two if I had reason to; and
you can see that I used different ACLs ('match address') to define
the traffic for each one.
Bod43@hotmail.co.uk, 02-09-2007
On 8 Feb, 17:44, (E-Mail Removed) (Walter Roberson) wrote:
> In article <(E-Mail Removed). com>,
>
> (E-Mail Removed) <(E-Mail Removed)> wrote:
> >Recent I added a third site, with a T1 between it and my first site.
> >I wanted to create a backup tunnel, just like I did before, but now I
> >learn that the ethernet port on my first site's router can only be
> >configured with a single tunnel (using the crypto map command).
> >Or is there a way to assign two crypto maps
> >to a router's interface, and I just don't know what it is?

>
> I don't know if the 3825 has any particular crypto restrictions,
> but generally speaking you can only have one crypto map per interface
> under IOS. You can, however, have different policy number groupings
> for the crypto map, and the different policy number groups can
> establish different attributes. For example (using PIX notation)
>
> crypto map vpn-map 1100 ipsec-isakmp
> crypto map vpn-map 1100 match address VPN_calgary1_acl
> crypto map vpn-map 1100 set peer ibdcalpixX
> crypto map vpn-map 1100 set transform-set vca-ea256s vpn-3-transform vc-ea256s vpn-3nat-transform vpn-transform vpn-nat-transform
> crypto map vpn-map 1200 ipsec-isakmp
> crypto map vpn-map 1200 match address VPN_calgary2_acl
> crypto map vpn-map 1200 set peer calessopixX
> crypto map vpn-map 1200 set transform-set vca-ea256s vc-ea256s vpn-3-transform vpn-3nat-transform vpn-transform vpn-nat-transform
>
> This configures for two tunnels on the same interface, one with
> peer ibdcalpixX and the other with peer calessopixX . I could have
> used different transform sets for the two if I had reason to; and
> you can see that I used different ACLs ('match address') to define
> the traffic for each one.


IOS, like this: the router tries 100, 200, 201 in order for each
request.

crypto map CrM.fred 100 ipsec-isakmp
set peer x.x.x.2
set transform-set TS.3des
match address 155
qos pre-classify

crypto map CrM.fred 200 ipsec-isakmp
set peer y.y.y.3
set transform-set TS.3des
match address ACL.CM.1

crypto map CrM.fred 201 ipsec-isakmp
.......

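Walter's PIX example and the IOS one above both rest on the same rule: one crypto map per interface, with its entries walked in ascending sequence number until an ACL matches. The Python below is an added example, not code from the thread, that parses a constructed config in that shape, lists which map names each interface applies (so a second one stands out), and picks the entry IOS would use for a given source/destination flow. The config, the peer addresses and the ACL contents are constructed; the ACL stand-ins assume a plain source-network/destination-network match rather than full ACL syntax.

```python
import ipaddress
import re
# Constructed sample IOS config (not from the thread): one map, two entries, one interface.
SAMPLE_CONFIG = """\
crypto map CrM.fred 200 ipsec-isakmp
 set peer 198.51.100.3
 match address ACL.CM.1
crypto map CrM.fred 100 ipsec-isakmp
 set peer 192.0.2.2
 match address 155
interface GigabitEthernet0/0
 crypto map CrM.fred
"""
# Constructed stand-ins for the crypto ACLs as (source, destination) networks.
ACLS = {"155": [("10.1.0.0/16", "10.2.0.0/16")],
        "ACL.CM.1": [("10.1.0.0/16", "10.3.0.0/16")]}

def parse_crypto_maps(config):
    # Returns {map_name: [entries]} in ascending sequence order, as IOS evaluates them.
    maps, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            cur = {"seq": int(m.group(2)), "peer": None, "acl": None}
            maps.setdefault(m.group(1), []).append(cur)
        elif cur and line.strip().startswith("set peer "):
            cur["peer"] = line.split()[-1]
        elif cur and line.strip().startswith("match address "):
            cur["acl"] = line.split()[-1]
    return {k: sorted(v, key=lambda e: e["seq"]) for k, v in maps.items()}

def interface_crypto_maps(config):
    # Returns {interface: [map names]}; a list longer than one means a broken config.
    result, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
            result[iface] = []
        elif iface and line.startswith(" crypto map "):  # IOS indents sub-commands
            result[iface].append(line.split()[2])
    return result

def select_entry(maps, name, src, dst):
    # Mimics IOS: the lowest-numbered entry whose ACL matches the flow is used.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in maps[name]:
        for src_net, dst_net in ACLS.get(e["acl"], []):
            if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
                return e["seq"], e["peer"]
    return None  # no entry matched: this map does not protect the flow
```

Note that entry 100 wins for a 10.1.x.x to 10.2.x.x flow even though it appears second in the file, because sequence number, not file order, decides.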
Darren Green, 02-10-2007

"Walter Roberson" <(E-Mail Removed)> wrote in message
news:CjJyh.913570$R63.899541@pd7urf1no...
> In article <(E-Mail Removed). com>,
> (E-Mail Removed) <(E-Mail Removed)> wrote:
>>Recent I added a third site, with a T1 between it and my first site.
>>I wanted to create a backup tunnel, just like I did before, but now I
>>learn that the ethernet port on my first site's router can only be
>>configured with a single tunnel (using the crypto map command).

>
>>Or is there a way to assign two crypto maps
>>to a router's interface, and I just don't know what it is?

>
> I don't know if the 3825 has any particular crypto restrictions,
> but generally speaking you can only have one crypto map per interface
> under IOS. You can, however, have different policy number groupings
> for the crypto map, and the different policy number groups can
> establish different attributes. For example (using PIX notation)
>
> crypto map vpn-map 1100 ipsec-isakmp
> crypto map vpn-map 1100 match address VPN_calgary1_acl
> crypto map vpn-map 1100 set peer ibdcalpixX
> crypto map vpn-map 1100 set transform-set vca-ea256s vpn-3-transform
> vc-ea256s vpn-3nat-transform vpn-transform vpn-nat-transform
> crypto map vpn-map 1200 ipsec-isakmp
> crypto map vpn-map 1200 match address VPN_calgary2_acl
> crypto map vpn-map 1200 set peer calessopixX
> crypto map vpn-map 1200 set transform-set vca-ea256s vc-ea256s
> vpn-3-transform vpn-3nat-transform vpn-transform vpn-nat-transform
>
> This configures for two tunnels on the same interface, one with
> peer ibdcalpixX and the other with peer calessopixX . I could have
> used different transform sets for the two if I had reason to; and
> you can see that I used different ACLs ('match address') to define
> the traffic for each one.


Just out of interest, would it not also be possible to achieve the above in
the following ways:

1) Use a DMVPN and have point to multipoint on each of the remote routers'
Ethernet ports as a backup. This would offer encryption and allow you to
terminate multiple tunnels.

2) Use multiple point to point GRE tunnels with IPSEC between the Ethernet
ports of the above routers.

Regards

Darren

Bod43@hotmail.co.uk, 02-10-2007
On 10 Feb, 10:28, "Darren Green"
<(E-Mail Removed)> wrote:
> "Walter Roberson" <(E-Mail Removed)> wrote in message
>
> > In article <(E-Mail Removed). com>,
> > (E-Mail Removed) <(E-Mail Removed)> wrote:
> >>Recent I added a third site, with a T1 between it and my first site.
> >>I wanted to create a backup tunnel, just like I did before, but now I
> >>learn that the ethernet port on my first site's router can only be
> >>configured with a single tunnel (using the crypto map command).

>
> >>Or is there a way to assign two crypto maps
> >>to a router's interface, and I just don't know what it is?

>
> > I don't know if the 3825 has any particular crypto restrictions,
> > but generally speaking you can only have one crypto map per interface
> > under IOS. You can, however, have different policy number groupings
> > for the crypto map, and the different policy number groups can
> > establish different attributes. For example (using PIX notation)

>
> > crypto map vpn-map 1100 ipsec-isakmp
> > crypto map vpn-map 1100 match address VPN_calgary1_acl
> > crypto map vpn-map 1100 set peer ibdcalpixX
> > crypto map vpn-map 1100 set transform-set vca-ea256s vpn-3-transform
> > vc-ea256s vpn-3nat-transform vpn-transform vpn-nat-transform
> > crypto map vpn-map 1200 ipsec-isakmp
> > crypto map vpn-map 1200 match address VPN_calgary2_acl
> > crypto map vpn-map 1200 set peer calessopixX
> > crypto map vpn-map 1200 set transform-set vca-ea256s vc-ea256s
> > vpn-3-transform vpn-3nat-transform vpn-transform vpn-nat-transform

>
> > This configures for two tunnels on the same interface, one with
> > peer ibdcalpixX and the other with peer calessopixX . I could have
> > used different transform sets for the two if I had reason to; and
> > you can see that I used different ACLs ('match address') to define
> > the traffic for each one.

>
> Just out of interest, would it not also be possible to achieve the above in
> the following ways:
>
> 1) Use a DMVPN and have point to multipoint on each of the remote routers
> Ethernet ports as a backup. This would offer encryption and allow you to
> terminate multiple tunnels.

Don't know but seems feasible.

>
> 2) Use multiple point to point GRE tunnels with IPSEC between the Ethernet
> ports of the above routers.

Yes.

Done a few of these now and it's very nice.
Not for the beginner though, I wouldn't think,
since it is quite hard to get your
head around at first and some care has to be taken.
You want to be sure where the GRE packets
are actually being routed, i.e. not down the
tunnel, not down the other tunnel, or anywhere
else you don't want them to go.
