Multiple crypto maps on a 3825 router interface

Discussion in 'Cisco' started by ttripp@magnoliamanor.com, Feb 8, 2007.

  1. Guest

    Here's my problem. I used to have two routers connect via T1. To
    back up the T1, I had a tunnel running between the two routers on
    their Internet-facing ethernet ports. This worked fine; if the T1
    went down, traffic automatically routed across the tunnel, and the two
    sites stayed connected.

    Recently I added a third site, with a T1 between it and my first site.
    I wanted to create a backup tunnel, just like I did before, but now I
    learn that the ethernet port on my first site's router can only be
    configured with a single tunnel (using the crypto map command). So
    apparently I can have only one tunnel assigned to this interface.

    What to do? Can I use subinterfaces on my first site's Internet-
    facing ethernet port? If I do that, that's really going to screw up
    my IP addressing scheme. Or is there a way to assign two crypto maps
    to a router's interface, and I just don't know what it is?

    Thanks.
    , Feb 8, 2007
    #1

  2. In article <>,
    <> wrote:
    >Recent I added a third site, with a T1 between it and my first site.
    >I wanted to create a backup tunnel, just like I did before, but now I
    >learn that the ethernet port on my first site's router can only be
    >configured with a single tunnel (using the crypto map command).


    >Or is there a way to assign two crypto maps
    >to a router's interface, and I just don't know what it is?


    I don't know if the 3825 has any particular crypto restrictions,
    but generally speaking you can only have one crypto map per interface
    under IOS. You can, however, have different policy number groupings
    for the crypto map, and the different policy number groups can
    establish different attributes. For example (using PIX notation)

    crypto map vpn-map 1100 ipsec-isakmp
    crypto map vpn-map 1100 match address VPN_calgary1_acl
    crypto map vpn-map 1100 set peer ibdcalpixX
    crypto map vpn-map 1100 set transform-set vca-ea256s vpn-3-transform vc-ea256s vpn-3nat-transform vpn-transform vpn-nat-transform
    crypto map vpn-map 1200 ipsec-isakmp
    crypto map vpn-map 1200 match address VPN_calgary2_acl
    crypto map vpn-map 1200 set peer calessopixX
    crypto map vpn-map 1200 set transform-set vca-ea256s vc-ea256s vpn-3-transform vpn-3nat-transform vpn-transform vpn-nat-transform

    This configures for two tunnels on the same interface, one with
    peer ibdcalpixX and the other with peer calessopixX . I could have
    used different transform sets for the two if I had reason to; and
    you can see that I used different ACLs ('match address') to define
    the traffic for each one.
    Walter Roberson, Feb 8, 2007
    #2

  3. Guest

    On 8 Feb, 17:44, (Walter Roberson) wrote:
    > In article <>,
    >
    > <> wrote:
    > >Recent I added a third site, with a T1 between it and my first site.
    > >I wanted to create a backup tunnel, just like I did before, but now I
    > >learn that the ethernet port on my first site's router can only be
    > >configured with a single tunnel (using the crypto map command).
    > >Or is there a way to assign two crypto maps
    > >to a router's interface, and I just don't know what it is?

    >
    > I don't know if the 3825 has any particular crypto restrictions,
    > but generally speaking you can only have one crypto map per interface
    > under IOS. You can, however, have different policy number groupings
    > for the crypto map, and the different policy number groups can
    > establish different attributes. For example (using PIX notation)
    >
    > crypto map vpn-map 1100 ipsec-isakmp
    > crypto map vpn-map 1100 match address VPN_calgary1_acl
    > crypto map vpn-map 1100 set peer ibdcalpixX
    > crypto map vpn-map 1100 set transform-set vca-ea256s vpn-3-transform vc-ea256s vpn-3nat-transform vpn-transform vpn-nat-transform
    > crypto map vpn-map 1200 ipsec-isakmp
    > crypto map vpn-map 1200 match address VPN_calgary2_acl
    > crypto map vpn-map 1200 set peer calessopixX
    > crypto map vpn-map 1200 set transform-set vca-ea256s vc-ea256s vpn-3-transform vpn-3nat-transform vpn-transform vpn-nat-transform
    >
    > This configures for two tunnels on the same interface, one with
    > peer ibdcalpixX and the other with peer calessopixX . I could have
    > used different transform sets for the two if I had reason to; and
    > you can see that I used different ACLs ('match address') to define
    > the traffic for each one.


    IOS is like this: the router tries 100, 200, 201 in order for each
    request.

    crypto map CrM.fred 100 ipsec-isakmp
    set peer x.x.x.2
    set transform-set TS.3des
    match address 155
    qos pre-classify

    crypto map CrM.fred 200 ipsec-isakmp
    set peer y.y.y.3
    set transform-set TS.3des
    match address ACL.CM.1

    crypto map CrM.fred 201 ipsec-isakmp
    .......
    , Feb 9, 2007
    #3
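    A constructed check of the first-match behaviour described in the post above: IOS walks the crypto map sequence numbers from lowest to highest, so a lower-numbered entry with an over-broad crypto ACL silently steals traffic meant for a later peer. This is an added Python example, not code from the thread; the peer names x.x.x.2 / y.y.y.3, transform set TS.3des and ACL names 155 / ACL.CM.1 echo the post, while the subnets are made up.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of one IOS crypto map: several sequence numbers, each
# with its own peer, transform set and crypto ACL (permit lines only).


@dataclass(frozen=True)
class MapEntry:
    seq: int
    peer: str
    transform_set: str
    acl_name: str
    permits: tuple  # ((src_net, dst_net), ...) as CIDR strings


def _nets(line):
    src, dst = line
    return ipaddress.ip_network(src), ipaddress.ip_network(dst)


def select_entry(crypto_map, src_ip, dst_ip):
    """Return the seq of the first entry whose ACL permits src->dst.

    IOS evaluates entries in ascending sequence order and uses the first
    match, so the lowest-numbered entry wins on overlapping traffic."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        for line in entry.permits:
            src_net, dst_net = _nets(line)
            if s in src_net and d in dst_net:
                return entry.seq
    return None  # no match: the packet leaves the interface unencrypted


def shadowed_lines(crypto_map):
    """List ACL lines of later entries fully covered by an earlier entry.

    Such traffic can never reach the later entry's peer; check this before
    relying on a backup tunnel that sits behind a broader entry."""
    findings = []
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    for i, later in enumerate(ordered):
        for l_line in later.permits:
            l_src, l_dst = _nets(l_line)
            for earlier in ordered[:i]:
                for e_line in earlier.permits:
                    e_src, e_dst = _nets(e_line)
                    if l_src.subnet_of(e_src) and l_dst.subnet_of(e_dst):
                        findings.append((earlier.seq, later.seq, l_line))
    return findings


# Constructed map: entry 100 is mis-scoped to 10.0.0.0/8, so it shadows 200.
CRM_FRED = (
    MapEntry(100, "x.x.x.2", "TS.3des", "155", (("10.1.0.0/16", "10.0.0.0/8"),)),
    MapEntry(200, "y.y.y.3", "TS.3des", "ACL.CM.1", (("10.1.0.0/16", "10.3.0.0/16"),)),
)
```

    With the constructed map, traffic from 10.1.0.0/16 to 10.3.0.0/16 is sent to peer x.x.x.2 by entry 100 instead of reaching y.y.y.3, and shadowed_lines reports exactly that overlap.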
  4. Darren Green Guest

    "Walter Roberson" <> wrote in message
    news:CjJyh.913570$R63.899541@pd7urf1no...
    > In article <>,
    > <> wrote:
    >>Recent I added a third site, with a T1 between it and my first site.
    >>I wanted to create a backup tunnel, just like I did before, but now I
    >>learn that the ethernet port on my first site's router can only be
    >>configured with a single tunnel (using the crypto map command).

    >
    >>Or is there a way to assign two crypto maps
    >>to a router's interface, and I just don't know what it is?

    >
    > I don't know if the 3825 has any particular crypto restrictions,
    > but generally speaking you can only have one crypto map per interface
    > under IOS. You can, however, have different policy number groupings
    > for the crypto map, and the different policy number groups can
    > establish different attributes. For example (using PIX notation)
    >
    > crypto map vpn-map 1100 ipsec-isakmp
    > crypto map vpn-map 1100 match address VPN_calgary1_acl
    > crypto map vpn-map 1100 set peer ibdcalpixX
    > crypto map vpn-map 1100 set transform-set vca-ea256s vpn-3-transform
    > vc-ea256s vpn-3nat-transform vpn-transform vpn-nat-transform
    > crypto map vpn-map 1200 ipsec-isakmp
    > crypto map vpn-map 1200 match address VPN_calgary2_acl
    > crypto map vpn-map 1200 set peer calessopixX
    > crypto map vpn-map 1200 set transform-set vca-ea256s vc-ea256s
    > vpn-3-transform vpn-3nat-transform vpn-transform vpn-nat-transform
    >
    > This configures for two tunnels on the same interface, one with
    > peer ibdcalpixX and the other with peer calessopixX . I could have
    > used different transform sets for the two if I had reason to; and
    > you can see that I used different ACLs ('match address') to define
    > the traffic for each one.


    Just out of interest, would it not also be possible to achieve the above in
    the following ways:

    1) Use a DMVPN and have point to multipoint on each of the remote routers
    Ethernet ports as a backup. This would offer encryption and allow you to
    terminate multiple tunnels.

    2) Use multiple point to point GRE tunnels with IPSEC between the Ethernet
    ports of the above routers.

    Regards

    Darren
    Darren Green, Feb 10, 2007
    #4
  5. Guest

    On 10 Feb, 10:28, "Darren Green"
    <> wrote:
    > "Walter Roberson" <> wrote in message
    >
    > news:CjJyh.913570$R63.899541@pd7urf1no...
    >
    >
    >
    >
    >
    > > In article <>,
    > > <> wrote:
    > >>Recent I added a third site, with a T1 between it and my first site.
    > >>I wanted to create a backup tunnel, just like I did before, but now I
    > >>learn that the ethernet port on my first site's router can only be
    > >>configured with a single tunnel (using the crypto map command).

    >
    > >>Or is there a way to assign two crypto maps
    > >>to a router's interface, and I just don't know what it is?

    >
    > > I don't know if the 3825 has any particular crypto restrictions,
    > > but generally speaking you can only have one crypto map per interface
    > > under IOS. You can, however, have different policy number groupings
    > > for the crypto map, and the different policy number groups can
    > > establish different attributes. For example (using PIX notation)

    >
    > > crypto map vpn-map 1100 ipsec-isakmp
    > > crypto map vpn-map 1100 match address VPN_calgary1_acl
    > > crypto map vpn-map 1100 set peer ibdcalpixX
    > > crypto map vpn-map 1100 set transform-set vca-ea256s vpn-3-transform
    > > vc-ea256s vpn-3nat-transform vpn-transform vpn-nat-transform
    > > crypto map vpn-map 1200 ipsec-isakmp
    > > crypto map vpn-map 1200 match address VPN_calgary2_acl
    > > crypto map vpn-map 1200 set peer calessopixX
    > > crypto map vpn-map 1200 set transform-set vca-ea256s vc-ea256s
    > > vpn-3-transform vpn-3nat-transform vpn-transform vpn-nat-transform

    >
    > > This configures for two tunnels on the same interface, one with
    > > peer ibdcalpixX and the other with peer calessopixX . I could have
    > > used different transform sets for the two if I had reason to; and
    > > you can see that I used different ACLs ('match address') to define
    > > the traffic for each one.

    >
    > Just out of interest, would it not also be possible to achieve the above in
    > the following ways:
    >
    > 1) Use a DMVPN and have point to multipoint on each of the remote routers
    > Ethernet ports as a backup. This would offer encryption and allow you to
    > terminate multiple tunnels.

    Don't know but seems feasible.

    >
    > 2) Use multiple point to point GRE tunnels with IPSEC between the Ethernet
    > ports of the above routers.

    Yes.

    Done a few of these now and it's very nice. Not for the beginner though, I
    wouldn't think, since it is quite hard to get your head around at first and
    some care has to be taken. You want to be sure where the GRE packets are
    actually being routed, i.e. not down the tunnel, not down the other tunnel,
    or anywhere else you don't want them to go.
    , Feb 10, 2007
    #5
