IPsec configuration

Hi there!

I have a working VPN setup (between a router and a PIX) based on crypto
maps. For education's sake, I tried to replace the crypto map by a tunnel
interface on the router. Basically, it looks like this:


crypto map fw 101 ipsec-isakmp
  set peer X
  set transform-set vpn
  match address 101

has been changed to

crypto ipsec profile vpn
  set transform-set vpn
interface Tunnel1
  no ip address
  tunnel source FastEthernet0
  tunnel destination X
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile vpn


The ISAKMP part is left unchanged, the relevant parameters look comparable.
I'm aware that a route to the remote network is missing to make things work
but the problem is that the tunnel doesn't come up (see "show ip int
brief") so that the route is ignored.

What I'm wondering now is whether crypto maps and tunnel interfaces are
just different notations for the same thing (which would make them
interchangeable) or if they are completely different from each other. IOW:
can I use tunnel interfaces with a PIX or just with another tunnel
interface at the remote end?

TIA

    fw

Re: IPsec configuration
Frank Winkler wrote:
The Virtual Tunnel Interface and the crypto map are not interchangeable.

Re: IPsec configuration
Joe Beasley wrote:

  >The Virtual Tunnel Interface and the crypto map are not interchangeable.

I see - and why not? What's the technical difference?

Regards

    fw
