Multiple crypto maps on a 3825 router interface

Here's my problem. I used to have two routers connect via T1. To back up the T1, I had a tunnel running between the two routers on their Internet-facing ethernet ports. This worked fine; if the T1 went down, traffic automatically routed across the tunnel, and the two sites stayed connected.

Recently I added a third site, with a T1 between it and my first site. I wanted to create a backup tunnel, just like I did before, but now I learn that the ethernet port on my first site's router can only be configured with a single tunnel (using the crypto map command). So apparently I can have only one tunnel assigned to this interface.

What to do? Can I use subinterfaces on my first site's Internet-facing ethernet port? If I do that, that's really going to screw up my IP addressing scheme. Or is there a way to assign two crypto maps to a router's interface, and I just don't know what it is?

Thanks.

Reply to
ttripp

I don't know if the 3825 has any particular crypto restrictions, but generally speaking you can only have one crypto map per interface under IOS. You can, however, have different policy number groupings for the crypto map, and the different policy number groups can establish different attributes. For example (using PIX notation):

crypto map vpn-map 1100 ipsec-isakmp
crypto map vpn-map 1100 match address VPN_calgary1_acl
crypto map vpn-map 1100 set peer ibdcalpixX
crypto map vpn-map 1100 set transform-set vca-ea256s vpn-3-transform vc-ea256s vpn-3nat-transform vpn-transform vpn-nat-transform
crypto map vpn-map 1200 ipsec-isakmp
crypto map vpn-map 1200 match address VPN_calgary2_acl
crypto map vpn-map 1200 set peer calessopixX
crypto map vpn-map 1200 set transform-set vca-ea256s vc-ea256s vpn-3-transform vpn-3nat-transform vpn-transform vpn-nat-transform

This configures two tunnels on the same interface, one with peer ibdcalpixX and the other with peer calessopixX. I could have used different transform sets for the two if I had reason to, and you can see that I used different ACLs ('match address') to define the traffic for each one.

Reply to
Walter Roberson

IOS like this: the router tries 100, 200, 201 in order for each request.

crypto map CrM.fred 100 ipsec-isakmp
 set peer x.x.x.2
 set transform-set TS.3des
 match address 155
 qos pre-classify

crypto map CrM.fred 200 ipsec-isakmp
 set peer y.y.y.3
 set transform-set TS.3des
 match address ACL.CM.1

crypto map CrM.fred 201 ipsec-isakmp
 ......

Reply to
Bod43
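A complete IOS configuration that ties the two answers above together, as an added example that is not from any poster in this thread: one crypto map with two sequence numbers (100 and 200), each with its own peer and its own interesting-traffic ACL, applied once to the Internet-facing interface. All names, addresses and pre-shared keys below are placeholders, and the transform set uses AES/SHA instead of the 3DES set quoted above.

```cisco
! --- added example: two IPsec peers on one interface through one crypto map ---
! IKE phase 1 policy shared by both peers (placeholder values)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! one pre-shared key per peer, bound to that peer's public address (placeholders)
crypto isakmp key EXAMPLE_KEY_SITE2 address 203.0.113.2
crypto isakmp key EXAMPLE_KEY_SITE3 address 198.51.100.3
!
! IKE phase 2 transform set, reused by both map entries
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! interesting traffic: one ACL per peer; the two ACLs must not overlap,
! because the lowest matching sequence number wins
ip access-list extended ACL-SITE2
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
ip access-list extended ACL-SITE3
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
! one crypto map, two sequence numbers, evaluated in ascending order
crypto map CM-BACKUP 100 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address ACL-SITE2
crypto map CM-BACKUP 200 ipsec-isakmp
 set peer 198.51.100.3
 set transform-set TS-AES
 match address ACL-SITE3
!
! the map is applied exactly once to the Internet-facing port
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map CM-BACKUP
```

`show crypto map` lists every sequence number with its peer and ACL so you can confirm both entries landed on the same interface, and `show crypto isakmp sa` shows which of the two peers currently has a live phase-1 SA.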

Just out of interest, would it not also be possible to achieve the above in the following ways:

1) Use a DMVPN and have point to multipoint on each of the remote routers' Ethernet ports as a backup. This would offer encryption and allow you to terminate multiple tunnels.

2) Use multiple point to point GRE tunnels with IPSEC between the Ethernet ports of the above routers.

Regards

Darren

Reply to
Darren Green

Don't know but seems feasible.

Yes.

Done a few of these now and it's very nice. Not for the beginner though, I wouldn't think, since it is quite hard to get your head around at first and some care has to be taken. You want to be sure where the GRE packets are actually being routed, i.e. not down the tunnel, not down the other tunnel, or anywhere else you don't want them to go.

Reply to
Bod43

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.