[c-nsp] dynamic crypto maps and multiple endpoints?

Michael Markstaller mm at elabnet.de
Sat Apr 23 05:13:09 EDT 2005


Crypto isakmp profiles were added in 12.2(15)T, so this probably won't help, as Gert wrote about "old IOS".
I have some doubt whether it will work that way, because with match identity address 0.0.0.0 0.0.0.0 you'll always end up in SITE_1-profile with your IKE SA.

Michael

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sebastian
Sent: Friday, April 22, 2005 10:19 PM
To: Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] dynamic crypto maps and multiple endpoints?


Hi Gert,

Did you try that way:

crypto keyring SITE_1
 crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto keyring SITE_2
 crypto isakmp key OtherCisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto isakmp profile SITE_1-profile
   keyring SITE_1
   match identity address 0.0.0.0 0.0.0.0
!
crypto isakmp profile SITE_2-profile
   keyring SITE_2
   match identity address 0.0.0.0 0.0.0.0
!
crypto dynamic-map SITE_1-map 10
 set transform-set rtpset
 set isakmp-profile SITE_1-profile
 reverse-route
!
crypto dynamic-map SITE_2-map 10
 set transform-set rtpset
 set isakmp-profile SITE_2-profile
 reverse-route
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap

As I created it on the fly, it is possible I made a mistake, but basically it is the way it works at my lab.
There is no ACL here, because I do not need them, if you do, please try to apply them acc. to your needs.

Hope this helps

Sebastian
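
Added example (not part of either message): a small Python check that flags ISAKMP profiles whose "match identity address" ranges overlap, which is the condition the reply above says leaves every IKE SA in SITE_1-profile. The function names and the DISTINCT sample, with its documentation-range peer addresses, are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: the two profile stanzas quoted above (keyring lines omitted).
QUOTED = """\
crypto isakmp profile SITE_1-profile
   match identity address 0.0.0.0 0.0.0.0
crypto isakmp profile SITE_2-profile
   match identity address 0.0.0.0 0.0.0.0
"""

# Constructed variant: one peer address per site (assumed documentation addresses).
DISTINCT = """\
crypto isakmp profile SITE_1-profile
   match identity address 192.0.2.10 255.255.255.255
crypto isakmp profile SITE_2-profile
   match identity address 198.51.100.20 255.255.255.255
"""

PROFILE = re.compile(r"^crypto isakmp profile (\S+)")
MATCH = re.compile(r"^\s+match identity address ([\d.]+)(?:\s+([\d.]+))?")

def parse_profiles(config):
    """Return [(profile_name, [IPv4Network, ...])] in configuration order."""
    profiles = []
    for line in config.splitlines():
        if m := PROFILE.match(line):
            profiles.append((m.group(1), []))
        elif (m := MATCH.match(line)) and profiles:
            mask = m.group(2) or "255.255.255.255"  # no mask means a single host
            net = ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False)
            profiles[-1][1].append(net)
    return profiles

def overlapping_profiles(config):
    """Return (later, earlier) pairs whose match ranges share at least one address."""
    profiles = parse_profiles(config)
    findings = []
    for i, (later, later_nets) in enumerate(profiles):
        for earlier, earlier_nets in profiles[:i]:
            if any(a.overlaps(b) for a in later_nets for b in earlier_nets):
                findings.append((later, earlier))
    return findings

if __name__ == "__main__":
    print("quoted:  ", overlapping_profiles(QUOTED))
    print("distinct:", overlapping_profiles(DISTINCT))
```

A reported pair means a peer in the shared range cannot be tied to one profile, and therefore one keyring, by address alone.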
