[c-nsp] dynamic crypto maps and multiple endpoints?
Michael Markstaller
mm at elabnet.de
Sat Apr 23 05:13:09 EDT 2005
crypto isakmp profiles were added in 12.2(15)T so this won't help probably as Gert wrote about "old IOS"..
I have some doubt whether it will work that way, because with match identity address 0.0.0.0 0.0.0.0 you'll always end up in SITE_1-profile with your IKE SA.
Michael
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sebastian
Sent: Friday, April 22, 2005 10:19 PM
To: Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] dynamic crypto maps and multiple endpoints?
Hi Gert,
Did you try that way:
crypto keyring SITE_1
 crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto keyring SITE_2
 crypto isakmp key OtherCisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto isakmp profile SITE_1-profile
 keyring SITE_1
 match identity address 0.0.0.0 0.0.0.0
!
crypto isakmp profile SITE_2-profile
 keyring SITE_2
 match identity address 0.0.0.0 0.0.0.0
!
crypto dynamic-map SITE_1-map 10
 set transform-set rtpset
 set isakmp-profile SITE_1-profile
 reverse-route
!
crypto dynamic-map SITE_2-map 10
 set transform-set rtpset
 set isakmp-profile SITE_2-profile
 reverse-route
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
As I created it on the fly, it is possible I made a mistake, but basically it is the way it works at my lab.
There is no ACL here, because I do not need them, if you do, please try to apply them acc. to your needs.
Hope this helps
Sebastian
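
Added example, not part of either message above: a Python check for the overlap raised in the reply, where a later ISAKMP profile's match identity address range is already fully covered by an earlier profile and so would never be selected. It assumes the first matching profile wins, as the reply states; the function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the profile section of the configuration quoted above.
SAMPLE_CONFIG = """\
crypto isakmp profile SITE_1-profile
 keyring SITE_1
 match identity address 0.0.0.0 0.0.0.0
!
crypto isakmp profile SITE_2-profile
 keyring SITE_2
 match identity address 0.0.0.0 0.0.0.0
!
"""

PROFILE_RE = re.compile(r"^crypto isakmp profile (\S+)")
MATCH_RE = re.compile(r"^\s+match identity address (\S+)(?: (\S+))?")


def parse_profiles(config):
    """Return [(profile_name, [IPv4Network, ...])] in configuration order."""
    profiles = []
    for line in config.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profiles.append((m.group(1), []))
            continue
        m = MATCH_RE.match(line)
        if m and profiles:
            # A match statement without a mask is treated as a single host.
            addr, mask = m.group(1), m.group(2) or "255.255.255.255"
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            profiles[-1][1].append(net)
    return profiles


def shadowed_profiles(config):
    """Return [(later, earlier, network)] where every peer the later match
    covers is already covered by a profile defined before it."""
    findings = []
    seen = []  # (profile_name, network) collected from earlier profiles
    for name, nets in parse_profiles(config):
        for net in nets:
            for earlier, enet in seen:
                if net.subnet_of(enet):
                    findings.append((name, earlier, str(net)))
                    break
        seen.extend((name, n) for n in nets)
    return findings
```
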