[c-nsp] Cisco IPSEC Configuration

Righa Shake righa.shake at gmail.com
Fri Dec 17 07:33:30 EST 2010


Chris,

Below is my sample config

!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share


crypto isakmp key Link1 address X.X.X.X
crypto isakmp key link2 address Y.Y.Y.Y
crypto isakmp key link3 address Z.Z.Z.Z
!
!
crypto ipsec transform-set MYCRYPTO1 esp-3des esp-sha-hmac
crypto ipsec transform-set MYCRYPTO2 esp-aes 256 esp-sha-hmac
!
crypto map MYCRYPTOMAP 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set MYCRYPTO1
 match address VPNTRAFF
crypto map MYCRYPTOMAP 20 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set MYCRYPTO2
 match address VPNTRAFF
crypto map MYCRYPTOMAP 30 ipsec-isakmp
 set peer Z.Z.Z.Z
 set transform-set MYCRYPTO2
 match address VPNTRAFF




ip access-list extended VPNTRAFF
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.10.11.0 0.0.0.255

!
!
!
interface FastEthernet0/1
 description LINK_TO_PROVIDER
 ip address 172.16.1.1 255.255.255.252
 ip virtual-reassembly
 crypto map MYCRYPTOMAP



On running show crypto sa,

I am only seeing the X.X.X.X sessions;

the other sessions don't appear.

Regards,
Shake Righa
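As an added example (not code from the thread or from Cisco): a small Python check over a constructed copy of the crypto map posted above that flags entries whose match ACL is already claimed by a lower-sequence entry in the same map. IOS evaluates crypto map entries in sequence order and uses the first entry whose ACL matches the traffic, so a later entry that reuses the same ACL never negotiates an SA; the X/Y/Z peers are placeholders.

```python
import re

# Constructed sample modelled on the crypto map posted above; X/Y/Z peers are
# placeholders, not the poster's real addresses (transform-set lines omitted).
SAMPLE_CONFIG = """\
crypto map MYCRYPTOMAP 10 ipsec-isakmp
 set peer X.X.X.X
 match address VPNTRAFF
crypto map MYCRYPTOMAP 20 ipsec-isakmp
 set peer Y.Y.Y.Y
 match address VPNTRAFF
crypto map MYCRYPTOMAP 30 ipsec-isakmp
 set peer Z.Z.Z.Z
 match address VPNTRAFF
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$")


def parse_crypto_maps(text):
    """Return {map_name: [entry, ...]} with entries ordered by sequence number."""
    maps, cur = {}, None
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            cur = {"seq": int(m.group(2)), "peer": None, "acl": None}
            maps.setdefault(m.group(1), []).append(cur)
            continue
        if cur is None or not line.startswith(" "):
            cur = None  # any unindented line ends the crypto map block
            continue
        tok = line.split()
        if tok[:2] == ["set", "peer"]:
            cur["peer"] = tok[2]
        elif tok[:2] == ["match", "address"]:
            cur["acl"] = tok[2]
    return {k: sorted(v, key=lambda e: e["seq"]) for k, v in maps.items()}


def shadowed_entries(maps):
    """IOS uses the first crypto map entry (by sequence) whose ACL matches, so a
    later entry reusing that ACL never matches. Returns one tuple per such entry:
    (map_name, seq, peer, acl, shadowing_seq)."""
    findings = []
    for name, entries in maps.items():
        first_seq = {}
        for e in entries:
            if e["acl"] in first_seq:
                findings.append((name, e["seq"], e["peer"], e["acl"], first_seq[e["acl"]]))
            else:
                first_seq[e["acl"]] = e["seq"]
    return findings
```

Run against the sample, the check reports sequences 20 and 30 as shadowed by sequence 10, which matches seeing only the X.X.X.X SA; giving each peer its own ACL covering only that peer's remote subnets clears the finding.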



On Fri, Dec 17, 2010 at 3:55 AM, Christopher J. Wargaski
<wargo1 at gmail.com> wrote:

> Hello Shake--
>
>    There is no problem having several tunnels on the same interface,
> however, they must be in the same crypto map. Here is an example:
>
> crypto map L2L-map 1 ipsec-isakmp
>  description RMS test
>  set peer 11.22.33.44
>  set security-association lifetime seconds 86400
>  set transform-set ESP-AES-256-MD5
>  match address RMS
> crypto map L2L-map 2 ipsec-isakmp
>  description Chicago DC
>  set peer 66.77.88.99
>  set security-association lifetime seconds 86400
>  set transform-set ESP-AES-256-MD5
>  match address Chicago
> crypto map L2L-map 3 ipsec-isakmp
>  description Regina HQ
>  set peer 66.44.55.22
>  set security-association lifetime seconds 86400
>  set transform-set ESP-AES-256-MD5
>  match address Regina-HQ
>
>  ...
> interface GigabitEthernet0/0
>  description Internet - Outside
>  ip address 33.44.55.66 255.255.255.0
>  ip access-group autosec_firewall_acl in
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip inspect autosec_inspect out
>  ip policy route-map VPN-PBR-map
>  duplex full
>  speed 100
>  no cdp enable
>  no mop enabled
>  crypto map L2L-map
>
>      Could you post a sanitized copy of your configuration?
>
> cjw
>
>
> Date: Thu, 16 Dec 2010 13:55:00 +0300
>> From: Righa Shake <righa.shake at gmail.com>
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Cisco IPSEC Configuration
>> Message-ID: <AANLkTi=_1awiokKo3ZKxg+dzMZBSE9_fungROsamS8f1 at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>>
>> I am having several IPsec configurations on the same interface on a router;
>>
>> however, when I run the
>> show crypto session detail command I am only seeing a single session and not
>> the other session I am trying to bring up.
>>
>> What could be the problem?
>>
>>
>> Regards,
>> Shake
>>
>>

