[c-nsp] crypto map working on outbound interface, need it to work on inbound interface

Joseph Mays mays at win.net
Tue Dec 13 15:41:42 EST 2011

Have a crypto map that was working to build a tunnel between 
and Peers for the vpn tunnel were and Due to some network changes, which was the 
egress interface toward the remote end, is now an ingress interface. Still, 
I don't see why this should matter. The access list is the same, it's just 
traffic coming in through the interface rather than out of it.

Crypto Map "WinnetToSyniverse" 20 ipsec-isakmp
        Description: PHL-3845-SS7-VPN router
        Peer =
        Extended IP access list PHL-3845-SS7-VPN
            access-list PHL-3845-SS7-VPN permit ip host host
        Current peer:
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
        Interfaces using crypto map WinnetToSyniverse:

The packets for the access list should match regardless of direction, but it 
acts like it's not matching packets to the access list and not even trying 
to start the vpn.

Router#show crypto isakmp sa
dst             src             state          conn-id slot status

Nothing there.

I can ping from the router even when I set the source address 
to the address of the ingress interface, and can ping the host 
we are trying to talk to across the vpn, from

I moved the crypto map command to the outside interface and it started 
matching packets and tried to bring the vpn tunnel up, but that failed, I'm 
guessing because the source address changed to the address of the egress 
interface, which would not be the address configured on the remote side. So 
I want to use the ingress interface and its address so we don't have to go 
through a complex process to get the other side to reconfigure.
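For reference, an added IOS configuration sketch (not part of the original post, and not the poster's config): a crypto map only evaluates traffic leaving the interface it is applied to, so it belongs on the egress interface, while `crypto map ... local-address` keeps the ISAKMP/IPsec source address pinned to another interface. The interface names, peer address, host addresses and transform set below are placeholders.

```cisco
! Placeholder addresses and interface names; only the crypto map and ACL
! names come from the original post.
ip access-list extended PHL-3845-SS7-VPN
 permit ip host 192.0.2.10 host 198.51.100.20

crypto ipsec transform-set TS-PLACEHOLDER esp-aes esp-sha-hmac

! Source all ISAKMP/IPsec traffic from the interface the remote peer
! already has configured (here the former egress, now ingress, interface),
! regardless of which interface the crypto map is bound to.
crypto map WinnetToSyniverse local-address GigabitEthernet0/0

crypto map WinnetToSyniverse 20 ipsec-isakmp
 description PHL-3845-SS7-VPN router
 set peer 203.0.113.1
 set transform-set TS-PLACEHOLDER
 match address PHL-3845-SS7-VPN

! Bind the map to the interface the protected traffic actually exits.
interface GigabitEthernet0/1
 crypto map WinnetToSyniverse
```

To confirm the ACL is being hit, watch the "pkts encaps" and "pkts encrypt" counters in `show crypto ipsec sa` after sending interesting traffic; `show crypto map` lists which interfaces the map is bound to and which local address is in use.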
