[c-nsp] crypto map working on outbound interface, need it to work on inbound interface
Joseph Mays
mays at win.net
Tue Dec 13 17:22:38 EST 2011
So, in the example below, will this cause the vpn to connect to the peer
from FastEthernet0/0, but identify as the ip address of FastEthernet1/1?
crypto map WinnetToSyniverse local-address FastEthernet1/1
crypto map WinnetToSyniverse 20 ipsec-isakmp
description PHL-3845-SS7-VPN router
set peer 65.119.118.136
set transform-set TSI2
match address PHL-3845-SS7-VPN
!
!
!
interface FastEthernet0/0
ip address 216.135.80.50 255.255.255.252
duplex auto
speed auto
crypto map WinnetToSyniverse
----- Original Message -----
From: "Joseph Mays" <mays at win.net>
To: <cisco-nsp at puck.nether.net>
Sent: Tuesday, December 13, 2011 3:41 PM
Subject: [c-nsp] crypto map working on outbound interface, need it to work on inbound interface
> Have a crypto map that was working to build a tunnel between 65.119.118.75
> and 24.235.0.25. Peers for the vpn tunnel were 24.235.0.26 and
> 65.119.118.136. Due to some network changes 24.235.0.26, which was the
> egress interface toward the remote end, is now an ingress interface.
> Still, I don't see why this should matter. The access list is the same,
> it's just traffic coming in through the interface rather than out of it.
>
> Crypto Map "WinnetToSyniverse" 20 ipsec-isakmp
> Description: PHL-3845-SS7-VPN router
> Peer = 65.119.118.136
> Extended IP access list PHL-3845-SS7-VPN
> access-list PHL-3845-SS7-VPN permit ip host 24.235.0.25 host 65.119.118.76
> Current peer: 65.119.118.136
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> TSI2,
> }
> Interfaces using crypto map WinnetToSyniverse:
> FastEthernet1/1
>
> The packets for the access list should match regardless of direction, but
> it acts like it's not matching packets to the access list and not even
> trying to start the vpn.
>
> Router#show crypto isakmp sa
> dst src state conn-id slot status
>
> Nothing there.
>
> I can ping 65.119.118.136 from the router even when I set the source
> address to the address of the ingress interface, 24.235.0.26, and can ping
> the host we are trying to talk to across the vpn, 65.119.118.76, from
> 24.235.0.25.
>
> I moved the crypto map command to the outside interface and it started
> matching packets and tried to bring the vpn tunnel up, but that failed. I'm
> guessing because the source address changed to the address of the egress
> interface, which would not be the address configured in the remote side.
> So I want to use the ingress interface and its address so we don't have to
> go through a complex process to get the other side to reconfigure.
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
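Added example for readers of this thread (not part of the original post or the cisco-nsp archive): the complete single-side IOS configuration that the `local-address` approach in the reply implies. The crypto map is applied to FastEthernet0/0, the interface that traffic for 65.119.118.76 now exits, so outbound packets can match the crypto ACL, while `crypto map WinnetToSyniverse local-address FastEthernet1/1` makes IKE and ESP originate from FastEthernet1/1's address, so the remote side keeps seeing the peer address it already has configured. The post shows only the map entry, the ACL, the peer and the FastEthernet0/0 address; the ISAKMP policy, the pre-shared key placeholder, the contents of transform set TSI2, and the 24.235.0.26/30 address on FastEthernet1/1 are assumptions (24.235.0.26 is inferred from the post, which names it as the former egress address and lists FastEthernet1/1 as the interface carrying the map).

```cisco
! IKEv1 (ISAKMP) policy - values assumed; the post does not show them
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! Pre-shared key bound to the peer address. REPLACE-ME is a placeholder;
! use a long random secret and keep it out of shared configs.
crypto isakmp key REPLACE-ME address 65.119.118.136
!
! Transform set TSI2 - contents assumed
crypto ipsec transform-set TSI2 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL from the post: one direction of the protected flow.
! The remote side must carry the mirror image
! (permit ip host 65.119.118.76 host 24.235.0.25).
ip access-list extended PHL-3845-SS7-VPN
 permit ip host 24.235.0.25 host 65.119.118.76
!
! Source IKE and ESP from FastEthernet1/1's address, whichever interface
! the map is applied to. Without this line the router would use the
! address of the interface carrying the map (216.135.80.50).
crypto map WinnetToSyniverse local-address FastEthernet1/1
crypto map WinnetToSyniverse 20 ipsec-isakmp
 description PHL-3845-SS7-VPN router
 set peer 65.119.118.136
 set transform-set TSI2
 match address PHL-3845-SS7-VPN
!
! Former egress interface, now ingress. Address inferred from the post,
! mask assumed. No crypto map here: nothing for the peer leaves this way.
interface FastEthernet1/1
 ip address 24.235.0.26 255.255.255.252
!
! The map goes on the interface that packets to 65.119.118.76 exit through
interface FastEthernet0/0
 ip address 216.135.80.50 255.255.255.252
 duplex auto
 speed auto
 crypto map WinnetToSyniverse
```

Two checks and one caveat. After applying this, `show crypto map` should list FastEthernet0/0 under "Interfaces using crypto map" and show the local-address interface, and once 24.235.0.25 sends traffic toward 65.119.118.76, `show crypto isakmp sa` should show a source of 24.235.0.26 and a destination of 65.119.118.136 (the post's empty output was the symptom of the map sitting on an interface the traffic never exited). The caveat: the peer's IKE (UDP/500) and ESP replies to 24.235.0.26 must arrive on FastEthernet0/0, the interface carrying the crypto map, to be decrypted; if return traffic for 24.235.0.26 comes in through FastEthernet1/1 instead, the tunnel will negotiate but the protected traffic will be dropped, so confirm the path with `traceroute` from the peer side or `debug crypto ipsec` before declaring the move finished.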