[c-nsp] crypto map working on outbound interface, need it to work on inbound interface

Joseph Mays mays at win.net
Tue Dec 13 17:22:38 EST 2011

So, in the example below, will this cause the vpn to connect to the peer 
from FastEthernet0/0, but identify as the ip address of FastEthernet1/1?

crypto map WinnetToSyniverse local-address FastEthernet1/1
crypto map WinnetToSyniverse 20 ipsec-isakmp
 description PHL-3845-SS7-VPN router
 set peer
 set transform-set TSI2
 match address PHL-3845-SS7-VPN
interface FastEthernet0/0
 ip address
 duplex auto
 speed auto
 crypto map WinnetToSyniverse

----- Original Message ----- 
From: "Joseph Mays" <mays at win.net>
To: <cisco-nsp at puck.nether.net>
Sent: Tuesday, December 13, 2011 3:41 PM
Subject: [c-nsp] crypto map working on outbound interface, need it to work on 
inbound interface

> Have a crypto map that was working to build a tunnel between 
> and Peers for the vpn tunnel were and 
> Due to some network changes, which was the 
> egress interface toward the remote end, is now an ingress interface. 
> Still, I don't see why this should matter. The access list is the same, 
> it's just traffic coming in through the interface rather than out of it.
> Crypto Map "WinnetToSyniverse" 20 ipsec-isakmp
>        Description: PHL-3845-SS7-VPN router
>        Peer =
>        Extended IP access list PHL-3845-SS7-VPN
>            access-list PHL-3845-SS7-VPN permit ip host host 
>        Current peer:
>        Security association lifetime: 4608000 kilobytes/3600 seconds
>        PFS (Y/N): N
>        Transform sets={
>                TSI2,
>        }
>        Interfaces using crypto map WinnetToSyniverse:
>               FastEthernet1/1
> The packets for the access list should match regardless of direction, but 
> it acts like it's not matching packets to the access list and not even 
> trying to start the vpn.
> Router#show crypto isakmp sa
> dst             src             state          conn-id slot status
> Nothing there.
> I can ping from the router even when I set the source 
> address to the address of the ingress interface, and can ping 
> the host we are trying to talk to across the vpn, from 
> I moved the crypto map command to the outside interface and it started 
> matching packets and tried to bring the vpn tunnel up, but that failed, I'm 
> guessing because the source address changed to the address of the egress 
> interface, which would not be the address configured in the remote side. 
> So I want to use the ingress interface and its address so we don't have to 
> go through a complex process to get the other side to reconfigure.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/ 
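As an added example (not from the thread, and not Cisco's own tooling), the small Python model below encodes the two IOS rules this thread turns on: a crypto map only evaluates traffic leaving the interface it is bound to, and `crypto map ... local-address` substitutes another interface's address as the tunnel source and identity. The sample config is constructed from the post's snippet with placeholder documentation addresses, since the real ones were stripped.

```python
import re

# Constructed sample config modelled on the thread; the post's real addresses
# were stripped, so these are RFC 5737 documentation addresses, not the poster's.
SAMPLE_CONFIG = """\
crypto map WinnetToSyniverse local-address FastEthernet1/1
crypto map WinnetToSyniverse 20 ipsec-isakmp
 description PHL-3845-SS7-VPN router
 set peer 198.51.100.10
 set transform-set TSI2
 match address PHL-3845-SS7-VPN
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map WinnetToSyniverse
interface FastEthernet1/1
 ip address 203.0.113.1 255.255.255.0
"""

def parse_ios(config):
    """Minimal IOS parser: crypto-map local-address bindings, interface
    addresses, and which interfaces each crypto map is applied to."""
    local_addr, iface_ip, applied = {}, {}, {}
    iface = None
    for line in config.splitlines():
        if line.startswith(' ') and iface:          # inside an interface block
            m = re.match(r' ip address (\S+) \S+', line)
            if m:
                iface_ip[iface] = m.group(1)
            m = re.match(r' crypto map (\S+)', line)
            if m:
                applied.setdefault(m.group(1), []).append(iface)
            continue
        iface = None                                # top-level command
        m = re.match(r'crypto map (\S+) local-address (\S+)', line)
        if m:
            local_addr[m.group(1)] = m.group(2)
        m = re.match(r'interface (\S+)', line)
        if m:
            iface = m.group(1)
    return local_addr, iface_ip, applied

def tunnel_source(config, map_name, egress_iface):
    """Address the router presents to the peer when interesting traffic leaves
    via egress_iface, or None when the map never sees that traffic (the map is
    bound to an interface the traffic only enters, as in the original post)."""
    local_addr, iface_ip, applied = parse_ios(config)
    if egress_iface not in applied.get(map_name, []):
        return None
    return iface_ip.get(local_addr.get(map_name, egress_iface))
```

Dropping the `local-address` line from the sample makes `tunnel_source` fall back to the egress interface's own address, which is the identity change the post describes after moving the map.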
