Converting crypto map to unnumbered VTI
I'm trying to convert a crypto map VPN to an ip unnumbered VTI. The crypto map has been working for months. The VTI... not so much. Here are the applicable config entries.
### original config
```
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address 10.1.1.10
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map CRYPTO 50 ipsec-isakmp
 set peer 10.1.1.10
 set transform-set 3DES-SHA
 set pfs group2
 match address VPN1
ip access-list extended VPN1
 permit ip host 172.16.16.10 host 10.5.5.1
 permit ip host 172.16.16.10 host 10.5.5.4
```
I only removed the crypto map and added the following.
### New Config
```
crypto ipsec profile V1
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA
 set pfs group2
interface Tunnel0
 ip unnumbered FastEthernet0/0
 ip nat outside
 ip virtual-reassembly
 tunnel source 172.16.8.1
 tunnel destination 10.1.1.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile V1
```
I keep getting this ISAKMP error now.
```
ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.1.1.10)
```
Any help would be greatly appreciated. Also... I have no idea what is running on the other end (it's a partner network), but I suspect it's a crypto map on IOS.
Thank you!
Access-lists, FW (ZBF, CBAC) and all other features work on an SVTI the same way they would work on a physical or other logical interface (with very few exceptions).
### Similar Messages
-
Hi,
I have a VPN router with VRFs for every customer and also for the Internet connection.
The router runs many DMVPNs and static VTIs.
Now I must configure a new VPN based on a crypto map.
I've read that it's impossible to terminate a crypto map and a VTI on the same physical interface.
So I've installed a new physical interface to terminate the crypto map.
This is the configuration I inserted into the running configuration:
```
crypto keyring KEYRING-Customer vrf OUTSIDE_CM
 pre-shared-key address a.b.c.d key KEY
crypto isakmp policy 100
 encr aes 256
 hash sha1
 group 14
 authentication pre-share
ip access-list extended ACL-Customer
 10 permit ip 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255
crypto isakmp profile Customer
 keyring KEYRING-Customer
 match identity address a.b.c.d 255.255.255.255 OUTSIDE_CM
 local-address Gig0/0
 vrf Customer
crypto map CMAP 10 ipsec-isakmp
 set peer a.b.c.d
 set transform-set AES256
 set isakmp-profile Customer
 match address ACL-Customer
 set pfs group14
interface GigabitEthernet0/0
 vrf forwarding Customer
 ip address 1.2.3.4 255.255.255.0
 crypto map CMAP
```
But I see nothing on the router. With debug crypto isakmp I can't see any traffic for this VPN.
Where is my mistake?
The OUTSIDE_CM VRF is the VRF for WWW traffic.
The Customer VRF is the customer LAN.
Many thanks
BR Martin
Marcin,
The reason why I don't use VTI in this case is very simple. I transfer the old VPN from a PIX and I'm not sure if it is possible to run this VPN with VTI, because the other side is not configured by us.
And it's not a Cisco device. What do you think.... When I try to use a VTI, how does the other side check the crypto map? Because, normally, when an ASA for example builds a VPN, the devices check which crypto map is configured on the other side, and if the crypto map isn't identical, the VPN doesn't come up.....
Thanks for your help. It's my first router with VPNs. Normally I use ASAs. But I think with a router we are more flexible... QoS, OSPF etc....
BR M -
Hello
I am wondering if it is possible to have an IPsec tunnel configuration in which one side of the tunnel is configured with a static VTI and the other with a traditional crypto map.
If yes, how should the configuration on the side with the crypto map look?
Thank you in advance for an answer.
Regards
Lukas
Lukasz,
This config is impractical for a few reasons.
VTI dictates that an "any any" proxy ID set is negotiated. While this works well on a virtual interface, where routing can push traffic towards a specific interface, it will cause ALL traffic to be encrypted on the crypto map side, and that side will expect all traffic to be encrypted when it's received (since the crypto map is part of OCE along the output path).
A more practical approach in the Cisco world is multi-SA DVTI, where a DVTI can terminate almost any kind of initiated tunnel (i.e. we allow DVTI to handle multiple SAs under one virtual interface); it works very well in some cases.
You can have DVTI on your end and allow customers to use almost anything (ranging from SVTI to crypto maps).
I'll also shoot you an email in parallel, just a bit stuck on something at the moment.
M. -
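Marcin's proxy-ID point is also what the opening thread runs into when an SVTI replaces a crypto map: the SVTI proposes any/any selectors, and a crypto map peer whose ACL lists two host pairs has nothing that covers them. The Python model below is an added example, not Cisco code or anything from this thread; it assumes a simplified responder rule (the mirrored proposal must be equal to or narrower than one permit entry of the crypto ACL) and reuses the hosts from the original question's VPN1 list.

```python
"""Model of how an IKEv1 Quick Mode responder that uses a crypto map judges
the proxy IDs (traffic selectors) an initiator proposes.
Added example, not Cisco code. Assumption of the model: the responder
accepts a proposal only if, after mirroring, it is equal to or narrower
than one permit entry of its crypto ACL."""
from ipaddress import ip_network

# Constructed crypto ACL on the crypto map side: the mirror image of the
# VPN1 access list in the first thread (10.5.5.x hosts <-> 172.16.16.10).
CRYPTO_MAP_ACL = [
    ("permit", "10.5.5.1/32", "172.16.16.10/32"),
    ("permit", "10.5.5.4/32", "172.16.16.10/32"),
]
# The only crypto ACL that can accept an SVTI peer: any/any, at the price
# of diverting everything the crypto map side forwards into the tunnel.
ANY_ANY_ACL = [("permit", "0.0.0.0/0", "0.0.0.0/0")]

# Proposals are (initiator_local, initiator_remote).
SVTI_PROPOSAL = ("0.0.0.0/0", "0.0.0.0/0")                # tunnel mode ipsec ipv4
CRYPTO_MAP_PROPOSAL = ("172.16.16.10/32", "10.5.5.1/32")  # from match address VPN1


def responder_accepts(acl, proposal):
    """Return the (src, dst) ACL entry that covers the proposal, or None if
    the responder would reject the Quick Mode proposal."""
    init_local, init_remote = (ip_network(p) for p in proposal)
    # The responder's local/remote are the initiator's remote/local.
    resp_local, resp_remote = init_remote, init_local
    for action, src, dst in acl:
        if action != "permit":
            continue
        if resp_local.subnet_of(ip_network(src)) and resp_remote.subnet_of(ip_network(dst)):
            return (src, dst)
    return None


def addresses_forced_into_tunnel(acl):
    """Number of destination addresses the crypto map side would divert into
    the tunnel, i.e. the cost of an any/any crypto ACL."""
    return sum(ip_network(dst).num_addresses for action, _, dst in acl if action == "permit")


if __name__ == "__main__":
    for acl_name, acl in (("host/host ACL", CRYPTO_MAP_ACL), ("any/any ACL", ANY_ANY_ACL)):
        for label, prop in (("SVTI", SVTI_PROPOSAL), ("crypto map", CRYPTO_MAP_PROPOSAL)):
            hit = responder_accepts(acl, prop)
            print(f"{acl_name:14} <- {label:10} proposal {prop}: "
                  + (f"accepted via {hit}" if hit else "rejected"))
        print(f"{acl_name:14} diverts {addresses_forced_into_tunnel(acl)} destination addresses")
```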
Using Crypto Maps and IPsec Static VTI's on the same router
Is it possible to configure both crypto maps and IPsec static VTI's on the same router? What platforms have this capability? What IOS version do I need?
Yes you can, and as far as I know I don't think there is a hardware dependency.
VTI mode 'tunnel mode ipsec ipv4' was added in 12.3(14)T.
If you are mixing tunnel protection and crypto maps, ensure you use isakmp profiles to differentiate somehow, so that the tunnel's IPsec connection is not processed on the crypto map!
Here is a rough example (fine tune it as needed):
```
crypto keyring key1
 pre-shared-key address 1.1.1.1 key test123
crypto keyring key2
 pre-shared-key address 7.7.7.7 key test777
crypto isakmp profile vpn1
 keyring key1
 match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile vpn2
 keyring key2
 match identity address 7.7.7.7 255.255.255.255
crypto ipsec transform-set test esp-des esp-sha-hmac
crypto ipsec profile vpn-tunnel
 set transform-set test
 set isakmp-profile vpn1
crypto map mymap 1 ipsec-isakmp
 set transform-set test
 set peer 7.7.7.7
 set isakmp-profile vpn2
 match address 177
interface Tunnel0
 ip address 10.0.51.217 255.255.255.0
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn-tunnel
interface Ethernet4
 ip address 2.2.2.2 255.255.255.0
 crypto map mymap
```
Regards,
Uwe -
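A small linter for the separation rule Uwe describes, as an added example (not Cisco code or a Cisco tool): it parses the config into blocks and reports crypto map entries that are incomplete, entries with no isakmp profile on a box that also has tunnel protection, profiles whose identity does not match the crypto map peer, and one isakmp profile shared by a crypto map and an IPsec profile. SAMPLE is a constructed, trimmed copy of his config (keyrings and the physical interface left out); the check names and messages are the example's own.

```python
"""Lint an IOS config that mixes crypto maps with tunnel-protected SVTIs:
each crypto map entry must be complete, each crypto map entry and IPsec
profile must use its own ISAKMP profile, and that profile's identity must
match the crypto map peer. Added example, not Cisco code."""

# Constructed, trimmed copy of the rough example given in the answer above.
SAMPLE = """\
crypto isakmp profile vpn1
 match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile vpn2
 match identity address 7.7.7.7 255.255.255.255
crypto ipsec profile vpn-tunnel
 set isakmp-profile vpn1
crypto map mymap 1 ipsec-isakmp
 set transform-set test
 set peer 7.7.7.7
 set isakmp-profile vpn2
 match address 177
interface Tunnel0
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile vpn-tunnel
"""

def parse_blocks(config):
    """Split IOS config into (header, [sub-commands]) using the 1-space indent."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip():
            blocks.append((line.strip(), []))
    return blocks

def first(body, prefix):
    """Value after PREFIX on the first matching sub-command, or None."""
    return next((c[len(prefix):] for c in body if c.startswith(prefix)), None)

def lint_mixed_ipsec(config):
    """Return a list of findings; an empty list means the config is clean."""
    isakmp, ipsec, maps, tunnels = {}, {}, {}, {}
    for head, body in parse_blocks(config):
        w = head.split()
        if head.startswith("crypto isakmp profile "):
            isakmp[w[3]] = {c.split()[3] for c in body if c.startswith("match identity address ")}
        elif head.startswith("crypto ipsec profile "):
            ipsec[w[3]] = first(body, "set isakmp-profile ")
        elif head.startswith("crypto map ") and "ipsec-isakmp" in w:
            maps[f"{w[2]} {w[3]}"] = {k: first(body, p) for k, p in (
                ("peer", "set peer "), ("acl", "match address "),
                ("ts", "set transform-set "), ("prof", "set isakmp-profile "))}
        elif head.startswith("interface ") and first(body, "tunnel protection ipsec profile "):
            tunnels[w[1]] = first(body, "tunnel protection ipsec profile ")
    out = []
    for name, m in maps.items():
        out += [f"crypto map {name}: incomplete, missing {k}" for k in ("peer", "acl", "ts") if not m[k]]
        if tunnels and not m["prof"]:
            out.append(f"crypto map {name}: no isakmp-profile, so IKE from a VTI peer may be "
                       "processed by this crypto map instead of the tunnel")
        elif m["prof"] and m["peer"] and m["peer"] not in isakmp.get(m["prof"], set()):
            out.append(f"crypto map {name}: isakmp profile {m['prof']} does not match peer {m['peer']}")
    # One ISAKMP profile serving both a crypto map and an IPsec profile defeats the separation.
    for p in {v for v in ipsec.values() if v} & {m["prof"] for m in maps.values()}:
        out.append(f"isakmp profile {p} is shared by a crypto map and an ipsec profile")
    return out
```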
Troubles using VRF-aware IPsec w/ crypto maps
I'm trying to get a lab setup to work with a C2951 (15.2(4)M4) peering with an ASA 5510 (9.1(2)). The config is based on crypto maps, since I want the C2951 to be the initiating side, and as far as I understand, VTIs wouldn't work together with the ASA due to the default 'any' crypto statements that are applied on SVTIs.
So I've set up this IKEv1, crypto-map-based lab, and the tunnel strictly won't come up; it seems that crypto doesn't find any interesting traffic at all (no debug crypto isakmp output pops up).
What I'm doing for testing is issuing a VRF ping from a loopback interface of the C2951. I followed this cheat sheet to configure the IOS box:
https://supportforums.cisco.com/docs/DOC-13524
Please see the attached config files and the setup drawing.
This is the way I'm testing it:
```
C2951#sh deb
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
C2951#
C2951#ping vrf test 10.0.0.1 source lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.0.1
Success rate is 0 percent (0/5)
C2951#
```
Any hints for me, please?
There are no VRF routes left in the config, and I've cleared the global and the VRF routing tables. I even rebooted the box. Still only half of the pings get answered. There are no crypto ipsec errors, so it should have something to do with routing... but what?
```
C2951#sh crypto ipsec sa
interface: GigabitEthernet0/0
    Crypto map tag: OUR-MAP, local addr 30.0.0.2

   protected vrf: test
   local  ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 20.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 30.0.0.2, remote crypto endpt.: 20.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xEB02ACDA(3942821082)
     PFS (Y/N): Y, DH group: group5

     inbound esp sas:
      spi: 0x1A943A9F(445921951)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 18009, flow_id: ISM VPN:9, sibling_flags 80000040, crypto map: OUR-MAP
        sa timing: remaining key lifetime (k/sec): (4225929/3571)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEB02ACDA(3942821082)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 18010, flow_id: ISM VPN:10, sibling_flags 80000040, crypto map: OUR-MAP
        sa timing: remaining key lifetime (k/sec): (4225928/3571)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

C2951#sh ip route 10.0.0.0
% Network not in table
C2951#sh ip route vrf test 10.0.0.0
Routing Table: test
Routing entry for 10.0.0.0/24, 1 known subnets
S        10.0.0.0 [1/0] via 20.0.0.1, GigabitEthernet0/0
```
-
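The counters above (14 encaps against 8 decaps, with no send or receive errors) are the data behind "only half of the pings get answered". The following parser, an added example and not Cisco tooling, turns a 'show crypto ipsec sa' listing into per-flow findings; SAMPLE is a constructed excerpt with the poster's numbers, and the 75% return-ratio threshold is the example's own choice.

```python
"""Parse 'show crypto ipsec sa' and flag flows whose decap count lags far
behind the encap count, the pattern behind "only half of the pings get
answered". Added example, not Cisco tooling; SAMPLE is a constructed
excerpt of the output quoted above (the poster's numbers, trimmed)."""
import re

SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: OUR-MAP, local addr 30.0.0.2

   protected vrf: test
   local  ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 20.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #send errors 0, #recv errors 0
"""

FIELDS = {
    "local": re.compile(r"local\s+ident .*?: \((\S+)\)"),
    "remote": re.compile(r"remote\s+ident .*?: \((\S+)\)"),
    "peer": re.compile(r"current_peer (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_err": re.compile(r"#send errors (\d+)"),
    "recv_err": re.compile(r"#recv errors (\d+)"),
}
COUNTERS = {"encaps", "decaps", "send_err", "recv_err"}
VRF = re.compile(r"protected vrf: (\S+)")
START = re.compile(r"local\s+ident")      # first line of each crypto map flow


def parse_ipsec_sa(text):
    """Return one dict per flow (local/remote ident pair) with its counters."""
    sas, cur, vrf = [], None, None
    for line in text.splitlines():
        if m := VRF.search(line):          # printed just before the flow's ident lines
            vrf = m.group(1)
        if START.search(line):
            cur = {"vrf": vrf}
            sas.append(cur)
        if cur is None:
            continue
        for name, rx in FIELDS.items():
            if m := rx.search(line):
                cur[name] = int(m.group(1)) if name in COUNTERS else m.group(1)
    return sas


def assess(sa, min_return_ratio=0.75):
    """Findings for one flow. Decaps well below encaps means our traffic leaves
    encrypted but replies do not come back through the SA, which points at the
    return path (routing on either side) rather than at IKE or IPsec itself."""
    out = []
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc and dec < enc * min_return_ratio:
        out.append(f"{sa.get('local')} -> {sa.get('remote')} via {sa.get('peer')}: "
                   f"{enc} encaps but only {dec} decaps, check the return path")
    if sa.get("send_err") or sa.get("recv_err"):
        out.append(f"{sa.get('local')} -> {sa.get('remote')}: send/recv errors "
                   f"{sa.get('send_err', 0)}/{sa.get('recv_err', 0)}")
    return out


def assess_all(text):
    """All findings for a complete 'show crypto ipsec sa' listing."""
    return [f for sa in parse_ipsec_sa(text) for f in assess(sa)]
```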
Multiple Crypto Maps on Single Outside Interface
Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
```
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
```
I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
```
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
```
However, when I apply that configuration, my Cisco IPsec clients can no longer connect. I believe my problem is that last line:
```
crypto map azure-crypto-map interface outside
```
which blows away my original line:
```
crypto map outside_map interface outside
```
It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPsec tunnels to be created? We're running ASA version 8.4(7)3.
Hi,
You can use the same "crypto map".
Just add
```
crypto map outside_map 10 match address azure-vpn-acl
crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
```
Your dynamic VPN clients will continue to work just fine, as their "crypto map" statements have the lowest priority/order in the "crypto map" configuration (65535) and the L2L VPN is higher (10).
What I mean by the above is that when an L2L VPN connection is formed from the remote end it will naturally match the L2L VPN configuration you have with the "crypto map" statements using the number "10". Then when a VPN client connects it will naturally not match the number "10" specific configuration and will move to the next entry and match it (65535).
If you were to configure a new L2L VPN connection then you could give it the number "11", for example, and everything would still be fine.
Hope this helps
- Jouni -
Which interface does "crypto map vpn" get assigned to?
I'm setting up a site-to-site VPN and have been reading some examples, but my 871 uses a VLAN so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or to fe4, which is my WAN side?
Sander
If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I can not tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
If this helps you figure it out that is good. Otherwise perhaps you can provide some clarification of the environment.
HTH
Rick
-
Site to Site VPN working without Crypto Map (ASA 8.2(1))
Hi All,
Found a strange situation on our ASA5540 firewall :
We have a couple of site-to-site VPNs and client VPN is also enabled on the ASA; all are working fine. But I found a site-to-site VPN that is up and running without a crypto map configuration. Is it possible?
I tried clear isa sa and clear ipsec sa, and then the VPN came up again. I also tested that the remote site is pingable through the VPN.
I did see there is a tunnel-group config for the VPN but didn't see any crypto map or ACL.
How does the firewall know which traffic needs to be encrypted into this VPN tunnel without a crypto map?
Is it a bug?
Thanks in advance,
It might be an Easy VPN setup.
Could you post the running config output, with any sensitive info removed? This could help us answer your question more exactly. -
[ERR]crypto map WARNING: This crypto map is incomplete
I have a PIX 501 ver 6.3(5). When I set up a VPN I get this error message:
```
WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
```
although it seems fine in the sh conf command, but the tunnel is not started.
When I review the log I found:
```
sa_request,ISAKMP Phase 1 exchange started
```
I could successfully establish a VPN with another Cisco 501 6.3 FW, but still can't fix my dilemma with the one I connect to a Huawei Eudemon 500.
```
sh isakmp
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer remote peer
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
```
```
sh crypto map
Crypto Map: "outside_map" interfaces: { outside }
Crypto Map "outside_map" 100 ipsec-isakmp
        Peer = remote peer
        access-list outside_cryptomap_100; 2 elements
        access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)
        access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 (hitcnt=6)
        Current peer: remote peer
        Security association lifetime: 1843200 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ ESP-3DES-SHA, }
Crypto Map: "set" interfaces: { }
```
-
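The 'show crypto map' output is exactly what the "incomplete" warning is judged against: every map needs at least one entry, every entry needs a peer, a match access-list and a transform set, and a map with entries should be bound to an interface. The parser below is an added example, not Cisco code; SAMPLE is a constructed copy of the output above that keeps the poster's 'remote peer' and 'remote internal IP1' placeholders, and the finding texts are the example's own.

```python
"""Parse PIX 'show crypto map' output and report which maps are incomplete
in the sense of the PIX warning: a map needs at least one entry, each entry
needs a peer, a match access-list and a transform set, and a map that has
entries should be applied to an interface. Added example, not Cisco code."""
import re

# Constructed copy of the poster's output; 'remote peer' and 'remote internal
# IP1' are the poster's own placeholders, kept as-is.
SAMPLE = """\
Crypto Map: "outside_map" interfaces: { outside }
Crypto Map "outside_map" 100 ipsec-isakmp
        Peer = remote peer
        access-list outside_cryptomap_100; 2 elements
        access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)
        Current peer: remote peer
        Security association lifetime: 1843200 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ ESP-3DES-SHA, }
Crypto Map: "set" interfaces: { }
"""

HEADER = re.compile(r'^Crypto Map: "([^"]+)" interfaces: \{\s*(.*?)\s*\}')
ENTRY = re.compile(r'^Crypto Map "([^"]+)" (\d+) ipsec-isakmp')
PEER = re.compile(r'^\s*Peer = (.+)')
ACL = re.compile(r'^\s*access-list (\S+);')          # the summary line, not the ACE lines
TRANSFORMS = re.compile(r'^\s*Transform sets=\{\s*(.*?),?\s*\}')


def parse_show_crypto_map(text):
    """Return {map_name: {"interfaces": [...], "entries": {seq: {...}}}}."""
    maps, entry = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cm = maps.setdefault(m.group(1), {"interfaces": [], "entries": {}})
            cm["interfaces"] = m.group(2).split()
            entry = None
        elif m := ENTRY.match(line):
            entry = {"peer": None, "acl": None, "transforms": []}
            cm = maps.setdefault(m.group(1), {"interfaces": [], "entries": {}})
            cm["entries"][int(m.group(2))] = entry
        elif entry is not None:
            if m := PEER.match(line):
                entry["peer"] = m.group(1).strip()
            elif m := ACL.match(line):
                entry["acl"] = m.group(1)
            elif m := TRANSFORMS.match(line):
                entry["transforms"] = [t.strip() for t in m.group(1).split(",") if t.strip()]
    return maps


def check_crypto_maps(maps):
    """Findings in the spirit of the PIX warning; empty list means every map is complete."""
    out = []
    for name, cm in maps.items():
        if not cm["entries"]:
            out.append(f'crypto map "{name}": no entries, add a peer and a valid access-list')
        for seq, e in cm["entries"].items():
            out += [f'crypto map "{name}" {seq}: missing {f}'
                    for f in ("peer", "acl", "transforms") if not e[f]]
        if cm["entries"] and not cm["interfaces"]:
            out.append(f'crypto map "{name}": not applied to any interface')
    return out
```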
Crypto Map on Loopback interface or Physical Interface
Dear All,
When we try to apply the crypto map on any physical interface or the loopback interface on a WS-6506-E, it shows an error. But I could apply it on a VLAN interface. Can anyone explain to me what the issue is?
```
6506(config)#interface loopback 3
6506(config-if)#crypto map XXXX
ERROR: Crypto Map configuration is not supported on the given interface
```
Any hardware limitation?
This was proven to break CEF in the past and is a bad design choice by default.
Newer releases do not allow you to configure this.
If you're curious whether it will work for you, check releases prior to 15.x.
M. -
I am not able to remove crypto map SONZOGNI^@.
Please show me the command to remove crypto map SONZOGNI^@.
The command "no crypto map SONZOGNI^@" doesn't work; the response is "crypto map unexisting".
The router model is 3640.
Thanks
```
12.0
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
boot system flash:c3640-is40-mz.120-24.bin
logging buffered 32000 debugging
no logging console
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
isdn switch-type primary-net5
crypto map SONZOGNI^@ 1
 set peer cisco-sonzogni
 match address sonzogni-encrypt
clock timezone CET 1
clock summer-time CET-SUM recurring last Sun Mar 3:00 last Sun Oct 3:00
call-history-mib max-size 200
```
Try "no crypto map SONZOGNI^@ 1", you have to mention the 1 also.
-
Crypto map mymap command I am not familiar with
I have the following commands in a new PIX I am taking over and I am not sure what they do:
```
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
```
Any help would be appreciated.
Hi .. they are used for remote VPNs:
1. crypto map mymap client configuration address initiate
Explanation: use the crypto map mymap for remote VPN clients, and the PIX Firewall will attempt to set IP addresses for each client.
2. crypto map mymap client configuration address respond
Explanation: use the crypto map mymap for remote VPN clients, and the PIX Firewall will accept requests for IP addresses from any requesting client.
I hope it helps .. please rate if it does !! -
Here our provider links all our sites via point-to-point crypto maps on a WES circuit. Will all these point-to-point maps be on their own /30 masks? How are these set up with regard to addressing etc.?
Hi Carl,
As far as crypto maps are concerned, the peer address configured in the crypto map should be reachable. It doesn't matter that it needs.
Mostly the peers are located far away from each other, with ip connectivity between them.
-VJ -
Crypto map on PIX versus router
Hi all,
I am looking for the equivalent of the IOS command:
```
crypto map xxx local-address Loopback0
```
Is it possible to link a crypto map with an IP address other than the real interface address on a PIX?
Thank you in advance.
Hi Rick,
Now we have two gateways in our company. One is used for VPN traffic, x.x.x.254, and the second is used for normal traffic.
Now we want to unify these gateways into one PIX ... and I am looking for the simplest way.
For us, the simplest way is to use a crypto map on the PIX with IP address x.x.x.254 but with the physical interface IP address x.x.x.y.
Now I know that it is not possible to do this on a PIX ... so I am looking for other solutions.
The problem is that we have business partners that know our current IP ... and have firewalls opened for that IP :)
I think the best solution will be NATing traffic to these customers to the old IP.
Thanks for your info. -
Hi all, when doing an access list for encrypting traffic on a crypto map, what kind of access list do you use, and do you permit destination traffic to be encrypted, or source?
Carl,
Extended ACLs are used to define interesting traffic which needs to be encrypted.
access-list 101
hope this helps ...