[VPN] Cisco VPN questions

Dana J. Dawson djdawso at qwest.com
Wed Jun 18 11:39:15 EDT 2003

The crypto map thing is essentially a quirk of IOS from what I hear from Cisco, 
so there's not a lot of logic behind it.  Also, you can apply the crypto map to 
just the tunnel interface and run IPSec through the GRE tunnel rather than the 
more common GRE through IPSec.  This isn't an officially supported 
configuration, but it works and is sometimes handy.  According to one of the 
senior Cisco TAC engineers who works on VPN stuff it should continue to work for 
the foreseeable future.

I just tried the "match address" command in a box running 12.1(13) and it 
appears to support named access lists, so that would eliminate the 100 list 
limit if you can't or don't want to run DMVPN.  If you're interested in learning 
more about DMVPN, here's a URL that describes it that's not too bad:

Dana J. Dawson                     djdawso at qwest.com
Senior Staff Engineer              CCIE #1937
Qwest Communications               (612) 664-3364
600 Stinson Blvd., Suite 1S        (612) 664-4779 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."

Chris Flory wrote:
> In a router-to-router VPN configuration, what is the purpose of applying 
> a crypto map statement to both a tunnel interface and an outgoing 
> physical interface that the tunnel is routed on?
> It seems to me as though I am double encrypting my data.  I know that if 
> I don't have them applied to both interfaces, it breaks the IPSec 
> connection, but I am just curious.
> Also, if I have to create several crypto maps off of a hub router, and 
> those crypto maps total up to be more than the 99 extended access-lists 
> I am allowed to match my crypto maps on, what are my options for 
> allowing connectivity to each remote peer?  DMVPN is what I am being 
> told, but I am unclear as to how this is supposed to function.
> TIA!
> -Chris
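Worked configuration for both halves of the thread above. This is an added example, not part of Dana's or Chris's posts: Option A is the classic GRE-over-IPsec setup that Chris describes, with the crypto map applied to both the tunnel and the physical interface as that IOS train requires, and using a named extended ACL for `match address` as Dana found, so no numbered 100-199 list is consumed. Option B is the DMVPN shape Chris was pointed at: one multipoint GRE interface protected by an IPsec profile, with spokes registering their public addresses via NHRP, so the hub needs no per-spoke crypto map entry or crypto ACL at all. Addresses are RFC 5737 documentation ranges, the pre-shared keys, interface names and NHRP/tunnel keys are placeholders, and the AES-256/SHA-256/group 14 choices assume a current IOS image rather than the 12.1 code in the thread.

```cisco
! ---- Option A: classic GRE over IPsec, hub side, one spoke ----
! Hub public address 203.0.113.1, spoke public address 198.51.100.2
! (placeholder documentation addresses for this example).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
! Named extended ACL instead of a numbered 100-199 list. Only GRE between
! the two public addresses is "interesting", so each packet is ESP
! encapsulated once, after GRE encapsulation: there is no double encryption.
ip access-list extended CRYPTO-SPOKE1
 permit gre host 203.0.113.1 host 198.51.100.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES
 match address CRYPTO-SPOKE1
!
! The map goes on the tunnel interface as well as the physical one on this
! IOS train; removing either breaks the IPsec session, as Chris observed.
interface Tunnel1
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.2
 crypto map VPN
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
!
! ---- Option B: DMVPN hub, one mGRE tunnel, no crypto map, no per-spoke ACL ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard PSK shown only for brevity: every spoke shares it, so one
! compromised spoke can impersonate any other. Prefer certificates
! (crypto pki trustpoint plus authentication rsa-sig) in production.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS-AES
!
interface Tunnel0
 ip address 10.255.1.1 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! ---- Option B: DMVPN spoke, public address 198.51.100.2 ----
! (same isakmp policy, key, transform set and ipsec profile as the hub)
interface Tunnel0
 ip address 10.255.1.2 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.255.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
```

In Option A, adding a tenth or hundredth spoke means another crypto map sequence, another peer statement and another ACL on the hub; in Option B the hub configuration does not change when a spoke is added, because `tunnel protection` builds the IPsec SA on demand when the spoke's NHRP registration arrives. Routing over the tunnels (static routes or an IGP such as EIGRP with split horizon disabled on the hub's mGRE interface) is still needed in both options and is not shown.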
