[VPN] Cisco VPN questions
Dana J. Dawson
djdawso at qwest.com
Wed Jun 18 11:39:15 EDT 2003
The crypto map thing is essentially a quirk of IOS from what I hear from Cisco,
so there's not a lot of logic behind it. Also, you can apply the crypto map to
just the tunnel interface and run IPSec through the GRE tunnel rather than the
more common GRE through IPSec. This isn't an officially supported
configuration, but it works and is sometimes handy. According to one of the
senior Cisco TAC engineers who works on VPN stuff it should continue to work for
the foreseeable future.
I just tried the "match address" command in a box running 12.1(13) and it
appears to support named access lists, so that would eliminate the 100 list
limit if you can't or don't want to run DMVPN. If you're interested in learning
more about DMVPN, here's a URL that describes it that's not too bad:
Dana J. Dawson djdawso at qwest.com
Senior Staff Engineer CCIE #1937
Qwest Communications (612) 664-3364
600 Stinson Blvd., Suite 1S (612) 664-4779 (FAX)
Minneapolis MN 55413-2620
"Hard is where the money is."
Chris Flory wrote:
> In a router-to-router VPN configuration, what is the purpose of applying
> a crypto map statement to both a tunnel interface and an outgoing
> physical interface that the tunnel is routed on?
> It seems to me as though I am double encrypting my data. I know that if
> I don't have them applied to both interfaces, it breaks the IPSec
> connection, but I am just curious.
> Also, if I have to create several crypto maps off of a hub router, and
> those crypto maps total up to be more than the 99 extended access-lists
> I am allowed to match my crypto maps on, what are my options for
> allowing connectivity to each remote peer? DMVPN is what I am being
> told, but I am unclear as to how this is supposed to function.
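An added illustration, not from the thread, of the two points in the reply: a hub-side IOS configuration that uses a named access list in `match address` (instead of a numbered 100-199 extended list) and applies the same crypto map to both the tunnel and the physical interface, the commonly supported GRE-through-IPsec layout. All interface names, addresses (RFC 5737 documentation ranges) and the pre-shared key are assumed placeholders, and the cipher choices are mine, not from the original post.

```text
! --- IKE phase 1 policy (cipher/hash choices are assumptions, not from the post)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! PRESHARED-KEY is a placeholder; one key per spoke peer address
crypto isakmp key PRESHARED-KEY address 203.0.113.2

! --- IPsec phase 2 transform set; transport mode is enough because the
!     GRE tunnel already supplies the outer header
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport

! --- Named extended ACL used by "match address": one named list per spoke,
!     so the numbered 100-199 range is not a limit
ip access-list extended GRE-TO-SPOKE1
 permit gre host 198.51.100.1 host 203.0.113.2

! --- One crypto map, one sequence number per spoke
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address GRE-TO-SPOKE1

! --- Point-to-point GRE tunnel to SPOKE1
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 crypto map VPNMAP

! --- Physical egress interface that carries the tunnel
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
```

Applying the map on both interfaces does not encrypt twice: the ACL matches GRE (IP protocol 47), and once a packet has been protected it leaves the physical interface as ESP, which the same ACL no longer matches. A quick sanity check on the hub is `show crypto ipsec sa` (encaps and decaps counters should rise for the spoke peer) and `show crypto map`, which lists which interfaces the map is bound to.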