PIX-to-Router - IPSec and GRE Tunnel on Same Interface?

mmandel (Level 1)

I have multiple vpns at my remote sites, they are all using GRE Tunnel to terminate from router-to-router.

The cryptos are using my serial0 interface. (hub site).

I want to incorporate a remote site that has a PIX506E, using IPSec.

Question: Can I use both GRE (router-to-router) VPNs, and IPSec (PIX-to-router) VPNs on the same interface?

Hub: 3700 GRE Tunnel on Serial0 w/NAT

Spoke: 1700 GRE Tunnel to Hub

Spoke: PIX506E IPSec Tunnel to Hub (one in question)

Is this possible?

4 Replies

gfullage (Cisco Employee)

Yep, that should be fine. Really the hub router crypto map has no concept that you're doing GRE/IPSec, all it checks for is matches to its crypto access-lists, which you would have specified as "permit gre from tunnel source to tunnel dest". Because your routing table will show that to get to the remote sites it has to route over the particular GRE tunnel, the original packet will be encapsulated in GRE and the access-list will match.

All you need to do is add another crypto map instance to your existing crypto map on the Serial int, and define the remote peer (PIX) and transform set as normal. When you define the access-list it will be from your network behind the hub router to the network behind the PIX, rather than just the GRE traffic over the tunnel. The hub router's routing table will have to show that to get to the PIX peer address and to the network behind the PIX it sends the traffic straight out the Serial int.

Oh wow, that is excellent news. I didn't think I could create multiple crypto maps on same interface.

I will try that, ..and report back!

Thanks for your help.

Uhh, that didn't work?

When I created a new crypto map, and applied it to the Serial interface, it replace the map that was already there, and it broke my GRE Tunnels.

Please advise?

Woah there, I didn't say create a 2nd crypto map; I said create a new instance of the same crypto map. My apologies if I wasn't clear enough. As you've just found out, you can only have one crypto map on an interface.
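The two replies above, written out as a hub-side configuration (an added example, not taken from the thread or from Cisco): a single crypto map on Serial0, with instance 10 for the existing GRE spoke and instance 20 for the PIX, plus the routing and NAT exemption that make the crypto ACLs match. All addresses, names and the NAT setup are assumed placeholders.

```text
! Hub router (IOS). Constructed placeholder addressing, not from the thread:
!   Serial0 192.0.2.1/30 to ISP next hop 192.0.2.2; hub LAN 10.1.0.0/16
!   spoke router public 198.51.100.2, its LAN 10.2.0.0/16
!   PIX 506E public 203.0.113.2, its LAN 10.3.0.0/16
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SPOKE-KEY address 198.51.100.2
crypto isakmp key PIX-KEY address 203.0.113.2
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Instance 10 (existing spoke): the crypto ACL matches only the GRE
! packets between the tunnel endpoints, as the first reply describes.
access-list 101 permit gre host 192.0.2.1 host 198.51.100.2
! Instance 20 (PIX): plain IPsec, so the ACL is LAN-to-LAN.
access-list 102 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
! One crypto map name, two sequence numbers. Applying a map with a
! different name to Serial0 replaces this one (the failure in the thread).
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address 101
crypto map VPNMAP 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 102
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Serial0
 tunnel destination 198.51.100.2
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
 crypto map VPNMAP
!
! Spoke LAN is routed into the GRE tunnel (packet gains a GRE header and
! matches ACL 101); the PIX peer and its LAN go straight out Serial0.
ip route 10.2.0.0 255.255.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
! The hub also NATs on Serial0: exempt the PIX-bound LAN traffic, or the
! translated source address will no longer match ACL 102.
access-list 110 deny   ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list 110 interface Serial0 overload
```

The LAN interface (`ip nat inside`) and the spoke and PIX sides are omitted; `show crypto map` on the hub should list both instances under the one map name, and `show crypto ipsec sa` should show a separate SA per peer.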