Crypto map on interfaces.

kpjungle Senior Member Posts: 426
Hi Guys/Girls,

I am reading up on VTIs (Virtual Tunnel Interfaces) and crypto maps. I am a bit confused about why you would have to apply the crypto map to both the VTI and the physical interface you are exiting.

i.e. (crypto map MYMAP)

I can't seem to get it working with the crypto map on just the VTI itself. Anyone got some info on this?
Studying for CCNP (All done)

Comments

  • networker050184 Went to the dark side.... Mod Posts: 11,962
    If you are using the VTI you only need a crypto policy applied to the tunnel interface. No crypto maps needed as all traffic traversing the tunnel will be encrypted.
    An expert is a man who has made all the mistakes which can be made.
  • kpjungle Senior Member Posts: 426
    networker050184 wrote:
    If you are using the VTI you only need a crypto policy applied to the tunnel interface. No crypto maps needed as all traffic traversing the tunnel will be encrypted.

    True, but why, when you use a map, do you need it on both the VTI and the physical interface? That's what eludes me, I think.
    Studying for CCNP (All done)
  • networker050184 Went to the dark side.... Mod Posts: 11,962
    kpjungle wrote:
    If you are using the VTI you only need a crypto policy applied to the tunnel interface. No crypto maps needed as all traffic traversing the tunnel will be encrypted.

    True, but why, when you use a map, do you need it on both the VTI and the physical interface? That's what eludes me, I think.

    I don't see why you would, but I have never tried it. Will lab it up when I get time. Maybe someone else will come along with some more info.
    An expert is a man who has made all the mistakes which can be made.
  • gojericho0 Senior Member Posts: 1,059
    I think the beauty of the VTI is that you do not even need a crypto map (you create an IPsec policy to match your transform set). It makes configuration quite simple, allows for dynamic routing, and you do not have the GRE overhead. You just have to make sure when configuring the tunnel interface that you use ipv4 tunnel protection for your lab.

    http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

    EDIT: Also note the IPsec profile; this takes the place of your crypto map. No match clauses are used because your endpoints are defined in the tunnel and everything is encrypted. So basically all you have to set is your transform set.
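    As an added illustration (constructed for this thread, not any poster's config and not Cisco's own text), here is what the two approaches look like side by side on Cisco IOS: a classic crypto map bound to the physical interface with a match ACL, and an IPsec VTI where `tunnel protection ipsec profile` replaces the crypto map entirely. Peer addresses (203.0.113.x, 10.0.0.x, 192.168.x.x), the names TS, VPN-ACL, MYMAP and VTI-PROF, and the pre-shared key placeholder are all assumptions; the OSPF section shows the dynamic routing that the VTI carries without GRE.

```cisco
! --- Option A: classic crypto map (ISCW style). Constructed example.
! The crypto map decides WHAT to encrypt via 'match address', so it is
! bound to the physical interface the packets exit on. For GRE over IPsec,
! IOS 12.2(13)T and later need the map only on the physical interface,
! not on the tunnel interface as older releases did.
!
! Shared phase-1 and transform-set settings (used by both options).
! AES-256 / SHA-256 / DH group 14 are chosen over DES, MD5 and groups 1-2;
! 'hash sha256' and esp-sha256-hmac need a reasonably recent IOS image.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-ACL
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map MYMAP
!
! --- Option B: IPsec VTI. Same ISAKMP policy, key and transform set;
! the IPsec profile replaces the crypto map and has NO match clause,
! because tunnel source/destination define the peer and every packet
! routed into Tunnel0 is encrypted. Nothing crypto-related goes on Gi0/0.
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Dynamic routing rides the VTI directly (no GRE needed): OSPF hellos are
! routed into Tunnel0 and therefore encrypted like any other traffic.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Verification (either option):
!   show crypto isakmp sa      - phase-1 SA should be in state QM_IDLE
!   show crypto ipsec sa       - #pkts encaps/decaps should increment
!   show crypto session        - session status UP-ACTIVE
!   show ip route ospf         - with the VTI, peer subnets learned via Tunnel0
```

    The two options are alternatives, not layers: configure one or the other for a given peer, never both, since a crypto map on Gi0/0 and a VTI to the same peer would compete for the same SAs. The usual crypto-map failure (a match ACL that does not mirror the peer's, so interesting traffic never triggers negotiation) simply does not exist with the VTI, which is why the profile needs no match clause.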
  • kpjungle Senior Member Posts: 426
    gojericho0 wrote:
    I think the beauty of the VTI is that you do not even need a crypto map (you create an IPsec policy to match your transform set). It makes configuration quite simple, allows for dynamic routing, and you do not have the GRE overhead. You just have to make sure when configuring the tunnel interface that you use ipv4 tunnel protection for your lab.

    http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

    EDIT: Also note the IPsec profile; this takes the place of your crypto map. No match clauses are used because your endpoints are defined in the tunnel and everything is encrypted. So basically all you have to set is your transform set.

    Yeah, I noticed that as well; it simplifies things. It was just that the ISCW stuff seems to only mention crypto maps. With profiles I can see that the tunnel mode is ipsec ipv4, and not gre ip, which is a bit confusing reading only ISCW material, in which it's stated that only GRE can carry routing protocols?
    Studying for CCNP (All done)
  • gojericho0 Senior Member Posts: 1,059
    VTIs are fairly new and I would use them unless another device you are tunneling to does not support them.

    They are not tested in the ISCW, but it's still good to know. That's part of the reason it's taking me so long to study mine. I keep going off on tangents just to see alternatives and evaluate what is best for various solutions. Here is another good link if you are interested:

    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f22f.pdf

    It's out of scope of the exam, but it gives you the pros/cons of each IPsec solution and when you might want to use them.
  • kpjungle Senior Member Posts: 426
    gojericho0 wrote:
    VTIs are fairly new and I would use them unless another device you are tunneling to does not support them.

    They are not tested in the ISCW, but it's still good to know. That's part of the reason it's taking me so long to study mine. I keep going off on tangents just to see alternatives and evaluate what is best for various solutions. Here is another good link if you are interested:

    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f22f.pdf

    It's out of scope of the exam, but it gives you the pros/cons of each IPsec solution and when you might want to use them.

    Thanks! Yeah, it kinda bothers me not to know the nuts and bolts of IPsec. It's like they just touch the surface on the ISCW, which, for me at least, makes it hard to learn.
    Studying for CCNP (All done)