
IOS VPN - Transform-set ?


Rearview (MIS, US; member since May 28, 2002)
Okay, I have three remote sites connected via Cisco IOS VPNs. I have a 2611 at my main location, and 1710s at the remote sites, all with a VPN AIM. Each site has its own crypto isakmp key and each site is set up as a different peer (of course). But it is currently set up where they all share the same transform-set. Is this okay? Would it improve speed if I had three separate transform-sets? (Am I sending all three sites' traffic to all three sites, instead of only each site's traffic to that specific site?) An example of my setup on the 2611 is below. Thanks in advance,

crypto isakmp policy 1
authentication pre-share
crypto isakmp key blah1 address 14.2.33.43
crypto isakmp key blah2 address 34.4.25.67
crypto isakmp key blah3 address 63.7.18.99
!
!
crypto ipsec transform-set TRANS1 esp-3des esp-md5-hmac
!
crypto map CRYPT local-address Ethernet0/0
crypto map CRYPT 1 ipsec-isakmp
set peer 14.2.33.43
set peer 34.4.25.67
set peer 63.7.18.99
set transform-set TRANS1
match address 100
 
A transform set is just the set of security protocols that will be used; it is OK if they are all the same. As a matter of fact, it is probably preferred.


commsguy

 
Hey, thanks a lot. I just wanted to make sure... One site is much slower than the rest. But their pings have a higher time, and I attribute it to this.
 
Another Q...

If you will notice, they are all set to match address 100. Here is Access list 100:

access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.64.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.65.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.66.0 0.0.0.255

Should I have those as three different access lists? Is THIS causing me to have slower VPNs than optimal?
 
I am assuming that 172.16.64.X, 172.16.65.X and 172.16.66.X are the remote networks. Yes, this could be causing problems; they should be mapped separately, only to the peer that has that network.

If you can post your full config, I can make some suggested changes.



commsguy

 
Yes, those are my remote network internal IP addresses (well, not the exact addresses I am using, but that is what they represent).

I think I have it under control now. I just separated the one crypto map I had into three with different sequence numbers, and gave each its own access-list with only one entry: allow traffic that matches the remote network's internal IP range. I don't know if this has helped the VPN speeds, but it certainly isn't going to hurt :)
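An added check, not from the thread or any Cisco tool, that scans an IOS config for the layout the thread started with: one crypto map entry listing several peers and matching one ACL that covers several remote networks. The sample config embedded below is constructed from the poster's example lines (the addresses are the poster's, not real hosts).

```python
import re
from collections import defaultdict

# Constructed sample: the thread's single crypto map entry plus its ACL,
# trimmed to the lines the check reads. Addresses are the poster's examples.
SHARED_MAP = """\
crypto map CRYPT 1 ipsec-isakmp
 set peer 14.2.33.43
 set peer 34.4.25.67
 set peer 63.7.18.99
 set transform-set TRANS1
 match address 100
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.64.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.65.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.66.0 0.0.0.255
"""

def parse(config):
    """Collect per-ACL destination prefixes and per-sequence crypto map entries."""
    acl_dests = defaultdict(list)   # ACL number -> ["dest-net wildcard", ...]
    entries = {}                    # map seq    -> {"peers": [...], "acl": "100"}
    seq = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\d+) permit ip \S+ \S+ (\S+ \S+)$", line)
        if m:
            acl_dests[m.group(1)].append(m.group(2))
            continue
        m = re.match(r"crypto map \S+ (\d+) ipsec-isakmp$", line)
        if m:
            seq = m.group(1)
            entries[seq] = {"peers": [], "acl": None}
        elif seq is not None and (m := re.match(r"set peer (\S+)$", line)):
            entries[seq]["peers"].append(m.group(1))
        elif seq is not None and (m := re.match(r"match address (\d+)$", line)):
            entries[seq]["acl"] = m.group(1)
    return acl_dests, entries

def lint(config):
    """Flag map entries where several peers share one multi-destination ACL.
    As commsguy advises above, each remote network should be mapped only to
    the peer that owns it, so such an entry is worth splitting unless the
    peers really are redundant gateways for the same networks."""
    acl_dests, entries = parse(config)
    findings = []
    for seq, e in entries.items():
        dests = acl_dests.get(e["acl"], [])
        if len(e["peers"]) > 1 and len(dests) > 1:
            findings.append((seq, len(e["peers"]), len(dests)))
    return findings

if __name__ == "__main__":
    for seq, peers, dests in lint(SHARED_MAP):
        print(f"crypto map seq {seq}: {peers} peers share an ACL covering {dests} networks")
```

Running it against the split layout from the last post (one entry and one single-line ACL per peer) returns no findings.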
 