VPN · Crypto Map Config

set peer [ip]

Specifies the IP address of the remote VPN peer for an IPsec crypto map entry, defining the endpoint for the VPN tunnel.

Syntax · Crypto Map Config
set peer [ip]

When to Use This Command

  • Configuring a site-to-site VPN between two branch offices where each router needs to know the peer's public IP.
  • Setting up a remote access VPN where the headend router specifies the peer IP of the remote client or another gateway.
  • Defining multiple peers for redundancy in a VPN configuration by using multiple crypto map entries with different peer IPs.
  • Changing the peer IP address when the remote endpoint's IP changes due to ISP reconfiguration.

Command Examples

Basic peer assignment for site-to-site VPN

set peer 203.0.113.5

This command sets the remote VPN peer IP address to 203.0.113.5. No output is displayed upon successful configuration. Use 'show crypto map' to verify.

Verifying peer configuration in crypto map

show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
    Peer = 203.0.113.5
    Extended IP access list 101
        access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
    Current peer: 203.0.113.5
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={ TS1, }
    Interfaces using crypto map MYMAP: GigabitEthernet0/0

The output shows the crypto map 'MYMAP' with sequence 10. 'Peer = 203.0.113.5' confirms the configured peer. 'Current peer' indicates the active peer. The ACL defines traffic to protect. Lifetime and transform sets are also displayed.

Understanding the Output

The 'set peer' command itself produces no output. To verify, use 'show crypto map'. The output lists each crypto map entry with its sequence number, peer IP, ACL, lifetime, PFS setting, transform sets, and interfaces. The 'Peer' field shows the configured remote IP. 'Current peer' indicates the active peer if multiple are configured. A missing peer or incorrect IP means the VPN will not establish. Ensure the peer IP is reachable and matches the remote device's configuration.
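An added example (not from the original page): a Python check that parses saved 'show crypto map' output and compares each entry's 'Peer' field with the peer the design calls for, also flagging RFC 1918 peers. The sequence-20 entry, the expected-peer table and the function names are constructed for illustration, and treating an entry with no 'Peer =' line as unconfigured is an assumption.

```python
import ipaddress
import re

# Constructed sample: the 'show crypto map' output from this page, plus a
# second, made-up entry (sequence 20) whose peer is an RFC 1918 address.
SAMPLE = '''\
Crypto Map "MYMAP" 10 ipsec-isakmp
    Peer = 203.0.113.5
    Extended IP access list 101
        access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
    Current peer: 203.0.113.5
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={ TS1, }
Crypto Map "MYMAP" 20 ipsec-isakmp
    Peer = 192.168.50.1
    Current peer: 192.168.50.1
    PFS (Y/N): N
    Transform sets={ TS1, }
    Interfaces using crypto map MYMAP: GigabitEthernet0/0
'''

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENTRY = re.compile(r'^Crypto Map "(?P<name>[^"]+)" (?P<seq>\d+) ', re.M)

def parse_entries(text):
    """Split the output on 'Crypto Map "<name>" <seq>' headers and collect each entry's peers."""
    heads = list(ENTRY.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[m.end():end]
        peers = re.findall(r'^\s*Peer = (\S+)', body, re.M)
        entries.append({"name": m["name"], "seq": int(m["seq"]), "peers": peers})
    return entries

def audit(text, expected):
    """expected maps (map name, sequence) -> the peer IP the design calls for (hypothetical inventory)."""
    findings = []
    for e in parse_entries(text):
        key = (e["name"], e["seq"])
        if not e["peers"]:
            findings.append((key, "no peer configured"))
        for p in e["peers"]:
            ip = ipaddress.ip_address(p)
            if key in expected and p != expected[key]:
                findings.append((key, f"peer {p} differs from expected {expected[key]}"))
            if any(ip in net for net in RFC1918):
                findings.append((key, f"peer {p} is an RFC 1918 private address"))
    return findings
```

Calling audit(SAMPLE, expected) with an expected-peer table returns a list of ((map name, sequence), message) findings; an empty list means every parsed entry matched.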

CCNA Exam Tips

1. Remember that 'set peer' is configured in crypto map config mode, not global config.

2. The peer IP must be the public IP of the remote VPN device; private IPs are used only if both endpoints are on the same network.

3. You can configure multiple peers per crypto map by using different sequence numbers; the router will try them in order.

4. The 'set peer' command is required for IPsec VPNs; without it, the crypto map is incomplete.

Common Mistakes

Forgetting to enter crypto map config mode before using 'set peer' (e.g., typing it in global config).

Using a private IP address for the peer when the remote device is behind NAT; the peer IP must be the public IP after NAT.

Configuring the peer IP incorrectly (typo) leading to failed VPN establishment.

Not verifying reachability to the peer IP before troubleshooting VPN issues.
