crypto-auto-ipsec-tunnel commands

Enables the controller to uniquely identify APs and the hosts present in the AP's subnet. This allows the controller to correctly identify the destination host and create a dynamic site-to-site VPN tunnel between the host and the private network behind the controller.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000


ip nat crypto


ip nat crypto: Enables unique identification of APs and the hosts present in each AP's subnet

Providing a unique ID enables the access point, wireless controller, or service platform to uniquely identify the destination device. This is essential in networks where there are multiple APs behind a router, or where two (or more) APs behind two (or more) different routers have the same IP address and the same subnet exists behind those APs.

For example, consider a scenario where there are two APs (A and B) behind two routers (1 and 2). AP 'A' is behind router '1', and AP 'B' is behind router '2'. Both these APs have the same IP address ( The subnet behind APs A and B is also the same ( In such a scenario the controller fails to uniquely identify the hosts present in either AP's subnet.

For more information, see remotegw and crypto.


rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ip nat crypto

rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#show context
 crypto auto-ipsec-secure
  remotegw ike-version ikev2 uniqueid
  ip nat crypto
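
The following is an added example, not part of the original documentation or the vendor's tooling: a small audit that reads saved show context text and reports any crypto auto-ipsec-secure block that lacks the two settings shown in the context above. The policy of requiring both uniqueid on remotegw and ip nat crypto is an assumption modelled on that example output, and the function names and the second sample are constructed.

```python
# Context exactly as shown in the page's example output.
PAGE_CONTEXT = """\
 crypto auto-ipsec-secure
  remotegw ike-version ikev2 uniqueid
  ip nat crypto
"""

# Constructed sample (not from the page): same block with both settings absent.
CONSTRUCTED_WEAK = """\
 crypto auto-ipsec-secure
  remotegw ike-version ikev2
"""

def auto_ipsec_blocks(text):
    """Return the child lines of every `crypto auto-ipsec-secure` block."""
    blocks, current, base = [], None, 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if current is not None and indent > base:
            current.append(line)      # deeper indent: still inside the block
            continue
        current = None                # same or shallower indent closes the block
        if line == "crypto auto-ipsec-secure":
            current, base = [], indent
            blocks.append(current)
    return blocks

def audit(text):
    """Assumed policy: each block needs `uniqueid` on remotegw and `ip nat crypto`."""
    blocks = auto_ipsec_blocks(text)
    if not blocks:
        return ["no crypto auto-ipsec-secure block"]
    findings = []
    for children in blocks:
        gateways = [c.split() for c in children if c.startswith("remotegw ")]
        if not any("uniqueid" in words for words in gateways):
            findings.append("remotegw without uniqueid")
        if "ip nat crypto" not in children:
            findings.append("ip nat crypto missing")
    return findings

if __name__ == "__main__":
    print(audit(PAGE_CONTEXT), audit(CONSTRUCTED_WEAK))
```

An empty list means the block matches the example context; each string in a non-empty list names one missing setting.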