topic Re: Different IPSEC tunnel source within the same CryptoMap in Network Security

Different IPSEC tunnel source within the same CryptoMap

Netnux — Thu, 05 Oct 2023 12:03:02 GMT

Hello.
I have an IOS Router with a single outbound link, terminating more than one IPSEC tunnel.
I'd want some of the tunnels to be terminated on a loopback interface, and some other on the outside interface itself

Currently, I have a single crypto map applied to the outboud interface (eth 0/0.2 in the diagram below)
All the tunnels having 2.2.2.2 as a peer work, but the others terminating on the loopback interface do not.
If I use "local-address Loopback 2" command, all the tunnels terminating on the loopback 2 interface will work, but all the other tunnels terminating on the outside interface will stop working, of course.

Is there a way to have both the tunnels working, let's say, configuring a different local-address for each entry of the crypto map?
I put below a snippet of the config ed a brief diagram.

Thank you very much for your help

crypto isakmp profile PF_TEST_10
keyring KR-TEST
match identity address 3.3.3.3 255.255.255.255

crypto isakmp profile PF_TEST_20
keyring KR-TEST
match identity address 4.4.4.4 255.255.255.255

crypto map TEST local-address Loopback 2
crypto map TEST 10 ipsec-isakmp
set peer 3.3.3.3
set security-association lifetime seconds 86400
set transform-set TEST_TS
set pfs group2
set isakmp-profile PF_TEST_10
match address ACL_TEST_10
qos pre-classify
crypto map TEST 20 ipsec-isakmp
set peer 4.4.4.4
set security-association lifetime seconds 86400
set transform-set TEST_TS
set pfs group2
set isakmp-profile PF_TEST_20
match address ACL_TEST_20

Re: Different IPSEC tunnel source within the same CryptoMap

MHM Cisco World — Thu, 05 Oct 2023 14:51:13 GMT

The LO can use as VPN' but issue here is forwarding traffic to LO to encrypt and decrypt.

You need to config PBR in outisde and Inside to forward traffic to/from via LO.

Re: Different IPSEC tunnel source within the same CryptoMap

tvotna — Thu, 05 Oct 2023 15:02:40 GMT

You can use Multi-SA SVTI feature, i.e. replace crypto maps with tunnel interfaces and configure "tunnel protection ipsec policy ipv4 <ACL>" to negotiate specific subnets you need. The "reverse-route" CLI in the IPsec profile will add routes automatically via tunnel interfaces and you can source each tunnel from a different IP address. And you need to do this only on the headend device. Peers can continue using crypto maps.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16-12/sec-sec-for-vpns-w-ipsec-xe-16-12-book/sec-ipsec-virt-tunnl.html?dtid=osscdc000283#reference_njl_4z3_k3b

Re: Different IPSEC tunnel source within the same CryptoMap

Netnux — Fri, 06 Oct 2023 08:43:21 GMT

Thank you for your kind reply.
I'm not sure to understand your solution with a PBR.

However, my problem is that because of the command "crypto map TEST local-address Loopback 2", when I apply the crypto map to the interface the address of the peer will be updated and will always be 2.2.2.2, no matter what.
So, the rightmost router that will set a peer to 2.2.2.2 will work.
The router that wants to set an IPSEC tunnel with the peer 1.1.1.1 will never work.

Moreover, I cannot touch the rightmost routers.
I can manage only the router on the left

Could you please post a sample config snippet?

Thank you very much!

Re: Different IPSEC tunnel source within the same CryptoMap

gajownik — Fri, 06 Oct 2023 08:49:09 GMT

I would also recommend multi-SA VTI solution as crypto maps are much harder to troubleshoot, manage (it's quite easy to break other existing crypto map tunnels) and are not supported past IOS-XE 17.6:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/bulletin-c25-744830.html

Here are additional examples how to configure multi-SA VTI:
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214728-configure-multi-sa-virtual-tunnel-interf.html
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white-paper-c11-744879.html

Re: Different IPSEC tunnel source within the same CryptoMap

Netnux — Fri, 06 Oct 2023 14:25:22 GMT

Thank you gajownik and tvotna
I know VTI is a solution, however I'm not building from scratch.
I cannot touch the rightmost routers, so I have to deal with crypto maps
Not so sure if I can have a VTI on one side (left) and a crypto map on the other side (right)

Thank you for your kind help

Re: Different IPSEC tunnel source within the same CryptoMap

gajownik — Fri, 06 Oct 2023 15:05:59 GMT

Yes, you can have one router with multi-SA VTI and the other one with a standard crypto map. In the migration guide this is explained in chapter "2.3 Migrate only router A to VTI – IKEv1"
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white-paper-c11-744879.html#23MigrateonlyrouterAtoVTIIKEv1

Re: Different IPSEC tunnel source within the same CryptoMap

Netnux — Sat, 07 Oct 2023 08:41:23 GMT

Sincerely, the production environment is far more complicated than what I represented here, with IPSEC tunnels and GRE tunnels going through different VRFs over an MPLS and so on... I don't know if it will be feasible to apply this "halfaway" config as a permanent solution, adding more complication, without being not disruptive for all the different services.
Surely it is a way I can evaluate.

THANK YOU for your precious help