
VPN IPsec using loopback peer encaps and decaps only from router

pdasilva
Level 1

I am setting up a site-to-site VPN between a Check Point firewall and a Cisco router. Since the router has multiple WANs using dynamic routing, I decided to use the loopback as the peer. The tunnel comes up to phase two, and I can make the traffic from the router go out encrypted, but the hosts that are on the same network cannot be encrypted: the packets from the hosts are not encaps. When the traffic is initiated from the Check Point, the packets arrive at the router and they are decaps, but the encaps value does not increase.


crypto isakmp policy 3382
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 1800
crypto isakmp key ^2f5%3edfBxO15BDS2g!M76&sr206k7G address 106.1.20.1
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set VPN_1 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto map VPN_BBVA local-address Loopback3
crypto map VPN_BBVA 3382 ipsec-isakmp
 set peer 106.1.20.1
 set transform-set VPN_1
 match address 110
!
interface Loopback3
 description VPN
 ip address 107.33.82.12 255.255.255.255
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 crypto map VPN_BBVA
!
interface GigabitEthernet0/0
 description Conexion LAN
 ip address 109.33.82.1 255.255.255.0
 ip accounting output-packets
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly in
 load-interval 60
 duplex auto
 speed auto
!
access-list 110 permit ip 109.33.82.0 0.0.0.255 106.33.201.0 0.0.0.255
!
route-map nonat permit 10
 match ip address VPN_NONAT
 set ip next-hop 107.33.82.12
!
ip nat inside source route-map nonat interface Loopback3 overload
!
ip route 106.33.201.0 255.255.255.0 Loopback3
!
ip access-list extended VPN_NONAT
 deny ip 109.33.82.0 0.0.0.255 106.33.201.0 0.0.0.255
 permit ip 109.33.82.0 0.0.0.255 any

2 ACCEPTED SOLUTIONS


hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key mhm address 150.0.0.3
!
crypto ipsec transform-set mhm esp-des
 mode tunnel
!
! IKE/IPsec are sourced from Loopback0; the map itself is applied on the physical interfaces below
crypto map mhm local-address Loopback0
crypto map mhm 10 ipsec-isakmp
 set peer 150.0.0.3
 set transform-set mhm
 match address 100
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! crypto map on every physical WAN interface, not on the loopback
interface FastEthernet0/0
 ip address 100.0.0.1 255.255.255.0
 duplex full
 crypto map mhm
!
interface FastEthernet1/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet1/1
 ip address 110.0.0.1 255.255.255.0
 speed auto
 duplex auto
 crypto map mhm
!
interface FastEthernet2/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet2/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface GigabitEthernet4/0
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map mhm
 negotiation auto
!
router ospf 100
 network 1.1.1.1 0.0.0.0 area 0
 network 100.0.0.0 0.0.0.255 area 0
 network 110.0.0.0 0.0.0.255 area 0
!
! eBGP peering sourced from the loopback
router bgp 100
 bgp log-neighbor-changes
 network 10.0.0.0 mask 255.255.255.0
 neighbor 150.0.0.3 remote-as 200
 neighbor 150.0.0.3 ebgp-multihop 255
 neighbor 150.0.0.3 update-source Loopback0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
!
route-map mhm permit 10
 set interface Loopback0
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

R1#

Screenshot (392).png


I did a lab to solve your issue.
Please take a look at how I configured IPsec using the LO on one side.

NOTE: you need BGP to override the routing issue of using the LO.

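As an added example (not code from this thread, from the poster, or from Cisco), a small Python check that reads an IOS config excerpt and flags the condition behind the original question and the lab answer above: a crypto map bound only to a loopback. The two config excerpts are constructed from the lines posted in the thread and are not complete configs.

```python
import re
from typing import Dict, List, Set

# Constructed excerpts (not full configs) of the two setups in this thread.
BROKEN_CFG = """\
crypto map VPN_BBVA local-address Loopback3
crypto map VPN_BBVA 3382 ipsec-isakmp
 set peer 106.1.20.1
 match address 110
interface Loopback3
 ip address 107.33.82.12 255.255.255.255
 crypto map VPN_BBVA
interface GigabitEthernet0/0
 ip address 109.33.82.1 255.255.255.0
 ip nat inside
"""
FIXED_CFG = """\
crypto map mhm local-address Loopback0
crypto map mhm 10 ipsec-isakmp
 set peer 150.0.0.3
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
 crypto map mhm
interface FastEthernet1/1
 crypto map mhm
"""

def crypto_map_bindings(cfg: str) -> Dict[str, Set[str]]:
    """Map each crypto map name to the interfaces it is applied on."""
    bindings: Dict[str, Set[str]] = {}
    iface = None
    for line in cfg.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        if not line.startswith(" "):
            iface = None  # a top-level command ends the interface block
            continue
        m = re.match(r"^ crypto map (\S+)\s*$", line)
        if m and iface:
            bindings.setdefault(m.group(1), set()).add(iface)
    return bindings

def check_crypto_map_placement(cfg: str) -> List[str]:
    """Flag maps bound only to loopbacks: IOS encrypts on the interface a packet
    exits, so LAN traffic is never matched unless the map is on the physical WAN
    interface(s); 'local-address' alone only keeps the loopback as IKE source."""
    return [f"crypto map {name} is applied only on {sorted(ifaces)}; bind it to the physical WAN interface(s)"
            for name, ifaces in crypto_map_bindings(cfg).items()
            if all(i.lower().startswith("loopback") for i in ifaces)]
```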

9 REPLIES

Sorry, but I see only one route toward the Loopback?

pdasilva
Level 1

The route corresponds to the encryption domain on the Check Point side; the loopback is known over the network using EIGRP and OSPF.

Does the Check Point use the LO as the peer IP?

interface Loopback3
 ip address 107.33.82.12 255.255.255.255
 ip nat outside
 crypto map VPN_BBVA

interface GigabitEthernet0/0
 ip address 109.33.82.1 255.255.255.0
 ip nat inside

access-list 110 permit ip 109.33.82.0 0.0.0.255 106.33.201.0 0.0.0.255 <- the interesting traffic matches the LAN subnet, but you also use NAT? Why do you use NAT?

Let me send a little diagram.

 



Thank you very much, I will try to use this solution and I will tell you the results.

You are so so welcome 
