10-05-2023 05:03 AM
Hello.
I have an IOS Router with a single outbound link, terminating more than one IPSEC tunnel.
I'd like some of the tunnels to be terminated on a loopback interface, and some others on the outside interface itself.
Currently, I have a single crypto map applied to the outbound interface (eth 0/0.2 in the diagram below).
All the tunnels having 2.2.2.2 as a peer work, but the others terminating on the loopback interface do not.
If I use "local-address Loopback 2" command, all the tunnels terminating on the loopback 2 interface will work, but all the other tunnels terminating on the outside interface will stop working, of course.
Is there a way to have both the tunnels working, let's say, configuring a different local-address for each entry of the crypto map?
I put below a snippet of the config and a brief diagram.
Thank you very much for your help
crypto isakmp profile PF_TEST_10
 keyring KR-TEST
 match identity address 3.3.3.3 255.255.255.255
crypto isakmp profile PF_TEST_20
 keyring KR-TEST
 match identity address 4.4.4.4 255.255.255.255
crypto map TEST local-address Loopback 2
crypto map TEST 10 ipsec-isakmp
 set peer 3.3.3.3
 set security-association lifetime seconds 86400
 set transform-set TEST_TS
 set pfs group2
 set isakmp-profile PF_TEST_10
 match address ACL_TEST_10
 qos pre-classify
crypto map TEST 20 ipsec-isakmp
 set peer 4.4.4.4
 set security-association lifetime seconds 86400
 set transform-set TEST_TS
 set pfs group2
 set isakmp-profile PF_TEST_20
 match address ACL_TEST_20
10-05-2023 07:51 AM
The LO can be used as the VPN endpoint, but the issue here is forwarding traffic to the LO for encryption and decryption.
You need to configure PBR on the outside and inside to forward traffic to/from the LO.
10-06-2023 01:43 AM
Thank you for your kind reply.
I'm not sure I understand your solution with PBR.
However, my problem is that because of the command "crypto map TEST local-address Loopback 2", when I apply the crypto map to the interface the address of the peer will be updated and will always be 2.2.2.2, no matter what.
So, the rightmost router that will set a peer to 2.2.2.2 will work.
The router that wants to set an IPSEC tunnel with the peer 1.1.1.1 will never work.
Moreover, I cannot touch the rightmost routers.
I can manage only the router on the left.
Could you please post a sample config snippet?
Thank you very much!
10-05-2023 08:02 AM
You can use Multi-SA SVTI feature, i.e. replace crypto maps with tunnel interfaces and configure "tunnel protection ipsec policy ipv4 <ACL>" to negotiate specific subnets you need. The "reverse-route" CLI in the IPsec profile will add routes automatically via tunnel interfaces and you can source each tunnel from a different IP address. And you need to do this only on the headend device. Peers can continue using crypto maps.
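One way to build what this reply describes on the left router, as an added example that is not from the thread or from Cisco's documentation: the crypto map is replaced by two multi-SA SVTIs, one sourced from Loopback2 and one from Ethernet0/0.2, while the two right-hand routers keep their crypto maps. Assumptions: Loopback2 is 1.1.1.1 and Ethernet0/0.2 is 2.2.2.2 (the question's diagram is not available), the keyring, ISAKMP profiles, transform set and ACLs keep the names and contents posted in the question, and the platform runs a release that supports "tunnel protection ipsec policy ipv4".

```cisco
! Added example (not from the thread). Assumed addressing:
!   Loopback2 = 1.1.1.1 (the address peer 3.3.3.3 expects), Ethernet0/0.2 = 2.2.2.2
!   (the address peer 4.4.4.4 expects). Keyring KR-TEST, ISAKMP profiles
!   PF_TEST_10/20, transform-set TEST_TS and ACL_TEST_10/20 stay as posted.
!
! 1. Detach and delete the crypto map; the SVTIs replace it.
interface Ethernet0/0.2
 no crypto map TEST
no crypto map TEST
!
! 2. One IPsec profile per peer, bound to the matching ISAKMP profile.
!    reverse-route installs routes to the remote subnets of the policy ACL
!    pointing at the tunnel interface, so no static routes are needed.
crypto ipsec profile IPSEC_PROF_10
 set transform-set TEST_TS
 set pfs group2
 set security-association lifetime seconds 86400
 set isakmp-profile PF_TEST_10
 reverse-route
crypto ipsec profile IPSEC_PROF_20
 set transform-set TEST_TS
 set pfs group2
 set security-association lifetime seconds 86400
 set isakmp-profile PF_TEST_20
 reverse-route
!
! 3. Multi-SA SVTIs. "tunnel source" picks the local IKE/IPsec address per
!    tunnel, which a single crypto map with "local-address" cannot do.
!    The policy ACL negotiates one SA pair per ACL entry, so the right-hand
!    routers keep their crypto maps unchanged.
interface Tunnel10
 ip unnumbered Loopback2
 tunnel source Loopback2
 tunnel destination 3.3.3.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec policy ipv4 ACL_TEST_10
 tunnel protection ipsec profile IPSEC_PROF_10
 qos pre-classify
interface Tunnel20
 ip unnumbered Ethernet0/0.2
 tunnel source Ethernet0/0.2
 tunnel destination 4.4.4.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec policy ipv4 ACL_TEST_20
 tunnel protection ipsec profile IPSEC_PROF_20
```

After the change, "show crypto session" and "show crypto ipsec sa" on the left router should list the SAs under Tunnel10 and Tunnel20 with the expected local addresses, and "show ip route" should show the RRI routes pointing at the tunnel interfaces.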
10-06-2023 01:49 AM
I would also recommend the multi-SA VTI solution, as crypto maps are much harder to troubleshoot and manage (it's quite easy to break other existing crypto map tunnels) and are not supported past IOS-XE 17.6:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/bulletin-c25-744830.html
Here are additional examples of how to configure multi-SA VTI:
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214728-configure-multi-sa-virtual-tunnel-interf.html
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white-paper-c11-744879.html
10-06-2023 07:25 AM
Thank you gajownik and tvotna
I know VTI is a solution, however I'm not building from scratch.
I cannot touch the rightmost routers, so I have to deal with crypto maps.
I'm not so sure if I can have a VTI on one side (left) and a crypto map on the other side (right).
Thank you for your kind help
10-06-2023 08:05 AM
Yes, you can have one router with multi-SA VTI and the other one with a standard crypto map. In the migration guide this is explained in chapter "2.3 Migrate only router A to VTI – IKEv1"
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white-paper-c11-744879.html#23MigrateonlyrouterAtoVTIIKEv1
10-07-2023 01:41 AM
Honestly, the production environment is far more complicated than what I represented here, with IPSEC tunnels and GRE tunnels going through different VRFs over an MPLS and so on... I don't know if it will be feasible to apply this "halfway" config as a permanent solution, adding more complication, without being disruptive for all the different services.
Surely it is a way I can evaluate.
THANK YOU for your precious help