05-09-2016 12:19 AM - edited 02-21-2020 08:48 PM
Dears,
I've spent two days figuring out how I can use the loopback interface as the tunnel endpoint. After lots of experiments, I could finally get it to work. However, I still don't completely understand how it works. I understand parts of the configuration, but other parts I could not understand.
Here is the most important config for a loopback to function as a VPN tunnel endpoint, along with my humble technical explanation according to my understanding so far. I am not going to mention other config such as IKE/IPsec proposals, IPsec transform sets, the interesting-traffic ACL, etc., as you are already familiar with them. Please feel free to correct me if I am wrong.
"Apply the crypto map on both the loopback interface and the Ethernet sub-interface. Since the loopback is a virtual interface, it cannot negotiate the tunnel. It's the job of the physical interface, which is the Ethernet in my case because it's the actual WAN interface. Applying the map on both of them is crucial. Why do I say that? Because if I remove the map from one of them, the tunnel won't negotiate."
!
interface Loopback0
 ip address 42.x.x.x 255.255.255.255
 crypto map Mymap
!
interface ethernet0.156
 encapsulation dot1q 156
 ip address 10.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 crypto map Mymap
"Because the public IP is defined on the loopback interface, it must be our VPN endpoint. To accomplish this, the following command is important: it instructs the router to treat the loopback address as the VPN endpoint. Without it, the router will think that the endpoint address is the physical interface, and the tunnel will never negotiate since the public IP is not defined on the physical interface. Why do I say that? Because if you issue debug crypto ipsec, you will notice that the other peer will try to negotiate the tunnel with 42.x.x.x on ethernet0.156, and it will tell you invalid local address."
crypto map Mymap local-address Loopback0
"Again, the loopback is not a physical interface. It can't forward or route traffic. So, we need to reach the remote protected subnet in order to virtually forward traffic through the Ethernet interface. In that case, the Ethernet uses the loopback as a gateway to reach the subnet in question. Why do I say that? I really don't know. I am trying my best to explain it. But if you remove this command, the ping won't work."
ip route 192.168.0.0 255.255.248.0 Loopback99
"Finally, you will have to exempt the protected traffic from NAT on the loopback."
ip nat inside source route-map nonat interface Loopback0 overload
!
route-map nonat permit 10
 match ip address 102
!
access-list 102 deny ip 10.10.1.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 102 permit ip 10.10.1.0 0.0.0.255 any
Thanks
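The post above lists four things that must all line up for a loopback to act as the crypto endpoint: the crypto map on the loopback and on the physical interface, a `local-address` pointing at that loopback, a static route for the protected subnet via the same loopback, and a NAT exemption whose ACL denies the protected traffic. As an added example (not part of the original post or of any Cisco tool), here is a small Python checker that parses an IOS-style configuration and reports which of those pieces is missing or inconsistent. The sample configuration embedded in it is constructed from the post with documentation addresses substituted for the poster's real ones, and the `ip route` line points at `Loopback0` so that the sample is internally consistent; the regexes assume the plain `show running-config` text layout.

```python
"""Consistency checker for the loopback-as-IPsec-endpoint pattern (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample config: documentation addresses, not the poster's real values.
GOOD_CONFIG = """\
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
 crypto map Mymap
!
interface Ethernet0.156
 encapsulation dot1q 156
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 crypto map Mymap
!
crypto map Mymap local-address Loopback0
ip route 192.168.0.0 255.255.248.0 Loopback0
ip nat inside source route-map nonat interface Loopback0 overload
!
route-map nonat permit 10
 match ip address 102
!
access-list 102 deny ip 10.10.1.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 102 permit ip 10.10.1.0 0.0.0.255 any
"""


def parse_blocks(config: str, keyword: str) -> Dict[str, List[str]]:
    """Collect the indented sub-commands under each '<keyword> <name> ...' header."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith(keyword + " "):
            current = line.split()[1]          # e.g. 'Loopback0' or 'nonat'
            blocks.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None                     # '!' or a top-level command ends the block
    return blocks


def first_match(pattern: str, lines: List[str]) -> Optional[re.Match]:
    """Return the first regex match of pattern anchored at the start of a line."""
    for ln in lines:
        m = re.match(pattern, ln)
        if m:
            return m
    return None


def check_loopback_endpoint(config: str) -> List[str]:
    """Return findings; an empty list means all four pieces of the pattern are consistent."""
    findings: List[str] = []
    lines = [ln.strip() for ln in config.splitlines()]
    intfs = parse_blocks(config, "interface")

    # 1. 'crypto map <name> local-address <Loopback>' must exist and name a loopback.
    local = first_match(r"crypto map (\S+) local-address (\S+)$", lines)
    if not local:
        findings.append("no 'crypto map ... local-address' line; peer will see the physical address")
        return findings
    map_name, lb = local.group(1), local.group(2)
    if not lb.lower().startswith("loopback"):
        findings.append(f"local-address {lb} is not a loopback")

    # 2. The map must be applied on that loopback AND on at least one non-loopback interface.
    applied = [name for name, cmds in intfs.items() if f"crypto map {map_name}" in cmds]
    if lb not in applied:
        findings.append(f"crypto map {map_name} not applied on {lb}")
    if not any(not n.lower().startswith("loopback") for n in applied):
        findings.append(f"crypto map {map_name} not applied on any physical interface")

    # 3. A static route for the protected subnet must point at the same loopback.
    routes = [m for m in (re.match(r"ip route (\S+) (\S+) (\S+)", ln) for ln in lines) if m]
    protected = {m.group(1) for m in routes if m.group(3) == lb}
    if not protected:
        findings.append(f"no static route for the protected subnet via {lb}")

    # 4. NAT exemption: overload via the loopback, route-map present, ACL denies protected traffic.
    nat = first_match(r"ip nat inside source route-map (\S+) interface (\S+) overload", lines)
    if not nat:
        findings.append("no 'ip nat inside source route-map ... overload' statement")
        return findings
    rm_name, nat_if = nat.group(1), nat.group(2)
    if nat_if != lb:
        findings.append(f"NAT overload uses {nat_if}, not the crypto endpoint {lb}")
    rm_cmds = parse_blocks(config, "route-map").get(rm_name)
    if rm_cmds is None:
        findings.append(f"route-map {rm_name} is referenced by NAT but never defined")
        return findings
    acl_ref = first_match(r"match ip address (\S+)", rm_cmds)
    if not acl_ref:
        findings.append(f"route-map {rm_name} has no 'match ip address'")
        return findings
    acl = acl_ref.group(1)
    deny_dsts = set()
    for ln in lines:
        m = re.match(rf"access-list {re.escape(acl)} deny ip \S+ \S+ (\S+) \S+", ln)
        if m:
            deny_dsts.add(m.group(1))
    if protected and not (protected & deny_dsts):
        findings.append(f"ACL {acl} does not exempt the protected subnet from NAT")
    return findings


if __name__ == "__main__":
    for f in check_loopback_endpoint(GOOD_CONFIG) or ["config is consistent"]:
        print(f)
```

Running it on the sample prints "config is consistent"; swapping the route's next hop to a different loopback, or deleting the `local-address` line, produces the corresponding finding, which is a quick way to confirm a config matches the pattern before chasing the symptom with `debug crypto ipsec`.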