Configure IPSEC with aggressive mode on C2901 using loopback IP for peering

matthewthw (Level 1)

Hi all,

I am going to configure IPsec with aggressive mode on a C2901, and a loopback IP is used for setting up the IPsec peering with the IPsec hub, for routing the subnet on the client end (10.1.1.0/24) to the hub end (10.2.2.0/24).

A sample configuration is below:

=====================================================

crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp keepalive 30 5
!
crypto isakmp peer address 192.168.1.2
set aggressive-mode password cisco123
set aggressive-mode client-endpoint ipv4-address 123.2.2.2
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 192.168.1.2
set transform-set myset
match address 100
!
!
int loopback 0
ip add 123.2.2.2 255.255.255.255
crypto map mymap
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
ip address 10.1.1.1 255.255.255.0
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
ip route 10.2.2.0 255.255.255.0 loopback 0

====================================================================

- Are there any issues with using a loopback IP for building the IPsec tunnel with aggressive mode?

- I believe a static route for the destination subnet at the hub end (10.2.2.0/24) should be set with the next hop as the loopback interface, to route the traffic from 10.1.1.0/24 to 10.2.2.0/24 into the IPsec tunnel. Am I correct?

Thanks.

Matthew

1 Accepted Solution: Cristian Matei's reply correcting the static route (reproduced in the thread below).

8 Replies

rais (Level 7)

For this lab, the remote IPSec peer is on the same subnet as Ethernet0/0?

Yes, you are correct; they are in the same subnet (192.168.1.0/24).

 

Cristian Matei (VIP Alumni)

Hi,

The below configuration will work, but the command "set aggressive-mode client-endpoint ipv4-address 123.2.2.2" just sets the IKE ID; it does not influence the IP address of the router used to terminate the tunnel.

The crypto map should be applied to the physical egress interface towards the other VPN gateway, and should be removed from the Loopback, as it is ignored there. If you want to terminate the VPN tunnel on the Loopback address instead of the IP address of the physical interface where the crypto map is applied (which is the default), you need to use the command "crypto map mymap local-address Loopback0".

 

Regards,

Cristian Matei.

Hi Cristian,

If "crypto map mymap local-address Loopback0" is added to the configuration, do I need to configure "crypto map mymap" under the loopback0 interface?

Thanks.

Matthew

Hi,

As stated above, no. The crypto map applied on the Loopback is ignored. Regardless of whether you ride the IPsec tunnel over the physical interface address (where the crypto map is applied) or over the Loopback (as you configured with the crypto map local-address feature), the crypto map needs to be applied to the physical egress interface.

 

Regards,

Cristian Matei.

Hi Cristian,

Is it correct that the configuration should be revised as below, for using the loopback IP to build the IPsec tunnel?

 

=====================================================

crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp keepalive 30 5
!
crypto isakmp peer address 192.168.1.2
set aggressive-mode password cisco123
set aggressive-mode client-endpoint ipv4-address 123.2.2.2
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 192.168.1.2
set transform-set myset
match address 100
!
crypto map mymap local-address Loopback0
!
int loopback 0
ip add 123.2.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
crypto map mymap
!
interface Ethernet0/1
ip address 10.1.1.1 255.255.255.0
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
ip route 10.2.2.0 255.255.255.0 loopback 0

====================================================================

Cristian Matei (Accepted Solution)

Hi,

All good, except for the fact that the route for the remote protected network needs to point out of the interface where the crypto map is applied, in order to trigger the tunnel being built:

no ip route 10.2.2.0 255.255.255.0 loopback 0
ip route 10.2.2.0 255.255.255.0 Ethernet0 192.168.1.X (X is your next-hop)

Regards,

Cristian Matei.
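
An added check, not part of the thread: the two points Cristian makes (a crypto map on a Loopback is ignored, and the route for the protected subnet has to leave through the interface that carries the map, otherwise no traffic ever matches the map and IKE is never triggered) can be caught by reading the config before it goes on the box. The Python below is this editor's example, not Cisco's or the poster's code. It parses only the commands used in this thread, flags both faults, and reports the address the tunnel will be sourced from, which is what `crypto map ... local-address` controls (the aggressive-mode `client-endpoint` only sets the IKE identity). The two sample configs are constructed from the thread's before and after; the 192.168.1.2 next hop standing in for "192.168.1.X" is an assumption.

```python
"""Added example (not from the original post): lint a Cisco IOS crypto-map config for the two faults
discussed in this thread (a crypto map applied to a Loopback, which IOS ignores, and a static route for
the protected subnet that does not leave through the interface carrying the map, so no tunnel is ever
triggered) and report the address the tunnel is sourced from. Only the thread's commands are parsed."""
import ipaddress


def norm_if(name):                      # 'loopback 0' / 'Loopback0' -> 'loopback0'
    return name.replace(" ", "").lower()


def is_ip(tok):                         # IPv4 token in an 'ip route' line (interface names have no dots)
    return tok.count(".") == 3


def parse_ios(config):
    """Collect interfaces (ip, applied maps), map entries -> ACL, local-address, static routes, ACL dsts."""
    cfg = {"if": {}, "maps": {}, "local": {}, "routes": [], "acls": {}}
    cur_if = cur_map = None
    for line in config.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] in ("interface", "int"):
            cur_if, cur_map = norm_if(" ".join(t[1:])), None
            cfg["if"].setdefault(cur_if, {"ip": None, "maps": set()})
        elif cur_if and len(t) == 4 and t[0] == "ip" and t[1] in ("address", "add"):
            cfg["if"][cur_if]["ip"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif cur_if and t[:2] == ["crypto", "map"] and len(t) == 3:        # map applied to this interface
            cfg["if"][cur_if]["maps"].add(t[2])
        elif t[:2] == ["crypto", "map"] and len(t) >= 5 and t[3] == "local-address":
            cur_if, cur_map = None, None
            cfg["local"][t[2]] = norm_if(" ".join(t[4:]))
        elif t[:2] == ["crypto", "map"] and len(t) == 5 and t[4] == "ipsec-isakmp":
            cur_if, cur_map = None, (t[2], int(t[3]))
            cfg["maps"][cur_map] = None                                     # ACL name, set by 'match address'
        elif t[0] == "crypto":                                              # any other crypto stanza
            cur_if = cur_map = None
        elif cur_map and t[:2] == ["match", "address"]:
            cfg["maps"][cur_map] = t[2]
        elif t[:2] == ["ip", "route"] and len(t) >= 5:                      # ip route NET MASK [IFACE] [NEXTHOP]
            cur_if = cur_map = None
            hops = [x for x in t[4:] if is_ip(x)]
            cfg["routes"].append({"net": ipaddress.ip_network(f"{t[2]}/{t[3]}"),
                                  "iface": norm_if("".join(x for x in t[4:] if not is_ip(x))) or None,
                                  "nexthop": ipaddress.ip_address(hops[0]) if hops else None})
        elif t[0] == "access-list" and len(t) == 8 and t[2:4] == ["permit", "ip"]:
            cur_if = cur_map = None                                         # 'permit ip NET WC NET WC' form only
            cfg["acls"].setdefault(t[1], []).append(ipaddress.ip_network(f"{t[6]}/{t[7]}"))
    return cfg


def egress(cfg, route):                 # interface a static route leaves through, named or via next hop
    if route["iface"] or route["nexthop"] is None:
        return route["iface"]
    return next((n for n, d in cfg["if"].items() if d["ip"] and route["nexthop"] in d["ip"].network), None)


def tunnel_source(cfg, mapname):        # local-address if set, else the physical interface carrying the map
    src = cfg["local"].get(mapname)
    if src is None:
        src = next((n for n, d in cfg["if"].items() if mapname in d["maps"] and not n.startswith("loopback")), None)
    d = cfg["if"].get(src)
    return str(d["ip"].ip) if d and d["ip"] else None


def lint(config):
    cfg, out, seen = parse_ios(config), [], set()
    for (mapname, seq), acl in sorted(cfg["maps"].items()):
        applied = [n for n, d in cfg["if"].items() if mapname in d["maps"]]
        phys = [n for n in applied if not n.startswith("loopback")]
        if mapname not in seen:                                             # map-level checks, once per map
            seen.add(mapname)
            out += [f"{mapname}: applied to {n}, which IOS ignores; apply it to the physical egress interface"
                    for n in applied if n.startswith("loopback")]
            if not phys:
                out.append(f"{mapname}: not applied to any physical interface; no tunnel will ever be built")
            la = cfg["local"].get(mapname)
            if la and not (la in cfg["if"] and cfg["if"][la]["ip"]):
                out.append(f"{mapname}: local-address {la} has no IP address")
        for dst in cfg["acls"].get(acl, []):                                # interesting traffic for this seq
            routes = [r for r in cfg["routes"] if dst.subnet_of(r["net"])]
            if not routes:
                out.append(f"{mapname} seq {seq}: no route for protected subnet {dst}")
            for r in routes:
                eg = egress(cfg, r)
                if eg not in phys:
                    out.append(f"{mapname} seq {seq}: route {r['net']} leaves via {eg}, not a physical "
                               f"interface carrying the map, so the traffic never reaches the crypto map")
    return out


# Constructed sample: the thread's original config (map on the Loopback, route via the Loopback).
BROKEN = """
crypto map mymap 1 ipsec-isakmp
 match address 100
int loopback 0
 ip add 123.2.2.2 255.255.255.255
 crypto map mymap
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
ip route 10.2.2.0 255.255.255.0 loopback 0
"""
# Constructed sample: the accepted fix; 192.168.1.2 stands in for the answer's "192.168.1.X" (assumption).
FIXED = """
crypto map mymap local-address Loopback0
crypto map mymap 1 ipsec-isakmp
 match address 100
interface Loopback0
 ip address 123.2.2.2 255.255.255.255
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map mymap
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
ip route 10.2.2.0 255.255.255.0 Ethernet0/0 192.168.1.2
"""
```

`lint(BROKEN)` returns three findings (map on loopback0 ignored, map on no physical interface, route to 10.2.2.0/24 leaving via loopback0) and `tunnel_source(parse_ios(BROKEN), "mymap")` returns None, since nothing would actually terminate the tunnel; `lint(FIXED)` returns no findings and the tunnel source is 123.2.2.2. A route given only as a next hop (`ip route 10.2.2.0 255.255.255.0 192.168.1.2`) is resolved to the interface whose subnet contains it, so it passes too. On the router itself, `show crypto map` lists the interfaces a map is actually applied to and `show crypto ipsec sa` shows the local crypto endpoint, which is the quickest way to confirm the same two points. One caveat beyond the routing question: the IKE policy in this thread (MD5, 3DES, aggressive mode with a pre-shared key) is weak by current standards, since aggressive mode sends the PSK-derived hash unencrypted and exposes the key to offline guessing.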

Hi Cristian,

It works, thanks a lot.

Matthew
