Testing IPSEC Tunnels using Loopback

Mikey John
Level 1

Hello,

 

I need to test an IPSEC tunnel between two Cisco ASR routers. I do not have any source and destination subnets to put into my Crypto ACL yet as this is still a test environment. So, I plan to use the loopback on one end, and the LAN interface of the router at the other end as subnets which would be on the crypto ACL. My intention is to ping between these two subnets to generate the interesting traffic and bring up the tunnel.

 

From what I know, the way IOS works is that the crypto map needs to be defined on the outside interface which the router would use to forward the packets. So, in this scenario, it should logically work, right?

 

I have attached a sample diagram for your reference. Please let me know if this sounds right.


Cheers
Mikey

7 Replies

Hello,

 

the crypto ACLs do not look right. The ACL needs to specify local networks, not the WAN interfaces. The configs should look something like below:

 

ASR_LEFT

 

! Phase 1 (ISAKMP / IKEv1) policy
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
! Pre-shared key for the remote tunnel endpoint (ASR_RIGHT WAN address)
crypto isakmp key cryptokey address 6.6.6.6
!
! Phase 2 transform set and the crypto map that ties peer, transform set and crypto ACL together
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
set peer 6.6.6.6
set transform-set TS
match address VPN-TRAFFIC
!
! Loopback stands in for the local LAN subnet that has not been allocated yet
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
! The crypto map is applied on the WAN interface that forwards traffic to the peer
interface GigabitEthernet0/0
description WAN interface
ip address 5.5.5.5 255.255.255.248
crypto map CMAP
!
! Crypto ACL: loopback-to-loopback traffic is the "interesting" traffic; WAN addresses are not in it
ip access-list extended VPN-TRAFFIC
permit ip 3.3.3.3 0.0.0.0 4.4.4.4 0.0.0.0

 

ASR_RIGHT

 

! Phase 1 (ISAKMP / IKEv1) policy, identical to ASR_LEFT
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
! Pre-shared key for the remote tunnel endpoint (ASR_LEFT WAN address)
crypto isakmp key cryptokey address 5.5.5.5
!
! Phase 2 transform set and crypto map, mirroring ASR_LEFT
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
set peer 5.5.5.5
set transform-set TS
match address VPN-TRAFFIC
!
! Loopback stands in for the local LAN subnet on this side
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
! Crypto map applied on the WAN interface
interface GigabitEthernet0/0
description WAN interface
ip address 6.6.6.6 255.255.255.192
crypto map CMAP
!
! Crypto ACL: exact mirror image of the ASR_LEFT entry (source and destination swapped)
ip access-list extended VPN-TRAFFIC
permit ip 4.4.4.4 0.0.0.0 3.3.3.3 0.0.0.0

Thanks George. So, do crypto endpoint and peer mean the same? If yes, ASR 2 has a Loopback configured as crypto endpoint for other existing tunnels. So, if I use the same loopback as "peer address" for ASR_LEFT, can I still use the crypto ACL like you defined?

 

ASR_LEFT

==========

ip access-list extended VPN-TRAFFIC
permit ip 3.3.3.3 0.0.0.0 4.4.4.4 0.0.0.0

 

ASR_RIGHT

==========

ip access-list extended VPN-TRAFFIC
permit ip 4.4.4.4 0.0.0.0 3.3.3.3 0.0.0.0

 

 

Thanks

Mikey

 

Hello,

 

not sure I understand what you are testing, actually. The endpoints need to be reachable, so they typically are not encrypted. If you want to test/simulate local traffic, use loopbacks that are different from any WAN IP address...

Thanks George. You already answered my first query - We can use loopback to simulate traffic and test out the IPSEC tunnel.

 

I just needed to know if the loopback on the other end is used for Tunnel termination, can I still have that loopback in my encryption ACL?

 

Thanks

Mikey

Hello,

 

that should work. Loopbacks are typically local (with private IP addresses), so for testing, you should be okay.

Great, thanks George.

Mikey asks "I just needed to know if the loopback on the other end is used for Tunnel termination, can I still have that loopback in my encryption ACL?". As George has explained, the address used to terminate the VPN tunnel is usually not encrypted and so would not be part of the encryption ACL. As shown in the diagram, the tunnel destination would be the IP address on interface G0/0/0, and that would not be part of the ACL. The ACL would specify the IP addresses of the loopbacks as source and as destination. And in testing, any traffic would use the loopback addresses as source and as destination.

 

HTH

Rick
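The thread settles two rules for this kind of lab tunnel: the crypto ACLs on the two ASRs must be mirror images of each other, and the addresses that terminate the tunnel (the `set peer` address and the interface that carries `crypto map`) must not fall inside the crypto ACL, since IKE and ESP to the peer itself have to travel in the clear. The script below is an added example, not code from the thread or from Cisco: it parses the small subset of IOS syntax used in the posted ASR_LEFT / ASR_RIGHT configs, applies both rules to the corrected configs and to the original mistake (WAN addresses in the ACL), and also flags the 3DES / MD5 / DH group 2 Phase 1 settings, which Cisco's own Next Generation Encryption guidance lists as legacy (fine for a throwaway lab, not for anything that carries real traffic). The configs are embedded as a constructed template so the example runs offline; the parser assumes one crypto map and one `ip address` per interface.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed test input: the ASR_LEFT / ASR_RIGHT configs from the thread, trimmed to the lines
# the checks need and turned into a template so the two sides and a wrong variant stay short.
def ios_config(lo, wan, wan_mask, peer, acl_src, acl_dst):
    return f"""crypto isakmp policy 1
encr 3des
hash md5
group 2
!
crypto map CMAP 10 ipsec-isakmp
set peer {peer}
match address VPN-TRAFFIC
!
interface Loopback0
ip address {lo} 255.255.255.255
!
interface GigabitEthernet0/0
ip address {wan} {wan_mask}
crypto map CMAP
!
ip access-list extended VPN-TRAFFIC
permit ip {acl_src} 0.0.0.0 {acl_dst} 0.0.0.0
"""

# Phase 1 settings Cisco's Next Generation Encryption guidance lists as legacy ("hash sha" is SHA-1).
WEAK = {"encr": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
ACL_RE = re.compile(r"permit ip (?:host (\S+)|(\S+) (\S+)) (?:host (\S+)|(\S+) (\S+))")


@dataclass
class CryptoSide:
    name: str
    peer: str = ""                          # 'set peer' in the crypto map
    map_iface_ip: str = ""                  # address of the interface carrying 'crypto map'
    ifaces: dict = field(default_factory=dict)
    acl: list = field(default_factory=list)  # [(src_net, dst_net), ...]
    weak: list = field(default_factory=list)


def wildcard_net(addr, wildcard):
    """IOS wildcard (0 bits must match) -> IPv4Network; 'host X' is wildcard 0.0.0.0."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_side(name, text):
    """Parse the IOS subset used in the thread; indentation is not required."""
    side, mode, iface, map_iface = CryptoSide(name), None, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            mode = "isakmp"
        elif tok[:2] == ["crypto", "map"] and len(tok) > 3:  # global map entry, not the interface binding
            mode = "map"
        elif tok[0] == "interface":
            mode, iface = "iface", tok[1]
        elif tok[:3] == ["ip", "access-list", "extended"]:
            mode = "acl"
        elif mode == "isakmp" and len(tok) == 2 and tok[1] in WEAK.get(tok[0], ()):
            side.weak.append(f"{tok[0]} {tok[1]}")
        elif mode == "map" and tok[:2] == ["set", "peer"]:
            side.peer = tok[2]
        elif mode == "iface" and tok[:2] == ["ip", "address"]:
            side.ifaces[iface] = tok[2]
        elif mode == "iface" and tok[:2] == ["crypto", "map"]:
            map_iface = iface
        elif mode == "acl" and (m := ACL_RE.match(line.strip())):
            h1, a1, w1, h2, a2, w2 = m.groups()
            src = wildcard_net(h1, "0.0.0.0") if h1 else wildcard_net(a1, w1)
            dst = wildcard_net(h2, "0.0.0.0") if h2 else wildcard_net(a2, w2)
            side.acl.append((src, dst))
    side.map_iface_ip = side.ifaces.get(map_iface, "")
    return side


def check_pair(a, b):
    """Findings for one tunnel: peer is a far-side address, endpoints outside the ACL, legacy crypto, mirrored ACLs."""
    findings = []
    for near, far in ((a, b), (b, a)):
        if near.peer not in far.ifaces.values():
            findings.append(f"{near.name}: set peer {near.peer} is not an address on {far.name}")
        for ep in {near.peer, near.map_iface_ip} - {""}:   # tunnel endpoints must not match the crypto ACL
            for src, dst in near.acl:
                if ipaddress.IPv4Address(ep) in src or ipaddress.IPv4Address(ep) in dst:
                    findings.append(f"{near.name}: tunnel endpoint {ep} matches crypto ACL {src} -> {dst}")
        findings += [f"{near.name}: legacy Phase 1 setting '{w}'" for w in near.weak]
    if {(s, d) for s, d in a.acl} != {(d, s) for s, d in b.acl}:
        findings.append("crypto ACLs are not mirror images")
    return findings


def demo():
    """Findings for the configs as corrected in the thread, and for the original mistake (WAN addresses in the ACL)."""
    left = parse_side("ASR_LEFT", ios_config("3.3.3.3", "5.5.5.5", "255.255.255.248", "6.6.6.6", "3.3.3.3", "4.4.4.4"))
    right = parse_side("ASR_RIGHT", ios_config("4.4.4.4", "6.6.6.6", "255.255.255.192", "5.5.5.5", "4.4.4.4", "3.3.3.3"))
    wrong_l = parse_side("ASR_LEFT", ios_config("3.3.3.3", "5.5.5.5", "255.255.255.248", "6.6.6.6", "5.5.5.5", "6.6.6.6"))
    wrong_r = parse_side("ASR_RIGHT", ios_config("4.4.4.4", "6.6.6.6", "255.255.255.192", "5.5.5.5", "6.6.6.6", "5.5.5.5"))
    return check_pair(left, right), check_pair(wrong_l, wrong_r)


if __name__ == "__main__":
    for label, findings in zip(("corrected configs", "WAN addresses in ACL"), demo()):
        print(label + ":\n" + ("\n".join("  " + f for f in findings) or "  none"))
```

Against the corrected configs the only findings are the six legacy Phase 1 settings; against the original mistake each side additionally reports both of its tunnel endpoints matching the crypto ACL, which is exactly the condition George and Rick describe. Because the peer check only requires `set peer` to be some address on the far router, terminating on a loopback (Mikey's follow-up question) passes it, while putting that same loopback in the crypto ACL is still reported as an endpoint inside the ACL.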