12-02-2010 03:00 AM
Good day!
Our border router connects to the ISP router with a p2p subnet. The IP address on our router's connect interface cannot be used for other services such as VPN. The provider filters all packets with this address set in an IP header. So we must use addresses from the other publicly routed subnet. I understand we can place another router behind this border router and set its outside address as an address from this 'allowed' subnet. But we want to provide this service on the same border router. Is it possible? I tried to set the crypto map on a loopback interface and direct traffic to it for encryption.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <pre-shared> address z.z.172.2 no-xauth
crypto ipsec transform-set TRANS1 esp-3des esp-sha-hmac
interface loopback0
description -= VPN Termination =-
ip address x.x.127.111 255.255.255.255
crypto map VPN
interface GigabitEthernet0/0.10
description -= ISP Gateway =-
encapsulation dot1Q 10
ip address y.y.122.203 255.255.255.248
interface GigabitEthernet0/0.20
description -= LAN =-
encapsulation dot1Q 20
ip address 192.168.10.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 y.y.122.201
ip route 192.168.100.0 255.255.255.0 loopback 0
It does not work. The packet does not get encrypted but is simply routed to the ISP router.
Please, help.
Thanks.
12-03-2010 03:35 PM
Viktor,
I believe crypto map on loopback interface is still unsupported but I have not been following this in the past.
The way we do it is apply the actual crypto map to the physical/logical interface facing the ISP, BUT you tweak the crypto map to use the loopback as its local address.
In your case it'd look like this:
crypto map VPN local-address loopback0
With this in place everyone will think that the tunnel is established with the address assigned to the loopback0 interface.
Hope this helps,
Marcin
12-06-2010 03:13 AM
Hello, colleagues.
Thank you, Marcin. Your recommendation was useful. Really the router sends encrypted packets with its internal interface IP address in the header.
But there is one more difficulty. This router has a backup, and its internal interface is connected to another router's interface by HSRP. I want the router to send the packet with the HSRP group IP address, not with the physical interface's IP address. When I enter the "crypto map test local-address" command I can submit only an interface, not an IP address. Is there any solution for this case?
Thank you.
12-06-2010 05:47 AM
Viktor,
Now that's a bit of a different story.
You can have both routers using IP address of HSRP as described here:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml
interface FastEthernet0/0
ip address 172.16.172.52 255.255.255.240
duplex full
speed 100
standby 1 ip 172.16.172.53
standby 1 priority 200
standby 1 preempt
standby 1 name VPNHA
standby 1 track FastEthernet0/1 150
crypto map vpn redundancy VPNHA
However I have not seen a mix of this + local-address from loopback. It would require some lab testing and digging into documentation.
I'm not sure if I can find bandwidth for this right now.
Marcin