3945 site-to-site VPN termination not on p2p connect interface

SuperVitya (Level 1)

Good day!

Our border router connects to the ISP router with a p2p subnet. The IP address on our router's connecting interface cannot be used for other services such as VPN: the provider filters all packets with this address set in the IP header. So we must use addresses from the other publicly routed subnet. I understand we can place another router behind this border router and set its outside address as an address from this 'allowed' subnet. But we want to provide this service on the same border router. Is it possible? I tried to set the crypto map on a loopback interface and direct traffic to it for encryption.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <pre-shared> address z.z.172.2 no-xauth

crypto ipsec transform-set TRANS1 esp-3des esp-sha-hmac

crypto map VPN 10 ipsec-isakmp
 set peer z.z.172.2
 set transform-set TRANS1
 match address CRYPTO_ACL

interface loopback0
 description -= VPN Termination =-
 ip address x.x.127.111 255.255.255.255
 crypto map VPN

interface GigabitEthernet0/0.10
 description -= ISP Gateway =-
 encapsulation dot1Q 10
 ip address y.y.122.203 255.255.255.248

interface GigabitEthernet0/0.20
 description -= LAN =-
 encapsulation dot1Q 20
 ip address 192.168.10.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 y.y.122.201
ip route 192.168.100.0 255.255.255.0 loopback 0

ip access-list extended CRYPTO_ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255

It does not work. The packet does not get encrypted but is simply routed to the ISP router.

Please, help.

Thanks.


3 Replies

Marcin Latosiewicz (Cisco Employee) - Accepted Solution

Viktor,

I believe crypto map on loopback interface is still unsupported but I have not been following this in the past.

The way we do it is to apply the actual crypto map to the physical/logical interface facing the ISP, BUT you tweak the crypto map to use the loopback as its local address.

In your case it'd look like this:

crypto map VPN local-address loopback0

With this in place, everyone will think that the tunnel is established with the address assigned to the loopback0 interface.

Hope this helps,

Marcin
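Marcin's fix applied to the configuration from the question, written as an added example for this thread (it is not Marcin's or Cisco's text). Addresses are the thread's own placeholders; the route change and the verification commands at the end are my additions, since with a crypto map the protected traffic has to leave through the interface that carries the map.

```ios
! Added example: crypto map stays on the ISP-facing interface, the loopback
! only supplies the source address for IKE and ESP.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <pre-shared> address z.z.172.2 no-xauth
!
crypto ipsec transform-set TRANS1 esp-3des esp-sha-hmac
!
! Source IKE/ESP from x.x.127.111 instead of the filtered p2p address y.y.122.203
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer z.z.172.2
 set transform-set TRANS1
 match address CRYPTO_ACL
!
interface Loopback0
 description -= VPN Termination =-
 ip address x.x.127.111 255.255.255.255
 ! no "crypto map VPN" here
!
interface GigabitEthernet0/0.10
 description -= ISP Gateway =-
 encapsulation dot1Q 10
 ip address y.y.122.203 255.255.255.248
 crypto map VPN
!
interface GigabitEthernet0/0.20
 description -= LAN =-
 encapsulation dot1Q 20
 ip address 192.168.10.1 255.255.255.0
!
! The remote LAN must be routed out Gi0/0.10 (here: via the default route)
! so the packet is matched against CRYPTO_ACL on egress. A route pointing
! 192.168.100.0/24 into Loopback0 never reaches the crypto map.
ip route 0.0.0.0 0.0.0.0 y.y.122.201
!
ip access-list extended CRYPTO_ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! Verification (exec mode): the "src" column of the first command and the
! "local crypto endpt" of the second should both show x.x.127.111.
!  show crypto isakmp sa
!  show crypto ipsec sa
```

The remote peer also has to expect x.x.127.111 as the peer address and the ISP must route that subnet to this router; the thread's 3DES/SHA-1/group 2 choices are kept for fidelity only, current IOS guidance is AES and larger DH groups.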

Hello, colleagues.

Thank you, Marcin. Your recommendation was useful. Really the router sends encrypted packets with its internal interface IP address in the header.

But there is one more difficulty. This router has a backup. And its internal interface is connected to another router interface by HSRP. And I want the router to send the packet with the HSRP group IP address, not with the physical interface's IP address. When I enter "crypto map test local-address" command I can submit only an interface, no IP address. Is there any solution for this case?

Thank you.

Viktor,

Now that's a bit of a different story.

You can have both routers using IP address of HSRP as described here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

interface FastEthernet0/0
 ip address 172.16.172.52 255.255.255.240
 duplex full
 speed 100
 standby 1 ip 172.16.172.53
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 track FastEthernet0/1 150
 crypto map vpn redundancy VPNHA

However I have not seen a mix of this + local-address from loopback. It would require some lab testing and digging into documentation.

I'm not sure if I can find bandwidth for this right now.

Marcin
