IPSec (crypto map) on loopback ??

akpandey79
Level 1

Hi,

Can we have multiple crypto maps on Cisco routers using loopback addresses? We need this implementation because we have redundant paths and want to split subnets by using a separate crypto map for each subnet, and IPsec should always be up even if one of the links fails.

Thanks.

Akhilesh

23 Replies

Hi Mitra,

I can see that you already have an answer for what you asked, but just to add my two cents here:

A crypto map is not supported on a loopback. If you would like to use it as your VPN endpoint, then check this option:

crypto map local-address

HTH.

Portu.
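The way `crypto map local-address` is normally used for the case the original poster describes (two uplinks, one IPsec identity that survives a link failure), as an added example that is not part of any reply in this thread. Interface names, the addresses (RFC 5737 documentation space), the peers, ACL names and the pre-shared keys are all assumptions; the ISAKMP/transform-set options assume a reasonably current IOS or IOS-XE release that supports SHA-256 and DH group 14.

```cisco
! Added example, not configuration from the thread. One crypto map,
! sourced from Loopback0, bound to both physical uplinks. Names and
! addresses are placeholders.
interface Loopback0
 description IPsec endpoint; this /32 must be reachable from the peers via either uplink
 ip address 192.0.2.1 255.255.255.255
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One key per remote peer; the peer addresses are assumptions
crypto isakmp key ExamplePskSiteA-ChangeMe address 198.51.100.1
crypto isakmp key ExamplePskSiteB-ChangeMe address 198.51.100.9
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! A subnet per peer does not need a crypto map per subnet: an interface
! accepts only one crypto map, but one map holds many entries, each with
! its own peer and its own crypto ACL.
ip access-list extended VPN-SITE-A
 permit ip 10.1.0.0 0.0.255.255 10.100.0.0 0.0.255.255
ip access-list extended VPN-SITE-B
 permit ip 10.2.0.0 0.0.255.255 10.200.0.0 0.0.255.255
!
! local-address makes the loopback the IKE and ESP source address.
! The map itself still cannot be applied to Loopback0; it is bound to
! the interfaces the encrypted packets actually leave from.
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 description Site A
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-SITE-A
crypto map VPN 20 ipsec-isakmp
 description Site B
 set peer 198.51.100.9
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-SITE-B
!
interface GigabitEthernet0/0
 description Uplink to ISP-1
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
!
interface GigabitEthernet0/1
 description Uplink to ISP-2
 ip address 203.0.113.6 255.255.255.252
 crypto map VPN
```

Because both interfaces carry the same map with the same local address, the SAs belong to 192.0.2.1 rather than to either uplink, so a failover that moves the route to the peer from Gi0/0 to Gi0/1 does not force a renegotiation. The remote side must be configured with `set peer 192.0.2.1` (not an uplink address), and the loopback prefix has to be routed to this router through both ISPs. `show crypto map` confirms the local-address binding and lists the interfaces using the map; `show crypto isakmp sa` and `show crypto ipsec sa` show the SAs with 192.0.2.1 as the local endpoint.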

I just have an issue with this kind of problem. Just to be sure: you are saying that a loopback interface cannot support a crypto map on it? The "crypto map" command must be on a physical interface? Am I right? Is this correct?

Thank you.

Petar

Can you please tell me what was changed?

In my case I need to have many IPsec VPNs and I thought a loopback could be used as the source peer IP. But now I'm seeing that traffic can't be routed through the loopback IP, and that's the reason the tunnel is not coming up. Is there a way to do this?

mitra dray
Level 1

I think specifically I had some restrictions when I tried to perform that with an ASR and ended up having the crypto on the egress interfaces.

What I did was use two routers where the tunnels were in a VRF RIB.

I needed to add a VRF static route for the destination networks through the global IP next hop.

That's what suited my needs.

 

 

I did not get this. Could you explain it to me further, or send a config file, or copy your configuration here? That is the easiest way that I can think of...

Thank you.

Petar

Hope this would assist.

interface Loopback1
 description ### LOOPBACK IPSEC ###
 ip address 95.95.95.1 255.255.255.255
!
crypto keyring KEYS-HOSTING-SJ
  local-address 95.95.95.1
  pre-shared-key address 63.63.63.1 key Re*kup#ha4Ha
!
crypto isakmp profile ISAKMP-HOSTING-SJ
   vrf VPN
   keyring KEYS-HOSTING-SJ
   match identity address 63.63.63.1 255.255.255.255
!
crypto ipsec transform-set TRANS_SET-HOSTING-SJ esp-aes esp-sha-hmac
 mode tunnel
!
crypto isakmp policy 9
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto map VPN_GENERIC-S2S 20 ipsec-isakmp
 description ### VPN S2S HOSTING-SJ ASA ###
 set peer 63.63.63.1
 set transform-set TRANS_SET-HOSTING-SJ
 set pfs group2
 set isakmp-profile ISAKMP-HOSTING-SJ
 match address IPSEC-VPN-ACL_HOSTING-SJ
!
ip access-list extended IPSEC-VPN-ACL_HOSTING-SJ
 permit ip 10.23.0.0 0.0.255.255 10.10.2.0 0.0.0.255
!
ip route vrf VPN 10.10.2.0 255.255.255.0 208.208.208.202 track 102 name SLA102-VPN_TU_US-SJWC-PROXY-SUBNET-NH-GLOBAL-ISP-1
!
ip sla 102
 icmp-echo 63.63.63.1 source-ip 95.95.95.1
 tag VPN-TRACK-ROUTE102-TO-HOSTING-SJ
 threshold 3000
 frequency 5
ip sla schedule 102 life forever start-time now
!
ip sla reaction-configuration 102 react timeout threshold-type xOfy 2 5 action-type trapOnly
!
interface GigabitEthernet0/0/0
 description ##### ISP : CROSS CONNECT 1 TO ISP-1 ###
 ip address 208.208.208.201 255.255.255.252
 ip flow ingress
 load-interval 30
 negotiation auto
 crypto map VPN_GENERIC-S2S

Once the tracking fails, the other router has the route in its routing table and takes its place.

 

Thank you... That was helpful...

Sincerely,

Petar

Tell me and please rate if it's working for you :)

It does not work for me, but I managed to find out why (based on your reply)... The crypto map has to be on a physical interface... I tried to put the crypto map under the loopback interface, but that does not work... I suspected that could be the problem, and your case convinced me...

Sincerely,

Petar
