07-21-2015 06:32 AM
Hello,
I have a setup as depicted below:
R1 and R2 are 3825 routers and both have a dynamic VPN setup on their external interface (Int1/1 and Int2/1 respectively) which works correctly.
(This serves remote administrative clients.)
We need to move the VPN entry point of R2 from Int2/1 to Int2/2 or to a Loopback interface, which also has a public IP address.
I've read that I can't set up "crypto map vpn" on a Loopback interface, so I am trying to move "crypto map vpn" to Int2/2, but it won't work.
I have confirmed that all affected ACLs allow the needed protocols (proto 50 and 51, and UDP 500).
Here is the working setup (from R2 and Int2/1):
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ORG-VPN
 key ***********************
 dns 194.177.***.*** 194.177.***.***
 pool adminips
 acl 160
!
crypto ipsec transform-set vpnc esp-3des esp-sha-hmac
crypto ipsec transform-set vod1 esp-3des esp-md5-hmac
!
! dynamic map: remote peers are not known in advance; reverse-route
! injects a host route for the assigned pool address once the SA is up
crypto dynamic-map dynmap 100
 set transform-set vpnc
 reverse-route
!
crypto map vpn client authentication list default
crypto map vpn isakmp authorization list vpn
crypto map vpn client configuration address respond
crypto map vpn 100 ipsec-isakmp dynamic dynmap
!
ip local pool adminips 195.kkk.lll.217 195.kkk.lll.222
!
interface Int2/1
 encapsulation dot1Q 500
 ip address 62.xxx.xxx.107 255.255.255.254
 ...
 ipv6 address 2001:648:xxxx:xxxx:2::2/126
 ipv6 enable
 ...
 crypto map vpn
Why can't I just move crypto map vpn from Int2/1 to Int2/2?
What else should I do?
Please advise.
Thanks,
Nick
07-21-2015 11:17 PM
Hi,
For dynamic IPsec remote clients to work, you need to have a default route pointing out the interface on which the crypto map is applied (to send return traffic).
HTH
Abaji.
07-22-2015 04:14 AM
Hello Abaji,
Thank you for your reply.
I thought that the statement:
crypto dynamic-map dynmap 100
...
reverse-route
should take care of return routes.
Please be kind to clarify and/or point me to some doc / example on what you mean.
Thanks,
Nick
07-22-2015 05:13 PM
Hi Nick,
Reverse route injection will be in effect only after the tunnel is established. For the VPN to establish you need a return route, and for dynamic peers you need to add a default route pointing through the interface, as you don't know with what IP the peer would be coming in.
HTH
Abaji.
08-08-2015 09:25 AM
Can you please be more specific by suggesting changes on the above configuration?
Alternatively, can you please point me to an example or other online detailed documentation, where I can understand what I should do?
I am still totally clueless on how to move on.
Note: Clients could connect to the Loopback interface which is accessible through various possible routes, but I have read that I can't configure "crypto map vpn" on the Loopback interface. Is there a way to use the Loopback interface (configured with a public IP address) as vpn connection point?
Please advise.
Thanks,
Nick
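The two changes discussed above, written out as an added example (not a reply from the thread and not Nick's or Abaji's configuration). It shows what Abaji's point about the default route looks like on the box, and it also answers the loopback question: IOS refuses "crypto map" under a Loopback interface, but "crypto map vpn local-address Loopback0" sources IKE/IPsec from the loopback address while the map stays applied to the physical interfaces that actually carry the packets. Interface names are taken from the thread; the addresses (documentation space 203.0.113.0/24), the next hop and the Loopback0 name are assumptions.

```cisco
! Added example, not part of the original thread. 203.0.113.x addresses,
! the next hop 203.0.113.1 and the name Loopback0 are assumptions.
!
! ---- Option A: move the crypto map to the physical interface Int2/2 ----
! The first IKE reply to a not-yet-known client is routed by an ordinary
! lookup on the client's source address, so the default route has to exit
! through the interface that carries the crypto map. The reverse-route
! entry in dynmap only appears after the SA is up and only covers the
! pool address (195.kkk.lll.217-222), not the client's public IP.
interface Int2/1
 no crypto map vpn
!
interface Int2/2
 ip address 203.0.113.2 255.255.255.252
 crypto map vpn
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! ---- Option B: terminate clients on a loopback address ----
! "crypto map" is not accepted under a Loopback interface, but the map can
! be told to use the loopback as its local address. The map must still be
! applied on every physical interface through which client traffic may
! arrive or leave, and the loopback /32 must be reachable from outside.
interface Loopback0
 ip address 203.0.113.9 255.255.255.255
!
crypto map vpn local-address Loopback0
!
interface Int2/1
 crypto map vpn
!
interface Int2/2
 crypto map vpn
!
! Verification once a client has connected (either option):
!   show crypto isakmp sa        -> QM_IDLE entry for the client's public IP
!   show crypto ipsec sa         -> local ident is the crypto-map/local-address IP
!   show ip route                -> static /32 for the assigned pool address (RRI)
!   debug crypto isakmp          -> if phase 1 never starts, check the egress route first
```

With option B the advertised loopback route decides which physical interface the client's packets arrive on, so both interfaces need the map; with option A the default route and the map must agree on a single interface, which is exactly the condition Abaji describes.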
08-09-2015 10:41 PM
OK, I found the solution in this thread:
I implemented the suggested configuration and it works fine.
Regards,
Nick