Dynamic VPN on non-external interface

Nikolaos Milas
Level 1

Hello,

I have a setup as depicted below:

R1 and R2 are 3825 routers and both have a dynamic VPN setup on their external interface (Int1/1 and Int2/1 respectively) which works correctly.

(This serves remote administrative clients.)

We need to move the VPN entry point of R2 from Int2/1 to Int2/2 or to a Loopback interface, which also have a public IP address.

I've read that I can't set up "crypto map vpn" on a Loopback interface, so I am trying to move "crypto map vpn" to Int2/2, but it won't work.

I have confirmed that all affected ACLs allow the needed protocols (proto 50 and 51, and UDP 500).

Here is the working setup (from R2 and Int2/1):

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2  
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ORG-VPN
 key ***********************
 dns 194.177.***.*** 194.177.***.***
 pool adminips
 acl 160
!
crypto ipsec transform-set vpnc esp-3des esp-sha-hmac 
crypto ipsec transform-set vod1 esp-3des esp-md5-hmac 
!
crypto dynamic-map dynmap 100
 set transform-set vpnc 
 reverse-route
!
crypto map vpn client authentication list default
crypto map vpn isakmp authorization list vpn
crypto map vpn client configuration address respond
crypto map vpn 100 ipsec-isakmp dynamic dynmap 
 
ip local pool adminips 195.kkk.lll.217 195.kkk.lll.222

interface Int2/1
 encapsulation dot1Q 500
 ip address 62.xxx.xxx.107 255.255.255.254
 ...
 ipv6 address 2001:648:xxxx:xxxx:2::2/126
 ipv6 enable
 ...
 crypto map vpn

Why can't I just move crypto map vpn from Int2/1 to Int2/2?

What else should I do?

Please advise.

Thanks,
Nick

5 Replies

Abaji Rawool
Level 3

Hi,

For dynamic IPsec remote clients to work, you need to have a default route pointing out the interface on which the crypto map is applied (to send return traffic).

HTH

Abaji.

Hello Abaji,

Thank you for your reply.

I thought that the statement:

crypto dynamic-map dynmap 100
  ...
  reverse-route

should take care of return routes.

Please be kind to clarify and/or point me to some doc / example on what you mean.

Thanks,
Nick

Hi Nick,

Reverse Route will be in effect after the tunnel is established. For the VPN to establish you need a return route, and for dynamic peers you need to add a default route pointing through the interface, as you don't know with what IP the peer would be coming in.

HTH

Abaji.
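The change described in this reply, written out against the configuration in the question as an added example (not configuration from the thread, from the linked discussion, or from Cisco documentation). The next hop, the Int2/2 address and Loopback0 are placeholders; the `local-address` variant for a loopback entry point is an assumption about a standard IOS crypto map option, not a statement of what the linked thread recommends.

```cisco
! Added example, not from the original thread. Placeholders: <next-hop>,
! 195.kkk.lll.1, Loopback0.
!
! 1. Remove the crypto map from the old entry point.
interface Int2/1
 no crypto map vpn
!
! 2. Apply it on the new entry point (Int2/2 already carries a public address).
interface Int2/2
 ip address 195.kkk.lll.1 255.255.255.0
 crypto map vpn
!
! 3. Default route out of the interface that carries the crypto map, so the
!    IKE (UDP 500) and ESP replies to a peer whose address is not known in
!    advance leave through the same interface the crypto map is bound to.
!    reverse-route only injects a route for the client pool address once
!    the tunnel is up; it does not help before that.
ip route 0.0.0.0 0.0.0.0 Int2/2 <next-hop>
!
! Loopback variant (assumption: the local-address option of crypto map).
! The crypto map still has to sit on every physical interface through which
! the loopback is reachable; the default route still goes out one of them.
interface Loopback0
 ip address 195.kkk.lll.2 255.255.255.255
!
crypto map vpn local-address Loopback0
!
interface Int2/1
 crypto map vpn
interface Int2/2
 crypto map vpn
!
! Verification after a client connects:
!   show ip route 0.0.0.0
!   show crypto isakmp sa
!   show crypto ipsec sa
```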


Can you please be more specific by suggesting changes on the above configuration?

Alternatively, can you please point me to an example or other online detailed documentation, where I can understand what I should do?

I am still totally clueless on how to move on.

Note: Clients could connect to the Loopback interface, which is accessible through various possible routes, but I have read that I can't configure "crypto map vpn" on the Loopback interface. Is there a way to use the Loopback interface (configured with a public IP address) as the VPN connection point?

Please advise.

Thanks,
Nick

OK, I found the solution in this thread:

https://supportforums.cisco.com/discussion/11662871/cisco-easy-vpn-loopback-interface-static-ip-address-client

I implemented the suggested configuration and it works fine.

Regards,

Nick
