Solved: Re: GETVPN Crypto Map on loopback

Ali Koussan · ‎01-13-2013

HI ,

We have 6 WAN routers connected through ISP MPLS cloud , we need to implement GET VPN between these WAN routers.

We have 2 Key servers (1800 routers) , and the WAN routers will act as Group Members (6 GMs)

The attached configuration files are for working configuration for typical GETVPN (crypto map applied on WAN interface)

In Key server configuration , the crypto isakmp command is using the WAN interface IP address of each WAN router (172.16.x.x) , and since that the KS routers are connected to local backbone (VSS) , they should be able to reach 172.16.X.X , and therefore the subnet 172.16.X.X is advertised to the local network (check GM configuration file under eigrp - redist connected )

This is what our customer want to avoid ! they do not want 172.16.X.X to be advertised to the local network .

I know It is possible in GETVPN configuration to configure ,the crypto isakmp command to use loopback address's of the WAN routers instead of the WAN IP , but in this case the crypto map must be applied to the loopback address , and this requires all traffic to be encrypted and decrypted to go through the loopback interfaces on all WAN routers .

i was wondering what is the best solution for this case , I though to use the below config on the GM's

crypto map local-address loopback 0

route-map TEST permit 10

set interface Loopback0

ip local policy route-map TEST

But I'm not sure if this is correct or maybe there is a better idea .. so I thought to share it with you guys to discuss any better ideas.

Marcin Latosiewicz · ‎01-13-2013

Ali,

We do not support crypto maps on loopback interfaces.

Use crypto map local-address (in case of vanilla IPsec) and/or client registration interface (although this one is for a different use) command under gdoi to specifcy which inetrface and/or VRF you would like to source registration from/receive rekey on.

You can have a look at DIG:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf

section 4.2.1.2.3 and other will discuss this.

M.

View solution in original post

Marcin Latosiewicz · ‎01-14-2013

Ali,

What crypto map is achieving is to identify where crypto packets are coming through - physically (so to speak). While local-address is specifcying which address should be use for IKE/ESP source IP.

Local-address in your case would work fine as far as I understand (i.e. local-address loopback, but crypto map appled on physical).

Is there a requirement I'm missing?

M.

View solution in original post

Marcin Latosiewicz · ‎01-14-2013

Ali,

You're not even getting to the identity.

*Mar 1 00:41:59.159: ISAKMP:(0):no offers accepted!

*Mar 1 00:41:59.159: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.40.247.120 remote 10.40.247.110)

You don't have a matching isakmp policy on both sides.

M.

View solution in original post

Marcin Latosiewicz · ‎01-13-2013

Ali,

We do not support crypto maps on loopback interfaces.

Use crypto map local-address (in case of vanilla IPsec) and/or client registration interface (although this one is for a different use) command under gdoi to specifcy which inetrface and/or VRF you would like to source registration from/receive rekey on.

You can have a look at DIG:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf

section 4.2.1.2.3 and other will discuss this.

M.

Ali Koussan · ‎01-13-2013

Hi Marcin,

Thanks for the answer , I have gone through the guide and I understood the use of crypto map local-address

So, what I was looking for can not be achieved , the crypto map must be applied on the physical interface facing the WAN network (or facing the WAN Router if the GM is not directly connected to WAN). and the crypto isakmp on the KS should point to the GM WAN interface .

can you please point me to the part of the design guide where it is mentioned that the crypto map is not supported on the loopback ? this is only just to show it to my client .

Thanks once again for you help Marcin.

olpeleri · ‎01-13-2013

Hello,

Here we go:

http://www.cisco.com/en/US/partner/docs/ios/12_3/security/command/reference/sec_c2g.html#wp1073142

"Note:

A crypto map applied to loopback interface is not supported.

"

Regards.

Ali Koussan · ‎01-14-2013

thanks alot olpeleri ..

Marcin Latosiewicz · ‎01-14-2013

Ali,

What crypto map is achieving is to identify where crypto packets are coming through - physically (so to speak). While local-address is specifcying which address should be use for IKE/ESP source IP.

Local-address in your case would work fine as far as I understand (i.e. local-address loopback, but crypto map appled on physical).

Is there a requirement I'm missing?

M.

Ali Koussan · ‎01-14-2013

hi macin,

if i apply the crypto map on physical interface of GM then in KS i have to use the GM WAN ip in the"

crypto isakmp key xxxxx address 172.16.X.X "command which I was trying to avoid , because in this case the WAN IP should be advertise to the local network so that KS can reach it .

so I do not think It is going to work with only "local-address loopback" , anyway i will try it in the lab to see what happens in this case.

I hope you got what i was trying to do and thanks for your help once again

Marcin Latosiewicz · ‎01-14-2013

Ali,

Enabling local-address on crypto map has two-fold effect.

1) We will use this address as source of our IKE and IPsec communication.

2) If isakmp identity is set to address we will use address sepcified by local-address as IKE identity.

i.e. it's this filed (IKE ID) that you match against in keyrings (including the default) on responder side.

M.

Ali Koussan · ‎01-14-2013

Hi Macin ,

I tried that in the lab , the GETVPN will not come up if I only use " local-address loopback" while applying the crypto map on the WAN interface of the GM.

So, I think it can not be done with the loopback since that I can not apply the crypto map on the loopback .....

Marcin Latosiewicz · ‎01-14-2013

Ali,

How did it fail exactly?

can you share "debug crypto isakmp" from both sides?

M.

Ali Koussan · ‎01-14-2013

Hi Marcin

Attached is the configuration of the KS and two GMs

please note on the KS configuration :

crypto isakmp key amn123 address 10.40.247.110

crypto isakmp key amn123 address 10.150.247.102

10.40.247.110 & 10.150.247.102 are loopback of the GMs and this is what I want ...

also check the debug crypto iskmp from KS and GMs side.

Marcin Latosiewicz · ‎01-14-2013

Ali,

You're not even getting to the identity.

*Mar 1 00:41:59.159: ISAKMP:(0):no offers accepted!

*Mar 1 00:41:59.159: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.40.247.120 remote 10.40.247.110)

You don't have a matching isakmp policy on both sides.

M.

Ali Koussan · ‎01-14-2013

hi Marcin

Sorry for that , in my original test with loopback I was not missing the iskmp policy config , but when I did the configuration again for the sake of debug I removed the policy and paste it again , it seems that it missed IKE phase 1 part ...

I will correct that and do the test and debug again ..

Sent from Cisco Technical Support iPhone App

Ali Koussan · ‎01-14-2013

Hi Marcin,

I tried it again , and looks working !!! except the rekeying ..

Please check the debug & show commands from KS & GMs .

Ali Koussan · ‎01-15-2013

Hi Marcin
Rekeying is working now , I just re-generate the key on KS and I did some changes on the ACL to force the rekey

Thanks Marcin for the great help.

Ali

Sent from Cisco Technical Support iPad App