01-13-2013 12:38 AM - edited 02-21-2020 06:37 PM
HI ,
We have 6 WAN routers connected through ISP MPLS cloud , we need to implement GET VPN between these WAN routers.
We have 2 Key servers (1800 routers) , and the WAN routers will act as Group Members (6 GMs)
The attached configuration files are for working configuration for typical GETVPN (crypto map applied on WAN interface)
In Key server configuration , the crypto isakmp command is using the WAN interface IP address of each WAN router (172.16.x.x) , and since that the KS routers are connected to local backbone (VSS) , they should be able to reach 172.16.X.X , and therefore the subnet 172.16.X.X is advertised to the local network (check GM configuration file under eigrp - redist connected )
This is what our customer want to avoid ! they do not want 172.16.X.X to be advertised to the local network .
I know It is possible in GETVPN configuration to configure ,the crypto isakmp command to use loopback address's of the WAN routers instead of the WAN IP , but in this case the crypto map must be applied to the loopback address , and this requires all traffic to be encrypted and decrypted to go through the loopback interfaces on all WAN routers .
i was wondering what is the best solution for this case , I though to use the below config on the GM's
crypto map local-address loopback 0
route-map TEST permit 10
set interface Loopback0
ip local policy route-map TEST
But I'm not sure if this is correct or maybe there is a better idea .. so I thought to share it with you guys to discuss any better ideas.
Solved! Go to Solution.
01-13-2013 04:26 AM
Ali,
We do not support crypto maps on loopback interfaces.
Use crypto map local-address (in case of vanilla IPsec) and/or client registration interface (although this one is for a different use) command under gdoi to specifcy which inetrface and/or VRF you would like to source registration from/receive rekey on.
You can have a look at DIG:
section 4.2.1.2.3 and other will discuss this.
M.
01-14-2013 12:55 AM
Ali,
What crypto map is achieving is to identify where crypto packets are coming through - physically (so to speak). While local-address is specifcying which address should be use for IKE/ESP source IP.
Local-address in your case would work fine as far as I understand (i.e. local-address loopback, but crypto map appled on physical).
Is there a requirement I'm missing?
M.
01-14-2013 08:19 AM
Ali,
You're not even getting to the identity.
*Mar 1 00:41:59.159: ISAKMP:(0):no offers accepted!
*Mar 1 00:41:59.159: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.40.247.120 remote 10.40.247.110)
You don't have a matching isakmp policy on both sides.
M.
01-13-2013 04:26 AM
Ali,
We do not support crypto maps on loopback interfaces.
Use crypto map local-address (in case of vanilla IPsec) and/or client registration interface (although this one is for a different use) command under gdoi to specifcy which inetrface and/or VRF you would like to source registration from/receive rekey on.
You can have a look at DIG:
section 4.2.1.2.3 and other will discuss this.
M.
01-13-2013 07:07 AM
Hi Marcin,
Thanks for the answer , I have gone through the guide and I understood the use of crypto map local-address
So, what I was looking for can not be achieved , the crypto map must be applied on the physical interface facing the WAN network (or facing the WAN Router if the GM is not directly connected to WAN). and the crypto isakmp on the KS should point to the GM WAN interface .
can you please point me to the part of the design guide where it is mentioned that the crypto map is not supported on the loopback ? this is only just to show it to my client .
Thanks once again for you help Marcin.
01-13-2013 11:28 PM
Hello,
Here we go:
http://www.cisco.com/en/US/partner/docs/ios/12_3/security/command/reference/sec_c2g.html#wp1073142
"Note:
A crypto map applied to loopback interface is not supported.
"
Regards.
01-14-2013 03:17 AM
thanks alot olpeleri ..
01-14-2013 12:55 AM
Ali,
What crypto map is achieving is to identify where crypto packets are coming through - physically (so to speak). While local-address is specifcying which address should be use for IKE/ESP source IP.
Local-address in your case would work fine as far as I understand (i.e. local-address loopback, but crypto map appled on physical).
Is there a requirement I'm missing?
M.
01-14-2013 03:30 AM
hi macin,
if i apply the crypto map on physical interface of GM then in KS i have to use the GM WAN ip in the"
crypto isakmp key xxxxx address 172.16.X.X "command which I was trying to avoid , because in this case the WAN IP should be advertise to the local network so that KS can reach it .
so I do not think It is going to work with only "local-address loopback" , anyway i will try it in the lab to see what happens in this case.
I hope you got what i was trying to do and thanks for your help once again
01-14-2013 03:53 AM
Ali,
Enabling local-address on crypto map has two-fold effect.
1) We will use this address as source of our IKE and IPsec communication.
2) If isakmp identity is set to address we will use address sepcified by local-address as IKE identity.
i.e. it's this filed (IKE ID) that you match against in keyrings (including the default) on responder side.
M.
01-14-2013 03:59 AM
Hi Macin ,
I tried that in the lab , the GETVPN will not come up if I only use " local-address loopback" while applying the crypto map on the WAN interface of the GM.
So, I think it can not be done with the loopback since that I can not apply the crypto map on the loopback .....
01-14-2013 04:07 AM
Ali,
How did it fail exactly?
can you share "debug crypto isakmp" from both sides?
M.
01-14-2013 08:06 AM
Hi Marcin
Attached is the configuration of the KS and two GMs
please note on the KS configuration :
crypto isakmp key amn123 address 10.40.247.110
crypto isakmp key amn123 address 10.150.247.102
10.40.247.110 & 10.150.247.102 are loopback of the GMs and this is what I want ...
also check the debug crypto iskmp from KS and GMs side.
01-14-2013 08:19 AM
Ali,
You're not even getting to the identity.
*Mar 1 00:41:59.159: ISAKMP:(0):no offers accepted!
*Mar 1 00:41:59.159: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.40.247.120 remote 10.40.247.110)
You don't have a matching isakmp policy on both sides.
M.
01-14-2013 08:36 AM
hi Marcin
Sorry for that , in my original test with loopback I was not missing the iskmp policy config , but when I did the configuration again for the sake of debug I removed the policy and paste it again , it seems that it missed IKE phase 1 part ...
I will correct that and do the test and debug again ..
Sent from Cisco Technical Support iPhone App
01-14-2013 10:30 PM
01-15-2013 09:31 AM
Hi Marcin
Rekeying is working now , I just re-generate the key on KS and I did some changes on the ACL to force the rekey
Thanks Marcin for the great help.
Ali
Sent from Cisco Technical Support iPad App
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: