05-07-2010 12:24 PM - edited 02-21-2020 04:38 PM
Hi,
Can we have multiple crypto maps on Cisco routers using loopback addresses? We need this implementation because we have redundant paths and want to split subnets by using a separate crypto map for each subnet, and IPSec to be always up even if one of the links fails.
Thanks.
Akhilesh
05-07-2010 12:33 PM
Hi,
I've never done it, but I think that you should be able to do it as long as the loopback has a routable IP and is accessible from the VPN peers.
The restriction is that you cannot have multiple crypto maps applied to a single interface.
Federico.
05-07-2010 01:05 PM
Hi Federico,
I tried to simulate the same on a Cisco 3845 router by creating a loopback interface and applying one crypto map to one of the physical interfaces (connected to outside); IPSec works fine.
When I tried to apply the crypto map on the loopback interface, the tunnel is getting established (checked by the show crypto isakmp sa command) but no traffic is moving via the tunnel (show crypto ipsec sa), and I tried to route traffic via the loopback interface by configuring a default route also.
So can you suggest if some other commands are required?
Thanks.
Akhilesh.
05-12-2010 09:35 AM
My understanding is that the loopback is used by the crypto map for the router to identify itself to IPSec peers and is used for the SA (used as the local address for IPSec (and IKE) traffic originating from or destined to the interface), not for routing traffic!! The interfaces the crypto map is applied to should take care of that!
Francisco
06-26-2014 04:16 AM
I think specifically I had some restrictions when I tried to perform that with an ASR and ended up having the crypto on the egress interfaces.
What I did was use two routers where the tunnels were in a VRF RIB.
I needed to add a VRF static route for the destination networks through the global IP next hop.
That's what suited my needs.
05-12-2010 12:27 AM
Sorry for interrupting, but Akhilesh, can you show a working config? I'm trying to do the same thing: create an Access VPN on a loopback interface. If I apply the crypto map on the loopback, the VPN is established but data does not flow; if I apply the crypto map on the outside interface, the VPN is not established.
05-12-2010 08:38 AM
Yes,
As suggested please post the configuration because if you terminate the VPN on a loopback, in order for traffic to flow through the tunnel, the traffic should flow between the outside and inside interfaces (but going through the loopback as well).
Federico.
05-12-2010 11:28 AM
Francisco,
Agree 100%
What I'm saying is that if the loopback interface is configured incorrectly, the traffic might not be passing through.
The loopback does not route any traffic (we are clear), but the loopback has its own configuration that might affect the traffic.
Anyway, the intention is to check the configuration for any possible problem.
Federico.
05-13-2010 04:40 AM
Hey Federico,
Yes, you are right: if the loopback interface is configured incorrectly, then the traffic might not be passing through properly...
Francisco.
05-10-2011 01:25 AM
Hi,
I'm having the same issue, but with me, if I move the crypto map to the fa interface, which is set to DHCP because this is a lab, the tunnel establishes and I can ping across to the fa0/1 and lo0 interfaces.
Attached is the config with the crypto map on the lo interface; the tunnel establishes but no traffic goes over.
Please help.
05-10-2011 01:51 AM
Not sure why it zipped the file,
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 15
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
acl 100
crypto isakmp profile ISAKMP_PROFILE_EZVPN
vrf global
match identity group vpnclient
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
client configuration group vpnclient
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
set transform-set myset
set isakmp-profile ISAKMP_PROFILE_EZVPN
!
!
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile ISAKMP_PROFILE_EZVPN
reverse-route
!
!
crypto map clientmap local-address Loopback0
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback0
ip address 192.168.4.22 255.255.255.255
crypto map clientmap
!
interface Loopback1
ip address 192.168.10.252 255.255.255.0
!
interface FastEthernet0/0
ip address dhcp
duplex full
speed auto
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool ippool 192.168.1.1 192.168.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
logging esm config
access-list 100 permit ip any 192.168.10.0 0.0.0.255
access-list 100 permit ip any 10.10.10.0 0.0.0.255
!
!
!
!
route-map test permit 10
set ip next-hop 10.10.10.1 10.10.10.2
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
end
The router is doing the auth also, and I am using the Cisco VPN client to connect to the router.
05-10-2011 01:54 AM
Not to worry, had another look and fixed the problem.
03-18-2013 02:30 AM
Which was?
Can you please post the working config?
03-18-2013 02:39 AM
You are lucky I still have this ... lol ...
Here you go, oh and the VRF part also works.
Router#sh run
Building configuration...
Current configuration : 2978 bytes
!
! Last configuration change at 09:38:43 UTC Tue May 10 2011 by cisco
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 15
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip vrf VRF_EZVPN
rd 36968:2
route-target export 36968:2
route-target import 36968:2
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
crypto isakmp profile ISAKMP_PROFILE_EZVPN
vrf global
match identity group vpnclient
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
client configuration group vpnclient
virtual-template 1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
set transform-set myset
set isakmp-profile ISAKMP_PROFILE_EZVPN
!
!
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile ISAKMP_PROFILE_EZVPN
reverse-route
!
!
crypto map clientmap local-address Loopback0
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback0
ip address 192.168.4.22 255.255.255.255
crypto map clientmap
!
interface Loopback1
ip address 192.168.10.252 255.255.255.0
!
interface Loopback3
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address dhcp
duplex full
speed auto
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool ippool 192.168.1.1 192.168.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
logging esm config
access-list 100 permit ip any 192.168.10.0 0.0.0.255
access-list 100 permit ip any 10.10.10.0 0.0.0.255
!
!
!
!
route-map test permit 10
set ip next-hop 10.10.10.1 10.10.10.2
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
end
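The two configs posted in this thread are the only record of what changed between "tunnel up, no traffic" and "working". As an added example (not from the thread, not Cisco tooling), the script below is a small section-aware lint for IOS configs that checks the points raised above: Federico's rule that an interface can carry only one crypto map, Francisco's point that the crypto map local-address is only an identity and must name an interface that actually holds an address, and the two lines that differ between the posted configs (the virtual-template binding under the ISAKMP profile and the address on the Virtual-Template interface). The embedded configs are abbreviated reconstructions of the posted ones; the checks are derived from the diff and from IOS behaviour, not from any statement in the thread about which line fixed it.

```python
"""Section-aware lint for Cisco IOS crypto-map configs (added example, not Cisco's
own tooling). Flags the points raised in this thread and diffs two configs."""
import re

# Abbreviated reconstruction of the non-working config posted in this thread.
NOT_WORKING = """\
crypto isakmp profile ISAKMP_PROFILE_EZVPN
 vrf global
 match identity group vpnclient
crypto ipsec profile IPSEC_PROFILE_EZVPN
 set transform-set myset
 set isakmp-profile ISAKMP_PROFILE_EZVPN
crypto map clientmap local-address Loopback0
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
 ip address 192.168.4.22 255.255.255.255
 crypto map clientmap
interface FastEthernet0/0
 ip address dhcp
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
"""
# The working config posted later differs from it in exactly these two lines.
WORKING = NOT_WORKING.replace(
    " match identity group vpnclient\n", " match identity group vpnclient\n virtual-template 1\n"
).replace(" no ip address\n", " ip unnumbered Loopback0\n")


def parse_ios(text):
    """Split an IOS config into (header, [indented child lines]) blocks.
    '!' lines are separators; an unindented line starts a new block."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_crypto(text):
    """Return human-readable findings; an empty list means every check passed."""
    blocks = parse_ios(text)
    findings = []
    ifaces = {h.split()[1]: kids for h, kids in blocks if h.startswith("interface ")}
    isakmp = {h.split()[3]: kids for h, kids in blocks if h.startswith("crypto isakmp profile ")}
    isakmp_of_ipsec = {}  # IPsec profile name -> ISAKMP profile it references
    for h, kids in blocks:
        m = re.match(r"crypto ipsec profile (\S+)", h)
        if m:
            for k in kids:
                if k.startswith("set isakmp-profile "):
                    isakmp_of_ipsec[m.group(1)] = k.split()[2]
    for name, kids in ifaces.items():
        # (a) IOS allows only one crypto map per interface.
        maps = [k.split()[2] for k in kids if k.startswith("crypto map ")]
        if len(maps) > 1:
            findings.append(f"{name}: more than one crypto map applied ({', '.join(maps)})")
        # (b) A virtual-template needs an address, and its ISAKMP profile must bind to it.
        vt = re.match(r"Virtual-Template(\d+)$", name)
        if not vt:
            continue
        if not any(k.startswith(("ip address ", "ip unnumbered ")) for k in kids):
            findings.append(f"{name}: no 'ip address' or 'ip unnumbered'; it cannot forward IP")
        for k in kids:
            if k.startswith("tunnel protection ipsec profile "):
                ipsec_prof = k.split()[4]
                prof = isakmp_of_ipsec.get(ipsec_prof)
                binding = f"virtual-template {vt.group(1)}"
                if prof and binding not in isakmp.get(prof, []):
                    findings.append(f"crypto isakmp profile {prof}: missing '{binding}' "
                                    f"although {name} uses ipsec profile {ipsec_prof}")
    # (c) local-address is an identity only; it must still name an interface with an address.
    for h, _ in blocks:
        m = re.match(r"crypto map (\S+) local-address (\S+)", h)
        if m and not any(k.startswith("ip address ") for k in ifaces.get(m.group(2), [])):
            findings.append(f"crypto map {m.group(1)}: local-address {m.group(2)} has no IP address")
    return findings


def diff_sections(old, new):
    """Return (only_in_old, only_in_new) as sorted 'header | child' strings."""
    def flat(text):
        return {f"{h} | {k}" for h, kids in parse_ios(text) for k in kids}
    a, b = flat(old), flat(new)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for label, cfg in (("non-working", NOT_WORKING), ("working", WORKING)):
        print(label, lint_crypto(cfg) or ["no findings"])
    print(diff_sections(NOT_WORKING, WORKING))
```

Run against a real `show run` saved to a file, the parser relies on IOS's one-space indentation of subcommands, which the copy pasted into this thread lost; paste from the terminal or a config backup rather than from the forum. The section diff is the quicker tool when a working and a non-working box both exist, since it reports differences per block instead of per line.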
03-18-2013 02:41 AM
Great!
Thanks