IPSec (crypto map) on loopback?

akpandey79
Level 1

Hi,

Can we have multiple crypto maps on Cisco routers using loopback addresses? We need this implementation because we have redundant paths and want to split subnets by using a separate crypto map for each subnet, and IPSec needs to be always up even if one of the links fails.

Thanks.

Akhilesh

23 Replies

Hi,

I've never done it, but I think that you should be able to do it as long as the loopback has a routable IP and is accessible from the VPN peers.

The restriction is that you cannot have multiple crypto maps applied to a single interface.

Federico.

Hi Federico,

I tried to simulate the same on a Cisco 3845 router by creating a loopback interface and applying one crypto map to one of the physical interfaces (connected to outside); IPSec works fine.

When I tried to apply the crypto map on the loopback interface, the tunnel is getting established (checked by the show crypto isakmp sa command) but no traffic is moving via the tunnel (show crypto ipsec sa), and I tried to route traffic via the loopback interface by configuring a default route also.

So can you suggest if some other commands are required?

Thanks.

Akhilesh.

My understanding is that the loopback is used by the crypto map for the router to identify itself to IPSec peers and is used for the SA (used as the local address for IPSec (and IKE) traffic originating from or destined to the interface), not for routing traffic!! The interfaces the crypto map is applied to should take care of that!

Francisco

I think specifically I had some restrictions when I tried to perform that with an ASR and ended up having the crypto on the egress interfaces.

What I did was use two routers where the tunnels were in a VRF RIB.

I needed to add a VRF static route for the destination networks through the global IP next hop.

That's what suited my needs.

AZaburdyayev
Level 1

Sorry for interrupting, but Akhilesh, can you show a working config? I'm trying to do the same thing: create an Access VPN on a loopback interface. If I apply the crypto map on the loopback, the VPN is established but data does not flow; if I apply the crypto map on the outside interface, the VPN is not established.

Yes,

As suggested, please post the configuration, because if you terminate the VPN on a loopback, in order for traffic to flow through the tunnel, the traffic should flow between the outside and inside interfaces (but going through the loopback as well).

Federico.

Francisco,

Agree 100%

What I'm saying is that if the loopback interface is configured incorrectly, the traffic might not be passing through.

The loopback does not route any traffic (we are clear), but the loopback has its own configuration that might affect the traffic.

Anyway, the intention is to check the configuration for any possible problem.

Federico.

Hey Federico,

Yes, you are right: if the loopback interface is configured incorrectly, then the traffic might not be passing through properly...

Francisco.

Hi,

I'm having the same issue, but with me, if I move the crypto map to the fa interface, which is set to DHCP because this is a lab, the tunnel establishes and I can ping across to the fa0/1 and lo0 interfaces.

Attached is the config for the lo interface; the tunnel establishes but no traffic goes over.

Please help.

Not sure why it zipped the file.

hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
memory-size iomem 15
!
dot11 syslog
ip source-route
!
ip cef
!
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 100
crypto isakmp profile ISAKMP_PROFILE_EZVPN
   vrf global
   match identity group vpnclient
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
   client configuration group vpnclient
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
 set transform-set myset
 set isakmp-profile ISAKMP_PROFILE_EZVPN
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile ISAKMP_PROFILE_EZVPN
 reverse-route
!
crypto map clientmap local-address Loopback0
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 192.168.4.22 255.255.255.255
 crypto map clientmap
!
interface Loopback1
 ip address 192.168.10.252 255.255.255.0
!
interface FastEthernet0/0
 ip address dhcp
 duplex full
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool ippool 192.168.1.1 192.168.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
logging esm config
access-list 100 permit ip any 192.168.10.0 0.0.0.255
access-list 100 permit ip any 10.10.10.0 0.0.0.255
!
route-map test permit 10
 set ip next-hop 10.10.10.1 10.10.10.2
!
control-plane
!
mgcp profile default
!
line con 0
line aux 0
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
end

The router is doing the auth also. And I am using the Cisco VPN client to connect to the router.

Not to worry, had another look and fixed the problem.

Which was?

Can you please post the working config?

You are lucky I still have this ... lol ...

Here you go, oh and the VRF part also works.

Router#sh run
Building configuration...

Current configuration : 2978 bytes
!
! Last configuration change at 09:38:43 UTC Tue May 10 2011 by cisco
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
memory-size iomem 15
!
dot11 syslog
ip source-route
!
ip cef
!
ip vrf VRF_EZVPN
 rd 36968:2
 route-target export 36968:2
 route-target import 36968:2
!
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
crypto isakmp profile ISAKMP_PROFILE_EZVPN
   vrf global
   match identity group vpnclient
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
   client configuration group vpnclient
   virtual-template 1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
 set transform-set myset
 set isakmp-profile ISAKMP_PROFILE_EZVPN
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile ISAKMP_PROFILE_EZVPN
 reverse-route
!
crypto map clientmap local-address Loopback0
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 192.168.4.22 255.255.255.255
 crypto map clientmap
!
interface Loopback1
 ip address 192.168.10.252 255.255.255.0
!
interface Loopback3
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address dhcp
 duplex full
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool ippool 192.168.1.1 192.168.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
logging esm config
access-list 100 permit ip any 192.168.10.0 0.0.0.255
access-list 100 permit ip any 10.10.10.0 0.0.0.255
!
route-map test permit 10
 set ip next-hop 10.10.10.1 10.10.10.2
!
control-plane
!
mgcp profile default
!
line con 0
line aux 0
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
end
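A way to pin down exactly what changed between the non-working config and the working one posted above, as an added example that is not code from this thread or from Cisco: a small Python parser that splits an IOS running-config into top-level commands and their indented sub-commands, diffs the two section by section, and flags tunnel-mode interfaces that have no IP address (the poster's Virtual-Template1 had `no ip address` while the tunnel came up but carried nothing). The two config excerpts are constructed from the thread's posts, trimmed to the relevant sections and with IOS's normal sub-command indentation restored; the function names are mine.

```python
"""Section-level diff of two Cisco IOS config excerpts (added example)."""
from typing import Dict, List, Tuple

# Constructed excerpt of the non-working config: crypto map on Loopback0,
# tunnel established, no traffic. Indentation restored from the post.
BROKEN_CONFIG = """\
crypto isakmp client configuration group vpnclient
 key cisco123
 pool ippool
 acl 100
crypto isakmp profile ISAKMP_PROFILE_EZVPN
   vrf global
   match identity group vpnclient
   client configuration address respond
crypto map clientmap local-address Loopback0
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
 ip address 192.168.4.22 255.255.255.255
 crypto map clientmap
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
ip route 0.0.0.0 0.0.0.0 192.168.0.1
"""

# Constructed excerpt of the working config for the same sections.
WORKING_CONFIG = """\
crypto isakmp client configuration group vpnclient
 key cisco123
 pool ippool
crypto isakmp profile ISAKMP_PROFILE_EZVPN
   vrf global
   match identity group vpnclient
   client configuration address respond
   virtual-template 1
crypto map clientmap local-address Loopback0
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
 ip address 192.168.4.22 255.255.255.255
 crypto map clientmap
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
"""

Sections = Dict[str, List[str]]
Change = Tuple[str, str, List[str], List[str]]  # kind, section, removed, added


def parse_ios_config(text: str) -> Sections:
    """Map each top-level command to its indented sub-commands.

    IOS expresses hierarchy only through leading whitespace; '!' lines are
    separators that carry no configuration, so they are skipped.
    """
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def diff_sections(before: Sections, after: Sections) -> List[Change]:
    """Return one (kind, section, removed, added) tuple per differing section;
    kind is 'added', 'removed' or 'changed'. Sub-command order is ignored."""
    changes: List[Change] = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            changes.append(("added", key, [], after[key]))
        elif key not in after:
            changes.append(("removed", key, before[key], []))
        else:
            removed = [c for c in before[key] if c not in after[key]]
            added = [c for c in after[key] if c not in before[key]]
            if removed or added:
                changes.append(("changed", key, removed, added))
    return changes


def tunnel_interfaces_without_ip(sections: Sections) -> List[str]:
    """Tunnel-mode interfaces configured with 'no ip address'.

    An interface with no IP address (and not unnumbered) is not IP-enabled,
    so a tunnel terminating on it can negotiate its SAs and still forward
    nothing, which is the symptom reported in the thread.
    """
    return [
        key for key, children in sections.items()
        if key.startswith("interface ")
        and any(c.startswith("tunnel ") for c in children)
        and "no ip address" in children
    ]


if __name__ == "__main__":
    before = parse_ios_config(BROKEN_CONFIG)
    after = parse_ios_config(WORKING_CONFIG)
    for kind, section, removed, added in diff_sections(before, after):
        print(f"{kind:8} {section}")
        for c in removed:
            print(f"         - {c}")
        for c in added:
            print(f"         + {c}")
    print("tunnel interfaces without IP:", tunnel_interfaces_without_ip(before))
```

Running it lists three changed sections (the client group loses `acl 100`, the ISAKMP profile gains `virtual-template 1`, and Virtual-Template1 swaps `no ip address` for `ip unnumbered Loopback0`) plus the dropped static default route, and names Virtual-Template1 as the tunnel interface with no IP in the broken config. The parser is deliberately minimal: it keys on the exact top-level command text and ignores sub-command order, which is enough for spotting what a working config added or removed but not for validating command syntax.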

Great!

Thanks
