Can we have multiple crypto maps on Cisco routers using loopback addresses? We need this implementation because we have redundant paths and want to split subnets by using a separate crypto map for each subnet, and IPsec to be always up even if one of the links fails.
I can see that you already have an answer for what you asked, but just to add my two cents here:
A crypto map is not supported on a Loopback; if you would like to use it as your VPN endpoint, then check this option:
I just have an issue with this kind of problem. Just to be sure: you are saying that a Loopback interface cannot support a crypto map on it? There must be a "crypto map" command on a physical interface? Am I right? Is this correct?
Can you please tell me what was changed?
In my case I need to have many IPsec VPNs and I thought a Loopback could be used as the source peer IP. But now I'm seeing that traffic can't be routed through the Loopback IP, and that's the reason the tunnel is not coming up. Is there a way to do this?
I think specifically I had some restrictions when I tried to perform that with an ASR and ended up having the crypto on the egress interfaces.
What I did was use two routers where the tunnels were in a VRF RIB.
I needed to add a VRF static route for the destination networks through the global IP next hop.
That's what suited my needs.
I did not get this. Could you explain it to me further? Or send some config file, or copy your configuration here... That is the easiest way that I can think of...
Hope this would assist.
description ### LOOPBACK IPSEC ###
ip address 22.214.171.124 255.255.255.255
!
crypto keyring KEYS-HOSTING-SJ
 pre-shared-key address 126.96.36.199 key Re*kup#ha4Ha
!
crypto isakmp profile ISAKMP-HOSTING-SJ
 match identity address 188.8.131.52 255.255.255.255
!
crypto ipsec transform-set TRANS_SET-HOSTING-SJ esp-aes esp-sha-hmac
!
crypto isakmp policy 9
!
crypto map VPN_GENERIC-S2S 20 ipsec-isakmp
 description ### VPN S2S HOSTING-SJ ASA ###
 set peer 184.108.40.206
 set transform-set TRANS_SET-HOSTING-SJ
 set pfs group2
 set isakmp-profile ISAKMP-HOSTING-SJ
 match address IPSEC-VPN-ACL_HOSTING-SJ
!
ip access-list extended IPSEC-VPN-ACL_HOSTING-SJ
 permit ip 10.23.0.0 0.0.255.255 10.10.2.0 0.0.0.255
!
ip route vrf VPN 10.10.2.0 255.255.255.0 220.127.116.11 track 102 name SLA102-VPN_TU_US-SJWC-PROXY-SUBNET-NH-GLOBAL-ISP-1
!
ip sla 102
 icmp-echo 18.104.22.168 source-ip 22.214.171.124
ip sla schedule 102 life forever start-time now
ip sla reaction-configuration 102 react timeout threshold-type xOfy 2 5 action-type trapOnly
!
description ##### ISP : CROSS CONNECT 1 TO ISP-1 ###
ip address 126.96.36.199 255.255.255.252
ip flow ingress
crypto map VPN_GENERIC-S2S
Once the tracking fails, the other router has the route in its routing table and it takes its place.
It does not work for me, but I managed to find out why (based on your reply)... The crypto map has to be on a physical interface... I tried to put the crypto map under the loopback interface, but that does not work... I suspected that could be a problem, and your case convinced me...
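As an added example (not posted by anyone in this thread), a small Python check that parses IOS interface blocks and flags a crypto map applied to a Loopback, the unsupported placement the thread ends on; the interface names and addresses in the sample config are constructed, not taken from the configuration above.

```python
import re

# Constructed sample modelled on the config in this thread, with the
# unsupported "crypto map on a Loopback" mistake deliberately included.
SAMPLE_CONFIG = """\
interface Loopback100
 description ### LOOPBACK IPSEC ###
 ip address 192.0.2.1 255.255.255.255
 crypto map VPN_GENERIC-S2S
!
interface GigabitEthernet0/0
 description ##### ISP : CROSS CONNECT 1 TO ISP-1 ###
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN_GENERIC-S2S
!
"""

def parse_interfaces(config):
    """Return {interface_name: [child commands]} for every 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return blocks

def audit_crypto_maps(config):
    """List (interface, crypto map, status) for every applied crypto map.
    A Loopback placement is flagged: IOS only accepts the crypto map on
    the physical egress interface, so that tunnel will never come up."""
    findings = []
    for name, children in parse_interfaces(config).items():
        for child in children:
            m = re.match(r"crypto map (\S+)", child)
            if m and name.lower().startswith("loopback"):
                findings.append((name, m.group(1), "UNSUPPORTED: crypto map on Loopback"))
            elif m:
                findings.append((name, m.group(1), "ok"))
    return findings

if __name__ == "__main__":
    for iface, cmap, status in audit_crypto_maps(SAMPLE_CONFIG):
        print(f"{iface:<22} {cmap:<20} {status}")
```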