
Re: IPSec (crypto map) on loopback ??

Hi Mitra,

I can see that you already have an answer for what you asked, but just to add my two cents here:

A crypto map is not supported on a Loopback. If you would like to use it as your VPN endpoint, then check this option:

crypto map local-address

HTH.

Portu.

Beginner

I just have an issue with this kind of problem. Just to be sure: you are saying that a Loopback interface cannot support a crypto map on it? There must be a "crypto map" command on a physical interface? Am I right? Is this correct?

Thank you.

Petar

Beginner

Re: IPSec (crypto map) on loopback ??

Can you please tell me what was changed?

In my case I need to have many IPSec VPNs and I thought the Loopback could be used as the source peer IP. But now I'm seeing that traffic can't be routed through the Loopback IP and that's the reason the tunnel is not coming up. Is there a way to do this?

Beginner

I think specifically I had some restrictions when I tried to perform that with an ASR and ended up having the crypto on the egress interfaces.

What I did was use two routers where the tunnels were in a VRF RIB.

I needed to add a VRF static route for the destination networks through the global IP next hop.

That's what suited my needs.

Beginner

I did not get this. Could you explain it to me further? Or send some config file, or copy your configuration here... That is the easiest way that I can think of...

Thank you.

Petar

Beginner

Hope this would assist.

! Loopback that the VPN is sourced from (the crypto map itself is NOT applied here)
interface Loopback1
 description ### LOOPBACK IPSEC ###
 ip address 95.95.95.1 255.255.255.255
!
! Keyring binds IKE to the loopback address while the map stays on the egress interface
crypto keyring KEYS-HOSTING-SJ
  local-address 95.95.95.1
  pre-shared-key address 63.63.63.1 key Re*kup#ha4Ha
!
crypto isakmp profile ISAKMP-HOSTING-SJ
   vrf VPN
   keyring KEYS-HOSTING-SJ
   match identity address 63.63.63.1 255.255.255.255
!
crypto ipsec transform-set TRANS_SET-HOSTING-SJ esp-aes esp-sha-hmac
 mode tunnel
!
crypto isakmp policy 9
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto map VPN_GENERIC-S2S 20 ipsec-isakmp
 description ### VPN S2S HOSTING-SJ ASA ###
 set peer 63.63.63.1
 set transform-set TRANS_SET-HOSTING-SJ
 set pfs group2
 set isakmp-profile ISAKMP-HOSTING-SJ
 match address IPSEC-VPN-ACL_HOSTING-SJ
!
! Interesting traffic for the tunnel
ip access-list extended IPSEC-VPN-ACL_HOSTING-SJ
 permit ip 10.23.0.0 0.0.255.255 10.10.2.0 0.0.0.255
!
! VRF static route to the remote subnet via the global next hop, withdrawn when track 102 fails
ip route vrf VPN 10.10.2.0 255.255.255.0 208.208.208.202 track 102 name SLA102-VPN_TU_US-SJWC-PROXY-SUBNET-NH-GLOBAL-ISP-1
!
! Reachability probe to the peer, sourced from the loopback
ip sla 102
 icmp-echo 63.63.63.1 source-ip 95.95.95.1
 tag VPN-TRACK-ROUTE102-TO-HOSTING-SJ
 threshold 3000
 frequency 5
ip sla schedule 102 life forever start-time now
ip sla reaction-configuration 102 react timeout threshold-type xOfy 2 5 action-type trapOnly
!
! Egress interface: this is where the crypto map is actually applied
interface GigabitEthernet0/0/0
 description ##### ISP : CROSS CONNECT 1 TO ISP-1 ###
 ip address 208.208.208.201 255.255.255.252
 ip flow ingress
 load-interval 30
 negotiation auto
 crypto map VPN_GENERIC-S2S

Once the tracking fails, the other router has the route in its routing table and it takes its place.
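As an added example (not from this thread or any poster), a small Python lint that reads an IOS-style config and flags the exact mistake discussed here: a crypto map bound under a Loopback interface. The two sample configs are constructed from the interface and map names used above; the `crypto map <name> local-address <interface>` form is the one Portu pointed to.

```python
import re
# Constructed sample of the mistake in this thread: the map is bound under the loopback.
BROKEN_CONFIG = """\
interface Loopback1
 ip address 95.95.95.1 255.255.255.255
 crypto map VPN_GENERIC-S2S
interface GigabitEthernet0/0/0
 ip address 208.208.208.201 255.255.255.252
"""

# Constructed sample of the working form: map on the egress interface, loopback
# named as the local address so IKE/IPsec is sourced from 95.95.95.1.
FIXED_CONFIG = """\
crypto map VPN_GENERIC-S2S local-address Loopback1
interface Loopback1
 ip address 95.95.95.1 255.255.255.255
interface GigabitEthernet0/0/0
 ip address 208.208.208.201 255.255.255.252
 crypto map VPN_GENERIC-S2S
"""

def interface_blocks(config):
    """Map each 'interface X' stanza to its indented sub-commands (IOS-style config)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level command ends the previous stanza
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
        elif current:
            blocks[current].append(line.strip())
    return blocks

def lint_crypto_maps(config):
    """Return (severity, message) findings for every crypto map bound to an interface."""
    local_addr = dict(re.findall(r"^crypto map (\S+) local-address (\S+)", config, re.M))
    findings = []
    for ifname, cmds in interface_blocks(config).items():
        for m in filter(None, (re.match(r"crypto map (\S+)$", c) for c in cmds)):
            cmap = m.group(1)
            if ifname.lower().startswith("loopback"):
                findings.append(("error", f"{cmap} on {ifname}: crypto map is not supported on a "
                                 f"loopback; bind it to the egress interface, 'crypto map {cmap} local-address {ifname}'"))
            elif cmap in local_addr:
                findings.append(("ok", f"{cmap} on {ifname} is sourced from {local_addr[cmap]}"))
            else:
                findings.append(("warn", f"{cmap} on {ifname} peers from the interface address"))
    return findings
```

Run it over a saved `show running-config` to catch the loopback binding before the tunnel is left waiting for an IKE exchange that never sources correctly.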

 

Beginner

Thank you... That was helpful...

Sincerely,

Petar

Beginner

Tell and please rate if it's working for ya :)

Beginner

It does not work for me, but I managed to find out why (based on your reply)... A crypto map has to be on a physical interface... I tried to put the crypto map under the loopback interface, but that does not work... I suspected that could be the problem, and your case convinced me...

Sincerely,

Petar