IPSec VPN problem

TriAngel

[image: 123.png]

Both R6 and R3 use their Loopback0 interface to establish the IPSec VPN.
R7 is the intranet of R6 and R4 is the intranet of R3; the two devices need to communicate through the VPN.
The specific configuration is as follows:

R6
interface Ethernet0/2
 ip address 26.26.26.6 255.255.255.0
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.0
 crypto map TEST
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key CCIE-74 address 3.3.3.3
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
 mode tunnel
crypto map TEST 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set CISCO
 match address 101
!
access-list 101 permit ip 192.168.67.0 0.0.0.255 192.168.34.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 26.26.26.2
ip route 192.168.34.0 255.255.255.0 Loopback0

R2
interface Ethernet0/0
 ip address 23.23.23.2 255.255.255.0
!
interface Ethernet0/2
 ip address 26.26.26.2 255.255.255.0
!
ip route 3.3.3.0 255.255.255.0 23.23.23.3
ip route 6.6.6.0 255.255.255.0 26.26.26.6

R3
interface Ethernet0/0
 ip address 23.23.23.3 255.255.255.0
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 crypto map TEST
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key CCIE-74 address 6.6.6.6
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
 mode tunnel
crypto map TEST 10 ipsec-isakmp
 set peer 6.6.6.6
 set transform-set CISCO
 match address 101
!
access-list 101 permit ip 192.168.34.0 0.0.0.255 192.168.67.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 23.23.23.2
ip route 192.168.67.0 255.255.255.0 Loopback0

With the above configuration, I found that R6 and R3 cannot establish the IPSec VPN normally. Is it an IPSec VPN configuration problem?

CCIE #62933
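Before touching the routers, the two configurations can be cross-checked as text for the classic site-to-site mistakes. The script below is an added example, not part of the original post: it parses only the peering-relevant lines of the R6/R3 configs above (constructed inline, with R3 derived as the mirror image of R6), checks that each side's IKE source is what the far side expects as `set peer` and pre-shared key address, that the crypto ACLs mirror each other, that the crypto map is not sitting on a loopback, and that the remote LAN is not routed into the loopback. `parse`, `check`, `apply_answer` and `audit` are names chosen here, and the IOS syntax recognised is limited to the commands used in this thread.

```python
"""Cross-check two IOS crypto-map configs for the mistakes in this thread (added example)."""
import ipaddress
import re

# Constructed from the question's R6 config, cut to the lines that matter for peering.
R6 = """\
interface Ethernet0/2
 ip address 26.26.26.6 255.255.255.0
interface Loopback0
 ip address 6.6.6.6 255.255.255.0
 crypto map TEST
crypto isakmp key CCIE-74 address 3.3.3.3
crypto map TEST 10 ipsec-isakmp
 set peer 3.3.3.3
 match address 101
access-list 101 permit ip 192.168.67.0 0.0.0.255 192.168.34.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 26.26.26.2
ip route 192.168.34.0 255.255.255.0 Loopback0
"""


def mirror(cfg, pairs):
    """Swap each (a, b) pair in cfg to produce the far side's config."""
    for a, b in pairs:
        cfg = cfg.replace(a, "\0").replace(b, a).replace("\0", b)
    return cfg


R3 = mirror(R6, [("Ethernet0/2", "Ethernet0/0"), ("26.26.26.6", "23.23.23.3"),
                 ("26.26.26.2", "23.23.23.2"), ("6.6.6.6", "3.3.3.3"),
                 ("192.168.67.0", "192.168.34.0")])


def parse(cfg):
    """Pull out the fields an IKE phase-1 failure usually comes down to."""
    c = dict(intf={}, local_address=None, peers=[], keys=set(), acl={}, routes=[], match_acl=None)
    cur = None
    for line in cfg.splitlines():
        s = line.strip()
        if not line.startswith(" "):                        # global command: new context
            cur = None
            if m := re.match(r"interface (\S+)", s):
                cur = c["intf"].setdefault(m[1], {"ip": None, "map": None})
            elif m := re.match(r"crypto map \S+ local-address (\S+)", s):
                c["local_address"] = m[1]
            elif m := re.match(r"crypto isakmp key \S+ address (\S+)", s):
                c["keys"].add(m[1])
            elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", s):
                c["acl"].setdefault(m[1], []).append(m.groups()[1:])
            elif m := re.match(r"ip route (\S+) (\S+) (\S+)", s):
                c["routes"].append(m.groups())
        elif cur is not None:                                # interface sub-command
            if m := re.match(r"ip address (\S+)", s):
                cur["ip"] = m[1]
            elif m := re.match(r"crypto map (\S+)", s):
                cur["map"] = m[1]
        elif m := re.match(r"set peer (\S+)", s):            # crypto map entry sub-commands
            c["peers"].append(m[1])
        elif m := re.match(r"match address (\S+)", s):
            c["match_acl"] = m[1]
    return c


def check(local, remote):
    """Findings for `local`, given what the far side (`remote`) expects of it."""
    out = []
    mapped = [n for n, i in local["intf"].items() if i["map"]]
    if any(n.lower().startswith("loopback") for n in mapped):
        out.append("crypto map is applied to a loopback; put it on the physical interface and use local-address")
    src = local["local_address"] or (mapped[0] if mapped else None)
    src_ip = local["intf"].get(src, {}).get("ip")            # address IKE will be sourced from
    if src_ip is None:
        out.append("crypto map is not applied to any interface")
    elif src_ip not in remote["peers"] or src_ip not in remote["keys"]:
        out.append(f"far side has no 'set peer' / pre-shared key for IKE source {src_ip}")
    l_acl, r_acl = (x["acl"].get(x["match_acl"], []) for x in (local, remote))
    if set(l_acl) != {(d, dw, s, sw) for s, sw, d, dw in r_acl}:
        out.append("crypto ACL is not the mirror image of the far side's crypto ACL")
    for _, _, d, dw in l_acl:                                 # remote LAN routed into the loopback?
        lan = ipaddress.ip_network(f"{d}/{dw}")               # ipaddress accepts a wildcard (host) mask
        for prefix, mask, nh in local["routes"]:
            if ipaddress.ip_network(f"{prefix}/{mask}") == lan and nh.lower().startswith("loopback"):
                out.append(f"{lan} is routed into {nh} instead of toward the peer")
    return out


def apply_answer(cfg, phys, cmap="TEST", lo="Loopback0"):
    """The accepted answer as text edits: map off the loopback and onto the physical
    interface, LAN route via the loopback removed, local-address added."""
    cfg = re.sub(rf"(interface {lo}\n ip address \S+ \S+)\n crypto map {cmap}", r"\1", cfg)
    cfg = re.sub(rf"(interface {re.escape(phys)}\n ip address \S+ \S+)", rf"\1\n crypto map {cmap}", cfg)
    cfg = re.sub(rf"ip route \S+ \S+ {lo}\n", "", cfg)
    return cfg + f"crypto map {cmap} local-address {lo}\n"


def audit(cfg_a, cfg_b):
    a, b = parse(cfg_a), parse(cfg_b)
    return check(a, b), check(b, a)
```

`audit(R6, R3)` reports two findings per router on the configs as posted (the map on Loopback0 and the remote LAN routed into Loopback0), and nothing once `apply_answer` has been run on both sides. The peer/key check is there because the same symptom (phase 1 never starts) also appears when `local-address` is set but the far side still binds its pre-shared key to the physical address.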
Accepted Solution

Hi,

If you wish to establish a VPN tunnel using a loopback interface as the source peer address, use the command "local-address" to define the source interface. The crypto map would be applied to the physical interface and not the loopback; a static route via the loopback is not required either. Example:

crypto map TEST local-address Loopback0

interface Ethernet0/2
 crypto map TEST

interface Loopback0
 no crypto map TEST

no ip route 192.168.34.0 255.255.255.0 Loopback0

Repeat the commands on the other router.

HTH

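For a reader who wants the whole picture rather than the fragments, here is R6 with the accepted answer folded in, written as the commands you would enter. This is an added example, not the thread's own text; R3 is the mirror image. The verification commands at the end are the standard IOS checks, and the stronger algorithms suggested in the comments are a production recommendation that the thread itself does not discuss.

```cisco
! R6 with the accepted answer applied. R3 is the mirror image: swap 6.6.6.6 and
! 3.3.3.3, use Ethernet0/0 with next hop 23.23.23.2, and reverse ACL 101.
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
! 3DES / MD5 / DH group 5 are kept only to match the thread. On a current image
! prefer, for example:  encr aes 256  /  hash sha256  /  group 14
! (and esp-aes 256 esp-sha256-hmac in the transform set).
crypto isakmp key CCIE-74 address 3.3.3.3
!
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
 mode tunnel
!
! IKE and ESP are sourced from Loopback0. This is global for crypto map TEST,
! so every peer of this map sees 6.6.6.6, not the Ethernet0/2 address.
crypto map TEST local-address Loopback0
crypto map TEST 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set CISCO
 match address 101
!
access-list 101 permit ip 192.168.67.0 0.0.0.255 192.168.34.0 0.0.0.255
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.0
 no crypto map TEST
!
! The map belongs on the interface the packets actually leave and enter through.
interface Ethernet0/2
 ip address 26.26.26.6 255.255.255.0
 crypto map TEST
!
! Routing: both the peer (3.3.3.3) and the remote LAN are reached through the
! default route via R2; the static route that sent 192.168.34.0/24 into the
! loopback is removed.
no ip route 192.168.34.0 255.255.255.0 Loopback0
ip route 0.0.0.0 0.0.0.0 26.26.26.2
!
! Verification, after sending interesting traffic (e.g. R7 -> R4):
! show crypto map                    ! "Interfaces using crypto map TEST: Ethernet0/2"
! show crypto isakmp sa              ! 3.3.3.3 <-> 6.6.6.6 in state QM_IDLE
! show crypto ipsec sa peer 3.3.3.3  ! #pkts encaps / decaps counting up
! debug crypto isakmp                ! if phase 1 still does not come up
```

Two things worth knowing about `local-address`: it is a property of the whole crypto map, so every peer of TEST is addressed from 6.6.6.6 and must bind its pre-shared key to that address; and because the map now sits on Ethernet0/2, inbound IKE and ESP destined to 6.6.6.6 arrive on Ethernet0/2 and are matched by the map there, which is why R2's route for 6.6.6.0/24 toward 26.26.26.6 (and for 3.3.3.0/24 toward 23.23.23.3) matters.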

4 Replies

Thank you very much for your help; it works with that kind of configuration!
I have another question:
If I only want to apply the crypto map TEST under the Loopback0 interface, and both R6 and R3 statically map UDP ports 500 and 4500 of their respective Loopback0 to their respective public-network interfaces, do you think this approach can establish the VPN?


CCIE #62933

You don't define the crypto map under the loopback interface, if that's what you meant; it has to be defined under the physical interface.

The configuration I provided will allow you to establish a tunnel sourced from the loopback interface. Any VPN terminated on the router will peer with the loopback interface, as the command is configured globally, not per peer.