04-22-2020 01:52 AM
Both R6 and R3 use Loopback0 interface to establish IPSec VPN.
R7 is the intranet of R6, R4 is the intranet of R3, and the two devices need to communicate through VPN.
The specific configuration is as follows:
R6
interface Ethernet0/2
ip address 26.26.26.6 255.255.255.0
!
interface Loopback0
ip address 6.6.6.6 255.255.255.0
crypto map TEST
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
lifetime 3600
crypto isakmp key CCIE-74 address 3.3.3.3
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
mode tunnel
crypto map TEST 10 ipsec-isakmp
set peer 3.3.3.3
set transform-set CISCO
match address 101
!
access-list 101 permit ip 192.168.67.0 0.0.0.255 192.168.34.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 26.26.26.2
ip route 192.168.34.0 255.255.255.0 Loopback0
R2
interface Ethernet0/0
ip address 23.23.23.2 255.255.255.0
!
interface Ethernet0/2
ip address 26.26.26.2 255.255.255.0
!
ip route 3.3.3.0 255.255.255.0 23.23.23.3
ip route 6.6.6.0 255.255.255.0 26.26.26.6
R3
interface Ethernet0/0
ip address 23.23.23.3 255.255.255.0
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
crypto map TEST
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
lifetime 3600
crypto isakmp key CCIE-74 address 6.6.6.6
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
mode tunnel
crypto map TEST 10 ipsec-isakmp
set peer 6.6.6.6
set transform-set CISCO
match address 101
!
access-list 101 permit ip 192.168.34.0 0.0.0.255 192.168.67.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 23.23.23.2
ip route 192.168.67.0 255.255.255.0 Loopback0
With the above configuration, I found that R6 and R3 cannot establish the IPSec VPN. Is it an IPSec VPN configuration problem?
04-22-2020 02:23 AM
Hi,
If you wish to establish a VPN tunnel using a loopback interface as the source peer address, use the command "local-address" to define the source interface. The crypto map should be applied to the physical interface and not the loopback; a static route via the loopback is not required either. Example:
crypto map TEST local-address Loopback0
interface Ethernet0/2
crypto map TEST
interface Loopback0
no crypto map TEST
no ip route 192.168.34.0 255.255.255.0 Loopback0
Repeat the commands on the other router.
HTH
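For reference, the complete corrected configuration for both routers, as an added example that is not part of the original post or the answer above. It applies the crypto map to the physical interface, sources the tunnel from Loopback0 with "local-address", and drops the static routes via the loopback (the default route already reaches the remote subnet; the remote /24 is caught by the crypto ACL and encrypted). The posted ISAKMP/IPsec parameters are kept unchanged for fidelity; 3DES, MD5 and DH group 5 are legacy and in a real deployment should be replaced with AES, SHA-2 and DH group 14 or higher. The routes from R6 to 192.168.67.0/24 (towards R7) and from R3 to 192.168.34.0/24 (towards R4) are not shown on the page and are assumed to exist via directly connected or separately configured links.

```cisco
! ===== R6 (corrected; added example, not from the original post) =====
interface Loopback0
 ip address 6.6.6.6 255.255.255.0
 ! no crypto map here: a loopback never forwards transit traffic
!
interface Ethernet0/2
 ip address 26.26.26.6 255.255.255.0
 crypto map TEST
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
! pre-shared key is bound to the peer's loopback, which is its IKE source
crypto isakmp key CCIE-74 address 3.3.3.3
!
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
 mode tunnel
!
! source IKE/IPsec from Loopback0 even though the map sits on Ethernet0/2
crypto map TEST local-address Loopback0
crypto map TEST 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set CISCO
 match address 101
!
! crypto ACL: local intranet -> remote intranet (mirror image on R3)
access-list 101 permit ip 192.168.67.0 0.0.0.255 192.168.34.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 26.26.26.2
! (route to 192.168.67.0/24 via the R7 link is assumed; not shown on the page)

! ===== R3 (corrected; added example, not from the original post) =====
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/0
 ip address 23.23.23.3 255.255.255.0
 crypto map TEST
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key CCIE-74 address 6.6.6.6
!
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
 mode tunnel
!
crypto map TEST local-address Loopback0
crypto map TEST 10 ipsec-isakmp
 set peer 6.6.6.6
 set transform-set CISCO
 match address 101
!
access-list 101 permit ip 192.168.34.0 0.0.0.255 192.168.67.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 23.23.23.2
! (route to 192.168.34.0/24 via the R4 link is assumed; not shown on the page)
```

R2 needs no change: its existing static routes for 3.3.3.0/24 and 6.6.6.0/24 are what carry the loopback-sourced IKE and ESP traffic between the peers. After generating interesting traffic (for example a ping sourced from 192.168.67.x to 192.168.34.x), "show crypto isakmp sa" should list the peer pair 6.6.6.6/3.3.3.3 in state QM_IDLE, and "show crypto ipsec sa" should show the encaps/decaps counters increasing on both sides; if the ISAKMP SA never forms, "debug crypto isakmp" will show whether the packets are arriving with the expected loopback source.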
04-22-2020 08:39 AM
Thank you very much for your help; it works with that configuration!
I have another question:
If I only want to apply the crypto map TEST under the Loopback0 interface, and both R6 and R3 statically map UDP ports 500 and 4500 of their respective Loopback0 to their respective public network interfaces, do you think this approach could establish the VPN?