03-12-2001 05:36 AM - edited 02-21-2020 11:18 AM
We want to establish IPsec tunnels between VPN clients and a central internet router (7xxx). Is it possible to use a loopback interface with a private IP address as the tunnel endpoint (where we set the 'crypto map' reference)?
Happy to hear from you.
jo
03-16-2001 06:20 AM
Why not use a normal interface?
Remember the 1720 is going to encrypt interesting traffic that matches your access list; if the traffic doesn't attempt to move through loopback 0, then your traffic won't be encrypted. Think of the 1720 as a PIX: you have an untrusted interface, and the traffic leaving that interface must be encrypted from prying eyes to your peer.
03-18-2001 12:41 PM
I think this would lead you into a restriction on the choice of transform set (because of NAT) to ESP only, and you cannot overload the NAT.
http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html
explains the problems of using IPsec and NAT concurrently.
I think also that the interface logic for IPsec on IOS is a bit confusing.
04-26-2001 07:51 AM
I think this could not be done. How does your client find the tunnel endpoint (loopback with private IP address) from the internet? If you have a public IP address assigned to the loopback interface, it should be OK.