cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8492
Views
5
Helpful
14
Replies
Highlighted
Enthusiast

Site to Site IPSec VPN using Loopback as a tunnel endpoint

Dears,

I've spent two days figuring out how can I use the loopback interface as the tunnel endpoint. After lots of experiments, I could finally get it to work. However, I still don't understand how it completely works. I understand parts of the configuration but other parts I could not understand.

Here is the most important config for a loopback to function as VPN tunnel endpoint along with my humble technical explanation according to my understanding so far. I am not going to mention other config such as IKE/IPSec proposals, IPSec transform sets, interesting traffic ACL...,etc as you already familiar with. Please feel free to correct me if I am wrong.

"Apply crypto map on both the loopback interface and the Ethernet sub-interface. Since the loopback is a virtual interface, it cannot negotiate the tunnel. It's the job of the physical interface, which is the ethernet in my case because it's the actual WAN interface. Applying the map on both of them is crucial. Why I said that? Because if I remove the map off one of them, the tunnel won't negotiate"  

 

!

Interface Loopback0

Ip address 42.x.x.x 255.255.255.255

Crypto map Mymap

!

Interface ethernet0.156

encapsulation dot1q 156

Ip address 10.x.x.x 255.255.255.252

ip nat outside

ip virtual-reassembly in

Crypto map Mymap

"Because the public IP is defined in the loopback interface, it must be our VPN endpoint. To accomplish this, the following command is important to instruct the router to treat the loopback address as the VPN endpoint. Without it, the router will think that the endpoint address is the physical interface and the tunnel will never negotiate since the public IP is not defined in the physical interface. Why I said that? Because if you issue debug crypto ipsec, you will notice that the other peer will try to negotiate the tunnel with the 42.x.x.x on ethernet0.156 and it will tells you invalid local address."

Crypto map Mymap local-address Loopback0

"Again, the loopback is not a physical interface. It can't forward or route traffic. So, we need to reach the remote protected subnet in order to virtually forward traffic through the Ethernet interface. In that case, Ethernet uses the loopback as a gateway to reach the subnet in question. Why I said that? I really don't know. I am trying my best to explain it. But if you really remove this command, the ping won't work"

 

Ip route 192.168.0.0 255.255.248.0 Loopback99

"Finally, you will have to exempt the protected traffic from NAT on the loopback"

 

Ip nat inside source route-map nonat interface Loopback0 overload

!

Route-map permit 10

Match ip address 102

!

Access-list 102 deny ip 10.10.1.0 0.0.0.255 192.168.0.0 0.0.7.255

Access-list 102 permit ip 10.10.1.0 0.0.0.255 any

Thanks

14 REPLIES 14
Highlighted
VIP Mentor

Actually, it can be much more

Actually, it can be much more simpler then you have done it:

  • The crypto map is only applied on the outside interface
  • You route your peer-network to the provider next-hop (typically done with the default-route) instead of to the Loopback.
  • The crypto-map is told which IP to use for the source-address of the outer tunnel-header (that's the local-address that you configured)
  • And you also need to exempt the traffic from NAT

That's all you need. What happens here:

  1. The ip packet enters the router and get's forwarded to the outer interface
  2. The crypto map acts on the packet and positively matches the crypto ACL
  3. The packet gets encrypted and the digest is calculated
  4. Now the router builds the outer IP header. The destination is taken from the "set peer", the source is taken from the "local address" (well, that's a little bit simplified, here the SPD and SADB are involved).
  5. The new IPsec packet is routed according to the routing table (default-route) to the provider

Highlighted
Enthusiast

Thanks for the response.

Thanks for the response.

"The crypto map is only applied on the outside interface"

The tunnel wouldn't get established if I've done that. I turned on debug crypto isakmp and IPsec and nothing showed up. When I applied the map on both, debug messages showed up.

"You route your peer-network to the provider next-hop (typically done with the default-route) instead of to the Loopback"

There is already a default route through my provider next-hop in general but that didn't serve the purpose of the remote protected network. Once I specifically configured a static route to the remote protected network via Lookback0, I could ping successfully.

Highlighted
VIP Mentor

Could it be that you are

Could it be that you are running an ancient IOS? I did a short lab on IOS 15.2(4)M5 and it was working exactly like mentioned. And from my memories, that was also the way I implemented it long time ago (but I don't remember what version I used there).

But some time ago, there were changes in IOS when dealing with logical interfaces.

Highlighted
Enthusiast

No sir, it's 15.2 as well.

No sir, it's 15.2 as well. Perhaps, it will work using different methods. :)

Anyways, thanks for your help.

Highlighted
VIP Mentor

Can you show the config for

Can you show the config for that? Perhaps there is something else problematic.

Highlighted
Enthusiast

I showed the config in the

I showed the config in the original post.

Highlighted
VIP Mentor

I assume that was not the

I assume that was not the real config as it was configured on the router ...
Highlighted
Enthusiast

It was the real config but of

It was the real config but of course with fake IP addressing, that's all. I mentioned in the original post that I got the VPN to work using loopback interface then I posted the working config.

Highlighted

Thanks for sharing, it worked

Thanks for sharing, it worked to me. I did not exactly the same, but your post was a hint.

Best.

Highlighted
Beginner

Re: Site to Site IPSec VPN using Loopback as a tunnel endpoint

Hi, Can you please let me know what is configured under Loopback99? you have used this in the static routing.

Highlighted
Beginner

Re: Site to Site IPSec VPN using Loopback as a tunnel endpoint

Hi,

I think I am quite late on replying to this.

However just define a loopback e.g. loopback 20

Assign a public IP to it or whatever IP you want to source the VPN Traffic from.

And use the below command.

crypto map CMAP local-address Loopback20

 

Then create a Crypto MAP after creating the Transform Set and interesting traffic access-list.

              crypto map CMAP 10 ipsec-isakmp
              set peer 10.172.16.1
              set transform-set TS
              match address VPN-TRAFFIC

 

Create preshared key for the destination peer like below

              crypto isakmp key firewallcx address 10.172.16.1

 

Do the same config on the other peer and you are good to do.

Let me know if someone wants me to share the complete config.

Highlighted

Re: Site to Site IPSec VPN using Loopback as a tunnel endpoint

Please share me the complete configuration file.

Highlighted
Beginner

Re: Site to Site IPSec VPN using Loopback as a tunnel endpoint

Hi,

 

Its been an year and I don't have the config on me anymore. However below is what i used as a template and incorporated my own config into it and I am sure you can also do the same. 

 

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

 

Cheers,

Highlighted

Re: Site to Site IPSec VPN using Loopback as a tunnel endpoint

Thank you so much.