Source VPN crypto map from secondary IP

gpoer
Level 1

We need to source traffic destined to a partner over a crypto map vpn from the secondary address on an interface.

Example.

interface fa1/0
 ip address 155.55.5.1
 ip address 255.55.5.1 secondary
 crypto map something

We need to have the source of the traffic be the 255.55.5.1 address.

Any ideas?

2 Replies

johansens
Level 4

Do you absolutely have to have the secondary address on the interface itself? Can you move it to a loopback-if? (would have to get the uplink-router/gateway to route the address to you, or use proxy-arp'ing if it's just a link-net type of network)

Can you switch the primary and secondary addresses? That would solve the problem.. :)

If you can move it, then it's possible.

Another solution could be as follows:

If you are able to get the partner to use an IPSec-protected GRE tunnel, maybe it could be solved, as in the GRE tunnel you can specify which IP address to use as source...

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b00.html

I'm not sure if it would work as I think as I can't remember which address IPSec uses as the source in such a setup, but it should respect the setting you use...

If you try this, please update this thread... :)

sunilc
Level 1

You can apply a crypto map on an intf, and use a different IP address as the crypto endpoint by using the "crypto map mymap local-address " command. You have to specify an intf, not an actual IP address.

So, you cannot specify the secondary address. However, if you can use a Loopback instead of the secondary address, then you can use the Loopback as the crypto endpoint by "crypto map mymap local-address loopback0"

-Sunil.
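
The loopback approach from the replies above, written out as a configuration sketch. This is an added example, not part of any post in the thread. All addresses, the ACL and transform-set names, and the key placeholder are constructed, and the IKE/ESP algorithms assume an IOS release that supports them.

```cisco
! Constructed example: every address is a documentation-range placeholder.
!   198.51.100.1  address moved off the "secondary" line onto Loopback0 (assumed)
!   192.0.2.1     primary address that stays on the physical interface (assumed)
!   203.0.113.10  partner's VPN peer (assumed)
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.10
!
crypto ipsec transform-set PARTNER-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: inner subnets are placeholders as well.
ip access-list extended PARTNER-TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! local-address takes an interface name, never an IP address.
! IKE and ESP packets for this map are then sourced from Loopback0's
! address instead of the primary address of the interface the map sits on.
crypto map mymap local-address Loopback0
crypto map mymap 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set PARTNER-TS
 match address PARTNER-TRAFFIC
!
interface FastEthernet1/0
 ip address 192.0.2.1 255.255.255.0
 crypto map mymap
!
! Checks once the tunnel has been brought up:
!   show crypto map          (lists the local-address interface for mymap)
!   show crypto isakmp sa    (src should be 198.51.100.1, not 192.0.2.1)
```

The partner has to define its peer as the loopback address, and the upstream router has to route that address to this device, as noted in the first reply.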