07-13-2005 07:01 PM - edited 02-21-2020 01:52 PM
We need to source traffic destined to a partner over a crypto map VPN from the secondary address on an interface.
Example.
interface fa1/0
ip address 155.55.5.1
ip address 255.55.5.1 secondary
crypto map something
We need to have the source of the traffic be the 255.55.5.1 address.
Any ideas?
07-14-2005 06:25 AM
Do you absolutely have to have the secondary address on the interface itself? Can you move it to a loopback-if? (would have to get the uplink-router/gateway to route the address to you, or use proxy-arp'ing if it's just a link-net type of network)
Can you switch the primary and secondary addresses? That would solve the problem.. :)
If you can move it, then it's possible.
Another solution could be as follows:
If you are able to get the partner to use an IPSec-protected GRE tunnel, maybe it could be solved, as in the GRE tunnel you can specify which IP address to use as source...
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b00.html
I'm not sure if it would work as I think, as I can't remember which address IPSec uses as the source in such a setup, but it should respect the setting you use...
If you try this, please update this thread... :)
07-14-2005 12:00 PM
You can apply a crypto map on an intf, and use a different IP address as the crypto endpoint by using the "crypto map mymap local-address
So, you cannot specify the secondary address. However, if you can use a Loopback instead of the secondary address, then you can use the Loopback as the crypto endpoint by "crypto map mymap local-address loopback0"
-Sunil.
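The loopback approach from the replies above, written out as an added example that is not part of the original thread. Only the map name mymap and Loopback0 come from the thread; every address (documentation ranges), the ACL number, the transform-set name and the key placeholder are constructed assumptions.

```cisco
! Constructed example: addresses, ACL 101, TS-PARTNER and the key are placeholders.
!
! Address the partner should see as the VPN endpoint, moved off the
! physical interface onto a loopback.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Replace <PRE-SHARED-KEY> with the value agreed with the partner.
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.2
!
crypto ipsec transform-set TS-PARTNER esp-aes 256 esp-sha-hmac
!
! Interesting traffic: local LAN to partner LAN (both assumed).
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
!
! Global command: IKE and IPsec use Loopback0's address as the local
! endpoint instead of the primary address of the interface that
! carries the crypto map.
crypto map mymap local-address Loopback0
!
crypto map mymap 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-PARTNER
 match address 101
!
! The map is still applied to the egress interface as before.
interface FastEthernet1/0
 ip address 203.0.113.1 255.255.255.0
 crypto map mymap
```

The partner has to point its peer statement at the loopback address, and the upstream gateway needs a route for that address toward this router, as the first reply notes. `show crypto isakmp sa` and `show crypto ipsec sa` confirm which local address the tunnel actually negotiated with.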