Terminating an IPSEC tunnel in a loopback interface

jsol · ‎12-30-2004

I need to terminate IPSEC tunnels from VPN clients in a loopback interface (i.e., the crypto map sentence has to be configured at the loopback interface), and I'm having problems. Has anyone tested it? Do I have to configure something special? Just configuring the same at the ethernet interface works ok, but I need it to work in the loopback one.

Thanks.

Richard Burts · ‎12-30-2004

I have not done this. I have done lots of IPSec terminating on the physical interface facing outwards. But I believe that if your crypto map specifies the local interface as loopback 0 and if the remote clients specify the peer address as the loopback address then it should work.

HTH

Rick

HTH

Rick

sachinraja · ‎01-02-2005

There is no command on the crypto dynamic maps, which can force you to specify a local address , eg loopback interface. You can do this on a site to site, but not on remote access vpn. Not sure if there are other ways of doing this..

all the best..

hniazi · ‎01-04-2005

Not sure why the crypto map has to be applied to the loopback (as per initial question). If the intent is to define the loopback address as the crypto end-point, then this is doable (please see below). If the intent is to define crypto map on the loopback as apposed to the physical interface, then that will not work.

The dynamic map will have to be mapped to the crypto map. For using the loopback address as IPSec remote-access endpoint, configure the crypto map local-address statement and apply the crypto map to the physical interface where the IPSec traffic is coming in. So in short:

crypto dynamic-map dyna1 10

set transform-set 3des-sha

reverse-route

!

crypto map vpn1 local-address Loopback0

crypto map vpn1 100 ipsec-isakmp dynamic dyna1

!

interface Serial0/0

description INTERNET_FACING_INTERFACE

ip address

crypto map vpn1

!

G.Korakis_2 · ‎11-27-2009

Thank you very much!!!!!!!!!!!!!!!!!!!!

(Although I was not the one to ask!!)