RE: IPsec - loopback

From: Bola Adegbonmire (bolaccie@yahoo.com)
Date: Mon Mar 08 2004 - 07:12:44 GMT-3


I believe this is what you want to do:
 
R1 --------- R2
 
 
where there are redundant paths between R1 and R2. In order to use the redundant paths you want to use the loopback address as the address that the router uses to identify itself to other IPSec peers - right?
 
The easiest way I know, and I have used it before, is to do it this way. Assuming R1 can reach R2 via its s1 and s2 interfaces and vice versa:
 
R1
!
! the loopback is the IPSec identity; both serials carry the same crypto map
interface Loopback0
  ip address .......
interface Serial1
  ip address .....
  crypto map R2
interface Serial2
  ip address .....
  crypto map R2
!
! source ISAKMP/IPSec from Lo0 instead of the outgoing serial
crypto map R2 local-address Loopback0
crypto map R2 1 ipsec-isakmp
  set peer (R2 lo0 ip address)
  set transform-set (your transform set)
  match address (your crypto ACL)
!
 
 
Then do the same on R2. I have done it before and it works. Just make sure the lo0 addresses are advertised via your IGP or EGP. I may have missed command syntaxes so check, but this is one way and it works too.
 
Rgds,
 
Bola
 

Richard Dumoulin <richard.dumoulin@vanco.es> wrote:
I see several solutions here.

If you're not using GRE then one possible way would be to use DPD (Dead
Peer Detection) or IKE keepalives and configure your crypto map with two "set
peer" commands. This way when your primary link becomes unavailable the
remote site will be able to negotiate IPSec with the secondary link.

Another solution would be to configure 2 GRE tunnels over both links, with
EIGRP inside. Then just manipulate the delay to prefer one path over the
other.

--Richard

This is all you need:
http://www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Technologies:IPSec&viewall=true

-----Original Message-----
From: Franck ccie [mailto:cciefrank@hotmail.com]
Sent: Friday, 05 March 2004 21:03
To: ccielab@groupstudy.com
Subject: IPsec - loopback

Has anyone tried IPSEC on Cisco routers using loopback addresses? We
need this implementation because we have redundant paths and we need
IPSEC to be always up even if one of the links fails.
Thanks
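A fuller R1 configuration for the loopback-peer design Bola describes, with the DPD keepalives Richard mentions, added here as an example (it is not taken from either post). Interface names, addresses (RFC 5737 documentation ranges), ACL and the EIGRP AS are constructed; the pre-shared key is a placeholder.

```cisco
! R1 - constructed example, not from the original posts
! R1 Lo0 = 10.0.0.1, R2 Lo0 = 10.0.0.2; two serial paths between them
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PSK address 10.0.0.2
! DPD: probe the peer every 10 s, retry every 3 s, so a dead peer tears
! down the SAs instead of leaving them until lifetime expiry
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Identity and IKE source are the loopback, not whichever serial the
! packet happens to leave; a link failure then only changes the route,
! the SAs stay valid
crypto map R2 local-address Loopback0
crypto map R2 1 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS
 match address VPN-TRAFFIC
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Serial1
 ip address 192.0.2.1 255.255.255.252
 crypto map R2
!
interface Serial2
 ip address 198.51.100.1 255.255.255.252
 crypto map R2
!
! constructed crypto ACL: site LANs behind R1 and R2
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! the peer loopback must be reachable over either serial, so both links
! and the loopback are in the IGP (Bola's "advertise lo0" point)
router eigrp 1
 network 10.0.0.0
 network 192.0.2.0 0.0.0.3
 network 198.51.100.0 0.0.0.3
 no auto-summary
```

Richard's alternative without loopbacks would drop the local-address line and instead list both of R2's serial addresses with two set peer entries, relying on DPD to fail over between them. R2 mirrors this configuration with the addresses swapped.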


This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:16 GMT-3