RE: IPSEC site to site VPN with loopback interface issue

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Thu, 3 Nov 2011 07:49:29 +0000

Hey Sarad,

When people set up loopbacks for the purpose of terminating IPsec VPNs they use a public IP on the loopback and PUT THE CRYPTO MAP on the loopback!

Ex:

interface Loopback100
 ip address 200.200.200.200 255.255.255.0
 crypto map themapgoeshere

then use static routes to the loopback on the local router for the DESTINATION subnets (sloppy, though)

However, another IPsec design has GRE <-> GRE from loopback to loopback, like this:

interface Tunnel0
 ip address 172.24.2.1 255.255.255.252
 tunnel source Loopback100
 tunnel destination <someone's loopback IP, PUBLIC>

and on the INTERNET OUTGOING INTERFACE the CRYPTO MAP, where each sequence matches GRE to GRE from the local loopback to the far-side loopback (again, all public IPs),
then run EIGRP for routing of the private subnets to get traffic to pass.

But, let's not forget the tried and true way to do this

IPSEC VTI - which IMHO is the best way

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

I think you would be served well by the IPSEC IOS DESIGN GUIDE - kind of like our first major push into the theory and implementation of these options...

http://www.ciscopress.com/bookstore/product.asp?isbn=1587051117

enjoy and have fun!

-Joe
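An added worked example of the VTI design Joe recommends, not taken from his message or from the Cisco documents he links: a hub terminates the tunnel on a loopback and one spoke peers with that loopback, with EIGRP carrying the private prefixes over the tunnel. Every hostname, address, key and name here is invented for illustration; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges standing in for public addresses. IKEv1 with an ISAKMP profile is kept to match the thread; `hash sha256`, `group 14` and `esp-sha256-hmac` need a release that supports them (IOS 15.x), and the hub loopback only works as a tunnel endpoint if its address is routable from the spoke.

```cisco
! ===== HUB: IPsec VTI terminated on Loopback0 (illustrative addresses) =====
hostname HUB
!
! The loopback must carry an address the spoke can reach across the
! Internet; a private address here would never be reached by the peer.
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
crypto keyring SPOKES
 pre-shared-key address 198.51.100.2 key ExampleKey-Spoke1
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp profile SPOKES
 keyring SPOKES
 match identity address 198.51.100.2 255.255.255.255
 local-address Loopback0
!
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI_PROF
 set transform-set TS_AES
 set isakmp-profile SPOKES
!
! One routed tunnel per spoke; no crypto ACL to keep in sync.
! MTU/MSS clamp avoids fragmentation of the ESP-encapsulated frames.
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROF
!
! No crypto map on the uplink: tunnel protection does the work.
interface GigabitEthernet0/0/0
 description Internet uplink
 ip address 192.0.2.1 255.255.255.0
!
router eigrp 100
 network 172.16.1.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
 passive-interface GigabitEthernet0/0/0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
! Loopback0 must be advertised upstream (BGP or a provider static route)
! so that 198.51.100.2 has a path to 203.0.113.1.

! ===== SPOKE1 =====
hostname SPOKE1
!
crypto keyring HUB
 pre-shared-key address 203.0.113.1 key ExampleKey-Spoke1
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp profile HUB
 keyring HUB
 match identity address 203.0.113.1 255.255.255.255
!
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI_PROF
 set transform-set TS_AES
 set isakmp-profile HUB
!
! Destination is the hub's LOOPBACK, not its physical uplink address.
interface Tunnel1
 ip address 172.16.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROF
!
interface GigabitEthernet0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.0
!
router eigrp 100
 network 172.16.1.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
 passive-interface GigabitEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

To confirm it on either side: `show crypto session` should list the peer as UP-ACTIVE, `show crypto ipsec sa` should show encaps/decaps counters moving on the Tunnel1 SA, and `show ip eigrp neighbors` should show the far end on Tunnel1; if IKE completes but EIGRP never forms, check first that the hub loopback is actually reachable from the spoke and that nothing upstream filters UDP/500 and ESP.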

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sarad
Sent: Thursday, November 03, 2011 3:01 AM
To: Cisco certification
Subject: IPSEC site to site VPN with loopback interface issue

Hi Guys,

I am trying to set up an IPsec site-to-site VPN with multiple end points at
the head end. To do that I should be able to terminate these VPNs on a
loopback address. I tried configuring it on the loopback, but even though the tunnel
set up correctly no traffic goes through the tunnel. But when I change it back
to a physical interface it works without any issue with the same
configuration.

*Head end config*

hostname TEST_VPN_ASR
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
crypto keyring L2L_A
  pre-shared-key address 20.1.1.2 key test123
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp profile L2L_A
   keyring L2L_A
   match identity address 20.1.1.2 255.255.255.255
   local-address Loopback0
!
!
crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 20.1.1.2
 set transform-set Tra_L2L_A
 set isakmp-profile L2L_A
 match address 101
 reverse-route
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.248
 crypto map crypmap
!
interface Loopback1
 ip address 10.1.1.9 255.255.255.248
!
interface Loopback2
 ip address 10.1.1.17 255.255.255.248
!
interface Loopback100
 ip address 200.200.200.200 255.255.255.0
!
!
interface GigabitEthernet0/0/0.100
 description #### Global Internet ####
 encapsulation dot1Q 100
 ip address 10.2.2.1 255.255.255.0
 crypto map crypmap
!
!
router eigrp 100
 network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 10.2.2.2
!
logging esm config
access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
!
Cheers
Sara
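An added worked example of the crypto-map design the thread is about, written for this page and not part of either poster's configuration: a hub with a crypto map whose IPsec endpoint is a loopback, and one spoke peering with that loopback. IOS's documented way to bind a crypto map to a loopback is the global `crypto map <name> local-address <Loopback>`, with the map itself applied to the physical uplink(s); that is what makes the IPsec and IKE source address the loopback, so the same map can sit on several uplinks and the SA survives a link change. All names, addresses and keys are invented; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges standing in for public addresses, and the loopback only works as an endpoint if that address is routable from the spoke. The crypto ACLs are deliberately specific and mirror images of each other; `any` in a crypto ACL is a common source of traffic that negotiates but does not pass.

```cisco
! ===== HUB: crypto map with its endpoint on Loopback0 (illustrative) =====
hostname HUB
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
crypto keyring SPOKES
 pre-shared-key address 198.51.100.2 key ExampleKey-Spoke1
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp profile SPOKE1
 keyring SPOKES
 match identity address 198.51.100.2 255.255.255.255
 local-address Loopback0
!
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: hub LAN to spoke LAN only; the spoke's ACL is its mirror.
ip access-list extended CRYPTO_SPOKE1
 permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS_AES
 set isakmp-profile SPOKE1
 match address CRYPTO_SPOKE1
 reverse-route
!
! Binds the map's IPsec/IKE source address to Loopback0. The map still
! goes on the physical uplink(s) below, not on the loopback.
crypto map CMAP local-address Loopback0
!
interface GigabitEthernet0/0/0
 description Internet uplink
 ip address 192.0.2.1 255.255.255.0
 crypto map CMAP
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
! Loopback0 must be advertised upstream so 198.51.100.2 can reach 203.0.113.1.
! reverse-route injects 192.168.10.0/24 via the peer once the SA is up.

! ===== SPOKE1 =====
hostname SPOKE1
!
crypto keyring HUB
 pre-shared-key address 203.0.113.1 key ExampleKey-Spoke1
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp profile HUB
 keyring HUB
 match identity address 203.0.113.1 255.255.255.255
!
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Mirror image of the hub's crypto ACL.
ip access-list extended CRYPTO_HUB
 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
!
! The peer is the hub's LOOPBACK address, not its uplink address.
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS_AES
 set isakmp-profile HUB
 match address CRYPTO_HUB
!
interface GigabitEthernet0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.0
 crypto map CMAP
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
! Traffic for 10.1.0.0/16 follows the default; the crypto map on the
! uplink matches it against CRYPTO_HUB and encrypts it to 203.0.113.1.
```

Checks worth running when the SA forms but nothing passes: `show crypto isakmp sa` for a QM_IDLE entry whose source is the loopback address, `show crypto ipsec sa` for the negotiated local/remote identities (they must be exactly the ACL's mirrored subnets on both sides) and for #pkts encaps/decaps actually incrementing, and `show ip route` for the reverse-route entry toward the peer.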

Blogs and organic groups at http://www.ccie.net
Received on Thu Nov 03 2011 - 07:49:29 ART

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART