Following is the show output at the head end. I can't see any decrypt or
encrypt traffic.
CUST_A#sh crypto ipsec sa
PFS (Y/N): N, DH group: none
PFS (Y/N): N, DH group: none
interface: GigabitEthernet0/0
Crypto map tag: crypmap, local addr 20.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer 10.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 20.1.1.2, remote crypto endpt.: 10.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x2AAA7629(715814441)
inbound esp sas:
CUST_A#
CUST_A#
CUST_A#exit
[Connection to 20.1.1.2 closed by foreign host]
TEST_VPN_ASR#
TEST_VPN_ASR#
TEST_VPN_ASR#
TEST_VPN_ASR#sh cry
TEST_VPN_ASR#sh crypto is
TEST_VPN_ASR#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.1.1 20.1.1.2 QM_IDLE 22003 ACTIVE
IPv6 Crypto ISAKMP SA
TEST_VPN_ASR#sh crypto ips
TEST_VPN_ASR#sh crypto ipsec sa
interface: Loopback0
Crypto map tag: crypmap, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 20.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 20.1.1.2
path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x3B58FB19(995687193)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2AAA7629(715814441)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: :7, sibling_flags FFFFFFFF80000040, crypto
map: crypmap
sa timing: remaining key lifetime (k/sec): (4555608/3323)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3B58FB19(995687193)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: :8, sibling_flags FFFFFFFF80000040, crypto
map: crypmap
sa timing: remaining key lifetime (k/sec): (4555608/3323)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (200.200.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (210.210.210.0/255.255.255.0/0/0)
current_peer 20.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 20.1.1.2
path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
On Thu, Nov 3, 2011 at 7:23 PM, Sarad <tosara_at_gmail.com> wrote:
> Hi Joseph,
>
> Thanks for the reply. My main objective is to aggregate customers currently
> aggregating into multiple devices into one device, and I don't want
> remote site users to change any settings from their end. Therefore a tunnel
> interface is also not a good option. That's the reason behind multiple end
> points. Static route to the loopback address seems to be not a scalable
> solution. I am wondering whether there is a scalable solution for this
> requirement.
>
> Thanks again,
>
> Cheers
> Sara
>
> On Thu, Nov 3, 2011 at 6:49 PM, Joseph L. Brunner <
> joe_at_affirmedsystems.com> wrote:
>
>> Hey Sarad,
>>
>> When people set up loopbacks for the purpose of terminating IPsec VPNs
>> they use a public IP on the loopback and PUT THE CRY MAP on the loopback!
>>
>> Ex:
>>
>> interface Loopback100
>> ip address 200.200.200.200 255.255.255.0
>> crypto map themapgoeshere
>>
>> then use static routes to loopback on local router for DESTINATION
>> subnets (sloppy though)
>>
>> However, another ipsec design has GRE <-> GRE from loopback to loopback
>> like this
>>
>> int tunnel0
>> tunnel source interface loop100
>> tunnel destination <someone's loopback IP, PUBLIC>
>> ip address 172.24.2.1 255.255.255.252
>>
>> and on the INTERNET OUTGOING INTERFACE the CRY MAP, where each sequence
>> matches gre to gre from local loopback to far side loopback (again, all
>> public IPs),
>> then run eigrp for routing of private subnets to get traffic to pass
>>
>> But, let's not forget the tried and true way to do this
>>
>> IPSEC VTI - which IMHO is the best way
>>
>>
>> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
>>
>> I think you would be served well by the IPSEC IOS DESIGN GUIDE - kind of
>> like our first major push into the theory and implementation of these
>> options...
>>
>> http://www.ciscopress.com/bookstore/product.asp?isbn=1587051117
>>
>> enjoy and have fun!
>>
>> -Joe
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Sarad
>> Sent: Thursday, November 03, 2011 3:01 AM
>> To: Cisco certification
>> Subject: IPSEC site to site VPN with loopback interface issue
>>
>> Hi Guys,
>>
>> I am trying to set up an IPSEC site to site VPN with multiple end points at
>> the head end. To do that I should be able to terminate these VPNs on a
>> loopback address. I tried configuring it on the loopback, but even though the
>> tunnel set up correctly no traffic goes through the tunnel. But when I change
>> it back to a physical interface it works without any issue with the same
>> configuration.
>>
>>
>> *Head end config*
>>
>> hostname TEST_VPN_ASR
>> !
>> aaa new-model
>> !
>> !
>> aaa authentication login userauthen local
>> aaa authorization network groupauthor local
>> !
>> !
>> !
>> !
>> !
>> aaa session-id common
>> !
>> !
>> !
>> !
>> crypto keyring L2L_A
>> pre-shared-key address 20.1.1.2 key test123
>> !
>> crypto isakmp policy 1
>> encr 3des
>> authentication pre-share
>> group 2
>>
>> crypto isakmp profile L2L_A
>> keyring L2L_A
>> match identity address 20.1.1.2 255.255.255.255
>> local-address Loopback0
>> !
>> !
>> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
>> !
>> crypto map crypmap 1 ipsec-isakmp
>> set peer 20.1.1.2
>> set transform-set Tra_L2L_A
>> set isakmp-profile L2L_A
>> match address 101
>> reverse-route
>> !
>> !
>> !
>> !
>> !
>> interface Loopback0
>> ip address 10.1.1.1 255.255.255.248
>> crypto map crypmap
>> !
>> interface Loopback1
>> ip address 10.1.1.9 255.255.255.248
>> !
>> interface Loopback2
>> ip address 10.1.1.17 255.255.255.248
>> !
>> interface Loopback100
>> ip address 200.200.200.200 255.255.255.0
>> !
>> !
>> interface GigabitEthernet0/0/0.100
>> description #### Global Internet ####
>> encapsulation dot1Q 100
>> ip address 10.2.2.1 255.255.255.0
>> crypto map crypmap
>> !
>> !
>> router eigrp 100
>> network 10.0.0.0
>> !
>> ip route 0.0.0.0 0.0.0.0 10.2.2.2
>> !
>> logging esm config
>> access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
>> access-list 101 permit ip 192.168.0.0 0.0.255.255 any
>> !
>> !
>> !
>> Cheers
>> Sara
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
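The check the thread is doing by eye, written out as an added example that is not part of the original thread or any Cisco tool: a small Python script parses both peers' `show crypto ipsec sa` output, pairs each flow with its mirror on the far end (same endpoints and proxy identities, swapped), and reports packets one side encapsulated that the other never decapsulated. The two excerpts are constructed from the counters posted above; the field patterns are an assumption about the IOS output format.

```python
import re
# Patterns for the "show crypto ipsec sa" lines a one-way-traffic check needs (assumed IOS format).
FIELDS = {
    "local_id": r"local ident \(addr/mask/prot/port\): \((\S+)\)",
    "remote_id": r"remote ident \(addr/mask/prot/port\): \((\S+)\)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "local_ep": r"local crypto endpt\.: (\S+),",
    "remote_ep": r"remote crypto endpt\.: (\S+)",
    "out_spi": r"current outbound spi: (0x[0-9A-Fa-f]+)",
}

def parse_flows(output):
    """Return one dict per flow, splitting the dump at every 'local ident' line."""
    flows = []
    for chunk in re.split(r"(?=local ident)", output)[1:]:
        flow = {k: (m.group(1) if (m := re.search(p, chunk)) else None) for k, p in FIELDS.items()}
        flow.update(encaps=int(flow["encaps"] or 0), decaps=int(flow["decaps"] or 0))
        flows.append(flow)
    return flows

def diagnose(name_a, out_a, name_b, out_b):
    """Pair each flow on A with its mirror on B; report packets one side sent that the other never received."""
    findings = []
    for fa in parse_flows(out_a):
        for fb in parse_flows(out_b):
            if (fa["local_ep"], fa["remote_ep"], fa["local_id"], fa["remote_id"]) != (
                    fb["remote_ep"], fb["local_ep"], fb["remote_id"], fb["local_id"]):
                continue  # a different tunnel, not this flow seen from the far end
            for src, dst, fs, fd in ((name_a, name_b, fa, fb), (name_b, name_a, fb, fa)):
                if fs["encaps"] and not fd["decaps"]:
                    findings.append(f"{src} encapsulated {fs['encaps']} pkts (SPI {fs['out_spi']}) "
                                    f"that {dst} never decapsulated")
    return findings

# Constructed excerpts mirroring the counters posted in the thread (trimmed, not verbatim).
CUST_A = """local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
local crypto endpt.: 20.1.1.2, remote crypto endpt.: 10.1.1.1
current outbound spi: 0x2AAA7629(715814441)
"""
HEAD_END = """local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 20.1.1.2
current outbound spi: 0x3B58FB19(995687193)
"""
```

Calling `diagnose("CUST_A", CUST_A, "TEST_VPN_ASR", HEAD_END)` on these excerpts points at the one direction that is failing, which narrows the problem to the head end's inbound processing rather than the ISAKMP negotiation.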
Received on Thu Nov 03 2011 - 19:40:41 ART
This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART