Re: IPSEC site to site VPN with loopback interface issue

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Thu, 3 Nov 2011 10:03:02 +0100

Hi Sarad,

Unconfigure the crypto map on the loopback0 interface and add the command
'crypto map crypmap local-address lo0' to your config on both routers.

Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein

2011/11/3 Sarad <tosara_at_gmail.com>
> Hi Guys,
>
> I am trying to set up an IPSEC site to site VPN with multiple end points at
> the head end. To do that I should be able to terminate these VPNs on a
> loopback address. I tried configuring it on the loopback, but even though the
> tunnel sets up correctly, no traffic goes through the tunnel. But when I change
> it back to a physical interface it works without any issue with the same
> configuration.
>
>
> *Head end config*
>
> hostname TEST_VPN_ASR
> !
> aaa new-model
> !
> !
> aaa authentication login userauthen local
> aaa authorization network groupauthor local
> !
> !
> !
> !
> !
> aaa session-id common
> !
> !
> !
> !
> crypto keyring L2L_A
>  pre-shared-key address 20.1.1.2 key test123
> !
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
>
> crypto isakmp profile L2L_A
>   keyring L2L_A
>   match identity address 20.1.1.2 255.255.255.255
>   local-address Loopback0
> !
> !
> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> !
> crypto map crypmap 1 ipsec-isakmp
>  set peer 20.1.1.2
>  set transform-set Tra_L2L_A
>  set isakmp-profile L2L_A
>  match address 101
>  reverse-route
> !
> !
> !
> !
> !
> interface Loopback0
>  ip address 10.1.1.1 255.255.255.248
>  crypto map crypmap
> !
> interface Loopback1
>  ip address 10.1.1.9 255.255.255.248
> !
> interface Loopback2
>  ip address 10.1.1.17 255.255.255.248
> !
> interface Loopback100
>  ip address 200.200.200.200 255.255.255.0
> !
> !
> interface GigabitEthernet0/0/0.100
>  description #### Global Internet ####
>  encapsulation dot1Q 100
>  ip address 10.2.2.1 255.255.255.0
>  crypto map crypmap
> !
> !
> router eigrp 100
>  network 10.0.0.0
> !
> ip route 0.0.0.0 0.0.0.0 10.2.2.2
> !
> logging esm config
> access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
> access-list 101 permit ip 192.168.0.0 0.0.255.255 any
> !
> !
> !
> Cheers
> Sara
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Nov 03 2011 - 10:03:02 ART
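
A small config check that encodes the advice in the reply above, added here as an example and not part of the original thread: it flags a crypto map bound to a loopback interface and a missing `crypto map <name> local-address` command for that map. The function name `audit_crypto_maps` and the trimmed `BEFORE`/`AFTER` configs are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the head-end config quoted in the thread.
BEFORE = """\
crypto map crypmap 1 ipsec-isakmp
 set peer 20.1.1.2
 match address 101
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.248
 crypto map crypmap
!
interface GigabitEthernet0/0/0.100
 ip address 10.2.2.1 255.255.255.0
 crypto map crypmap
!
"""
# Constructed sample: the same config with the change from the reply applied.
AFTER = "crypto map crypmap local-address lo0\n" + BEFORE.replace(
    "255.255.255.248\n crypto map crypmap\n", "255.255.255.248\n")

# Matches Loopback0 and the abbreviated lo0, but not e.g. LongReachEthernet0.
LOOPBACK = re.compile(r"lo(opback)?\d+$", re.I)

def audit_crypto_maps(config):
    """Return findings for crypto maps that are bound to a loopback interface."""
    applied, local_addr, iface = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] != " ":                      # top-level line: closes any interface block
            m = re.match(r"interface (\S+)$", line)
            iface = m.group(1) if m else None
            m = re.match(r"crypto map (\S+) local-address (\S+)$", line)
            if m:
                local_addr[m.group(1)] = m.group(2)
        elif iface:                             # indented line inside an interface block
            m = re.match(r"crypto map (\S+)$", line)
            if m:
                applied.setdefault(m.group(1), []).append(iface)
    findings = []
    for name, ifaces in applied.items():
        loops = [i for i in ifaces if LOOPBACK.match(i)]
        findings += [f"{name}: applied to {i}; remove it from the loopback" for i in loops]
        if loops and name not in local_addr:
            findings.append(f"{name}: no 'crypto map {name} local-address' command")
    return findings

if __name__ == "__main__":
    print("before:", audit_crypto_maps(BEFORE))
    print("after: ", audit_crypto_maps(AFTER))
```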

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART