Hi Joseph,
Thanks for the reply. My main objective is to aggregate customers currently
aggregating into multiple devices into one device, and I don't want
remote site users to change any settings from their end. Therefore a tunnel
interface is also not a good option. That's the reason behind multiple end
points. A static route to the loopback address seems not to be a scalable
solution. I am wondering whether there is a scalable solution for this
requirement.
Thanks again,
Cheers
Sara
On Thu, Nov 3, 2011 at 6:49 PM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:
> Hey Sarad,
>
> When people set up loopbacks for the purpose of terminating IPsec VPNs
> they use a public IP on the loopback and PUT THE CRY MAP on the loopback!
>
> Ex:
>
> interface Loopback100
> ip address 200.200.200.200 255.255.255.0
> crypto map themapgoeshere
>
> then use static routes to loopback on local router for DESTINATION subnets
> (sloppy though)
>
> However, another ipsec design has GRE <-> GRE from loopback to loopback
> like this
>
> int tunnel0
> tunnel source interface loop100
> tunnel destination <someone's loopback IP, PUBLIC>
> ip address 172.24.2.1 255.255.255.252
>
> and on the INTERNET OUTGOING INTERFACE the CRY MAP, where each sequence
> matches gre to gre from local loopback to far side loopback (again, all
> public IPs)
> then run eigrp for routing of private subnets to get traffic to pass
>
> But, let's not forget the tried and true way to do this
>
> IPSEC VTI - which IMHO is the best way
>
>
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
>
> I think you would be served well by the IPSEC IOS DESIGN GUIDE - kind of
> like our first major push into the theory and implementation of these
> options...
>
> http://www.ciscopress.com/bookstore/product.asp?isbn=1587051117
>
> enjoy and have fun!
>
> -Joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Sarad
> Sent: Thursday, November 03, 2011 3:01 AM
> To: Cisco certification
> Subject: IPSEC site to site VPN with loopback interface issue
>
> Hi Guys,
>
> I am trying to set up an IPsec site-to-site VPN with multiple endpoints at
> the head end. To do that I should be able to terminate these VPNs on a
> loopback address. I tried configuring it on the loopback, but even though the
> tunnel sets up correctly, no traffic goes through the tunnel. But when I change
> it back to a physical interface it works without any issue with the same
> configuration.
>
>
> *Head end config*
>
> hostname TEST_VPN_ASR
> !
> aaa new-model
> !
> !
> aaa authentication login userauthen local
> aaa authorization network groupauthor local
> !
> !
> !
> !
> !
> aaa session-id common
> !
> !
> !
> !
> crypto keyring L2L_A
> pre-shared-key address 20.1.1.2 key test123
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
>
> crypto isakmp profile L2L_A
> keyring L2L_A
> match identity address 20.1.1.2 255.255.255.255
> local-address Loopback0
> !
> !
> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> !
> crypto map crypmap 1 ipsec-isakmp
> set peer 20.1.1.2
> set transform-set Tra_L2L_A
> set isakmp-profile L2L_A
> match address 101
> reverse-route
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 10.1.1.1 255.255.255.248
> crypto map crypmap
> !
> interface Loopback1
> ip address 10.1.1.9 255.255.255.248
> !
> interface Loopback2
> ip address 10.1.1.17 255.255.255.248
> !
> interface Loopback100
> ip address 200.200.200.200 255.255.255.0
> !
> !
> interface GigabitEthernet0/0/0.100
> description #### Global Internet ####
> encapsulation dot1Q 100
> ip address 10.2.2.1 255.255.255.0
> crypto map crypmap
> !
> !
> router eigrp 100
> network 10.0.0.0
> !
> ip route 0.0.0.0 0.0.0.0 10.2.2.2
> !
> logging esm config
> access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
> access-list 101 permit ip 192.168.0.0 0.0.255.255 any
> !
> !
> !
> Cheers
> Sara
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
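A configuration-review check for the loopback-termination problem discussed in this thread, added here as an example; it is not code from either poster and not a Cisco tool. It reuses the head-end configuration quoted above as its first sample input (trimmed, and with the IOS indentation that the archive lost, so the parser keys on section keywords rather than leading spaces), and derives from it a constructed second variant that follows Joe's first suggestion: IKE sourced from, and the crypto map bound on, a loopback that holds a public address. The variant's Internet-facing address 201.0.113.1 and its trimmed access list are assumptions, not from the thread. The script reports where the ISAKMP profile's `local-address` or a crypto-map-bearing interface sits on an address that is not globally routable (a peer on the Internet cannot reach an RFC 1918 loopback, which is why Sara's tunnel only passes traffic on the physical interface), checks that the peer address agrees across keyring, profile and crypto map, and flags `any` in the crypto ACL, which forces every matching flow into the SA.

```python
"""Review checks for IOS crypto-map termination on a loopback (added example)."""
import ipaddress
import re

# Head-end config quoted in the thread, trimmed to the lines the checks use.
HEAD_END_CONFIG = """\
crypto keyring L2L_A
pre-shared-key address 20.1.1.2 key test123
crypto isakmp profile L2L_A
keyring L2L_A
match identity address 20.1.1.2 255.255.255.255
local-address Loopback0
crypto map crypmap 1 ipsec-isakmp
set peer 20.1.1.2
set isakmp-profile L2L_A
match address 101
interface Loopback0
ip address 10.1.1.1 255.255.255.248
crypto map crypmap
interface Loopback100
ip address 200.200.200.200 255.255.255.0
interface GigabitEthernet0/0/0.100
ip address 10.2.2.1 255.255.255.0
crypto map crypmap
!
access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
"""

# Constructed variant after Joe's first suggestion: IKE sourced from, and the
# crypto map bound on, the public-address loopback. The egress address
# 201.0.113.1 and the trimmed ACL are assumptions, not from the thread.
CORRECTED_CONFIG = (
    HEAD_END_CONFIG.replace("local-address Loopback0", "local-address Loopback100")
    .replace("255.255.255.248\ncrypto map crypmap", "255.255.255.248")
    .replace("200.200.200.200 255.255.255.0", "200.200.200.200 255.255.255.0\ncrypto map crypmap")
    .replace("ip address 10.2.2.1", "ip address 201.0.113.1")
    .replace("access-list 101 permit ip 192.168.0.0 0.0.255.255 any\n", "")
)

BLOCK_PREFIXES = ("interface ", "crypto isakmp profile ", "crypto map ", "crypto keyring ")


def parse_blocks(config):
    """Split a flattened IOS config into ({header: [sub-lines]}, [top-level lines])."""
    blocks, top, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":  # IOS section separator closes the block
            current = None
            continue
        # 'crypto map NAME' (three tokens) inside an interface is the binding,
        # not the start of a new crypto-map block
        binding = (current is not None and current.startswith("interface ")
                   and re.fullmatch(r"crypto map \S+", line) is not None)
        if line.startswith(BLOCK_PREFIXES) and not binding:
            current = line
            blocks[current] = []
        elif current is None:
            top.append(line)
        else:
            blocks[current].append(line)
    return blocks, top


def lint(config):
    """Return review findings (strings) for the crypto configuration."""
    blocks, top = parse_blocks(config)
    addrs, bindings, peers, acls, ike_src, findings = {}, {}, set(), set(), [], []
    for header, lines in blocks.items():
        name = header.split()[-1]  # interface or profile name
        for line in lines:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
                addrs[name] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").ip
            elif m := re.fullmatch(r"crypto map (\S+)", line):
                bindings.setdefault(m[1], []).append(name)
            elif m := re.match(r"(?:set peer|pre-shared-key address|match identity address) (\S+)", line):
                peers.add(m[1])
            elif m := re.fullmatch(r"match address (\S+)", line):
                acls.add(m[1])
            elif m := re.fullmatch(r"local-address (\S+)", line):
                ike_src.append((name, m[1]))
    # IKE must be sourced from an address the remote peer can actually reach
    for profile, iface in ike_src:
        if iface not in addrs:
            findings.append(f"profile {profile}: local-address {iface} has no IP address")
        elif not addrs[iface].is_global:
            findings.append(f"profile {profile}: IKE sourced from {addrs[iface]} on {iface}, "
                            "which is not globally routable; an Internet peer cannot reach it")
    for cmap, ifaces in bindings.items():
        for iface in ifaces:
            if iface in addrs and not addrs[iface].is_global:
                findings.append(f"crypto map {cmap} on {iface}: {addrs[iface]} is not globally routable")
    if len(peers) > 1:
        findings.append(f"peer address disagrees across keyring/profile/crypto map: {sorted(peers)}")
    # 'any' in a crypto ACL drags every matching flow into the SA to this peer
    for line in top:
        if (m := re.match(r"access-list (\S+) permit (.+)", line)) and m[1] in acls \
                and "any" in m[2].split():
            findings.append(f"crypto ACL {m[1]}: '{line}' uses 'any'; every matching flow is forced into the tunnel")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", HEAD_END_CONFIG), ("corrected variant", CORRECTED_CONFIG)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  -", f)
```

Run against the posted config it reports four findings: the profile sources IKE from 10.1.1.1 on Loopback0, both crypto-map interfaces sit on 10.x addresses, and the second line of ACL 101 carries `any`. The corrected variant reports nothing. The "not globally routable" test is deliberately coarse (it also flags a lab that runs the whole topology in 10.0.0.0/8, as this one does); the point it makes is that whichever address IKE and ESP are sourced from has to be one the far peer can route to.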
Received on Thu Nov 03 2011 - 19:23:57 ART
This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART