Hi Piotr,
Thank you for your reply. It works, but it still hasn't 100% solved my issue.
I need to have multiple Loopbacks at the head end terminating IPSEC
tunnels to different sites. With this command we can have only one
interface terminating the VPN. Is there a way I can achieve that? I went
through a lot of documentation but still couldn't find a solution.
Thank you for the useful reply.
Cheers
Saranga
On Thu, Nov 3, 2011 at 8:03 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
> Hi Sarad,
>
> Unconfigure crypto map on loopback0 interface and add command 'crypto
> map crypmap local-address lo0' to your config on both routers.
> Regards,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2011/11/3 Sarad <tosara_at_gmail.com>
>
>> Hi Guys,
>>
>> I am trying to set up an IPSEC site-to-site VPN with multiple endpoints at
>> the head end. To do that I should be able to terminate these VPNs on a
>> loopback address. I tried configuring it on the loopback, but even though
>> the tunnel sets up correctly, no traffic goes through the tunnel. But when
>> I change it back to a physical interface it works without any issue with
>> the same configuration.
>>
>>
>> *Head end config*
>>
>>
>> hostname TEST_VPN_ASR
>> !
>> aaa new-model
>> !
>> !
>> aaa authentication login userauthen local
>> aaa authorization network groupauthor local
>> !
>> !
>> !
>> !
>> !
>> aaa session-id common
>> !
>> !
>> !
>> !
>> crypto keyring L2L_A
>> pre-shared-key address 20.1.1.2 key test123
>> !
>> crypto isakmp policy 1
>> encr 3des
>> authentication pre-share
>> group 2
>>
>> crypto isakmp profile L2L_A
>> keyring L2L_A
>> match identity address 20.1.1.2 255.255.255.255
>> local-address Loopback0
>> !
>> !
>> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
>> !
>> crypto map crypmap 1 ipsec-isakmp
>> set peer 20.1.1.2
>> set transform-set Tra_L2L_A
>> set isakmp-profile L2L_A
>> match address 101
>> reverse-route
>> !
>> !
>> !
>> !
>> !
>> interface Loopback0
>> ip address 10.1.1.1 255.255.255.248
>> crypto map crypmap
>> !
>> interface Loopback1
>> ip address 10.1.1.9 255.255.255.248
>> !
>> interface Loopback2
>> ip address 10.1.1.17 255.255.255.248
>> !
>> interface Loopback100
>> ip address 200.200.200.200 255.255.255.0
>> !
>> !
>> interface GigabitEthernet0/0/0.100
>> description #### Global Internet ####
>> encapsulation dot1Q 100
>> ip address 10.2.2.1 255.255.255.0
>> crypto map crypmap
>> !
>> !
>> router eigrp 100
>> network 10.0.0.0
>> !
>> ip route 0.0.0.0 0.0.0.0 10.2.2.2
>> !
>> logging esm config
>> access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
>> access-list 101 permit ip 192.168.0.0 0.0.255.255 any
>> !
>> !
>> !
>> Cheers
>> Sara
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Nov 04 2011 - 12:04:35 ART
This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART