RE: IPSEC site to site VPN with loopback interface issue

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Fri, 4 Nov 2011 01:39:18 +0000

Hi Sarad,

As I stated, you need multiple loopbacks that have public IPs (even /30s out of, say, a /24 routed to the real INTERNET FACING INTERFACE) and bind UNIQUE CRYPTO MAPs to each of those interfaces.

Then, as you stated, you can't change the customer config - so GRE <-> GRE with EIGRP for routing is out of this design (and matching the GRE source loopback to the destination peer in the IPsec ACL)... so now you have to allow in your design for STATIC routes for the interesting traffic for each VPN to go to the loopback and "get on the VPN".

Please use this...

interface Loopback200
 ip address 200.200.200.199 255.255.255.248
 crypto map map-loop200
!
ip route 10.10.10.0 255.255.255.0 200.200.200.200 name vpndestination1-subnet
!
crypto map map-loop200 1 ipsec-isakmp
 set peer 18.19.20.21
 match address vpndestination1
 set transform-set ESP-3DES-MD5-SHA
!
ip access-list extended vpndestination1
 ! source wildcard assumed to be 0.0.0.255 (a /24); the original read 0.0.0.0
 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

I may have forgotten the correct next hop for the static route (it's been since 2005 that I had to do it this way); last I recall it works when you use an IP in the subnet of the loopback, but not necessarily THE LOOPBACK IP.

It also worked, IHMM, when I just got the traffic across the loopback where the crypto map is set - like

interface Loopback200
 ip vrf forwarding special-routes
!
ip route 200.200.200.200 255.255.255.248
!
ip route vrf special-routes 0.0.0.0 0.0.0.0 GigabitEthernet0/1 200.201.201.201

I'm sure you can see my vrf way of making a router route "outside to the loopback to itself first" LOL

If not - email me and we'll do this together on gotoassist

-Joe
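
Added example, not a config posted by anyone in this thread: Sarad's head-end config (quoted below) with Piotr's local-address fix applied for a single loopback. It assumes the peer is reachable from the loopback address; peer, ACL 101, transform set and names are taken from Sarad's post.

```cisco
! Added example, not a config from this thread: Sarad's head end with
! Piotr's fix applied for one loopback. A crypto map on a loopback never
! sees transit packets, so nothing gets encrypted; the map must stay on
! the interface the traffic actually leaves through, and local-address
! makes IKE and ESP use the loopback address instead.
! Crypto settings kept as Sarad posted them; 3DES and DH group 2 are legacy.
crypto keyring L2L_A
  pre-shared-key address 20.1.1.2 key test123
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp profile L2L_A
 keyring L2L_A
 match identity address 20.1.1.2 255.255.255.255
 local-address Loopback0
!
crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
!
! Source every SA of this map from Loopback0 (Piotr's command)
crypto map crypmap local-address Loopback0
crypto map crypmap 1 ipsec-isakmp
 set peer 20.1.1.2
 set transform-set Tra_L2L_A
 set isakmp-profile L2L_A
 match address 101
 reverse-route
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.248
 ! no "crypto map crypmap" on the loopback any more
!
interface GigabitEthernet0/0/0.100
 description #### Global Internet ####
 encapsulation dot1Q 100
 ip address 10.2.2.1 255.255.255.0
 crypto map crypmap
!
ip route 0.0.0.0 0.0.0.0 10.2.2.2
access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
!
! Checks: the peer (20.1.1.2) must have a route to 10.1.1.1 and must use
! 10.1.1.1 as its own "set peer"; then confirm the SA endpoints and counters:
! show crypto isakmp sa
! show crypto ipsec sa peer 20.1.1.2 | include local crypto endpt|encaps|decaps
```

If "local crypto endpt" still shows 10.2.2.1, the local-address line was not applied to the crypto map that is bound to the subinterface.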

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sarad
Sent: Thursday, November 03, 2011 9:05 PM
To: Piotr Matusiak
Cc: Cisco certification
Subject: Re: IPSEC site to site VPN with loopback interface issue

Hi Piotr,

Thank you for your reply, it works, but it still hasn't 100% solved my issue.
As I need to have multiple loopbacks at the head end terminating IPsec
tunnels to different sites. With this command we can have only one
interface terminating the VPN. Is there a way I can achieve that? I went
through a lot of documentation but still couldn't find a solution.

Thank you for the useful reply.

Cheers

Saranga

On Thu, Nov 3, 2011 at 8:03 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:

> Hi Sarad,
>
> Unconfigure crypto map on loopback0 interface and add command 'crypto
> map crypmap local-address lo0' to your config on both routers.
> Regards,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2011/11/3 Sarad <tosara_at_gmail.com>
>
>> Hi Guys,
>>
>> I am trying to set up an IPsec site-to-site VPN with multiple end points at
>> the head end. To do that I should be able to terminate these VPNs on a
>> loopback address. I tried configuring it on the loopback but even though the
>> tunnel set up correctly no traffic goes through the tunnel. But when I change
>> it back to a physical interface it works without any issue with the same
>> configuration.
>>
>>
>> *Head end config*
>>
>> hostname TEST_VPN_ASR
>> !
>> aaa new-model
>> !
>> aaa authentication login userauthen local
>> aaa authorization network groupauthor local
>> !
>> aaa session-id common
>> !
>> crypto keyring L2L_A
>>   pre-shared-key address 20.1.1.2 key test123
>> !
>> crypto isakmp policy 1
>>  encr 3des
>>  authentication pre-share
>>  group 2
>> !
>> crypto isakmp profile L2L_A
>>  keyring L2L_A
>>  match identity address 20.1.1.2 255.255.255.255
>>  local-address Loopback0
>> !
>> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
>> !
>> crypto map crypmap 1 ipsec-isakmp
>>  set peer 20.1.1.2
>>  set transform-set Tra_L2L_A
>>  set isakmp-profile L2L_A
>>  match address 101
>>  reverse-route
>> !
>> interface Loopback0
>>  ip address 10.1.1.1 255.255.255.248
>>  crypto map crypmap
>> !
>> interface Loopback1
>>  ip address 10.1.1.9 255.255.255.248
>> !
>> interface Loopback2
>>  ip address 10.1.1.17 255.255.255.248
>> !
>> interface Loopback100
>>  ip address 200.200.200.200 255.255.255.0
>> !
>> interface GigabitEthernet0/0/0.100
>>  description #### Global Internet ####
>>  encapsulation dot1Q 100
>>  ip address 10.2.2.1 255.255.255.0
>>  crypto map crypmap
>> !
>> router eigrp 100
>>  network 10.0.0.0
>> !
>> ip route 0.0.0.0 0.0.0.0 10.2.2.2
>> !
>> logging esm config
>> access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
>> access-list 101 permit ip 192.168.0.0 0.0.255.255 any
>> !
>> Cheers
>> Sara
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Received on Fri Nov 04 2011 - 01:39:18 ART