Re: IPSEC site to site VPN with loopback interface issue

From: Sarad <tosara_at_gmail.com>
Date: Fri, 4 Nov 2011 14:48:47 +1100

Hi Joseph,

Thanks for the reply. I tried with a static route to the loopback subnet but
still couldn't get the traffic through.
Following is the config:

!
!
crypto keyring L2L_A
  pre-shared-key address 20.1.1.2 key test123
crypto keyring L2L_B
  pre-shared-key address 20.2.2.2 key test123
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile L2L_A
   vrf CUST_A
   keyring L2L_A
   match identity address 20.1.1.2 255.255.255.255
   local-address Loopback0
crypto isakmp profile L2L_B
   vrf CUST_B
   keyring L2L_B
   match identity address 20.2.2.2 255.255.255.255
   local-address Loopback1
!
!
crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
!
crypto map crypmap local-address Loopback0
crypto map crypmap 1 ipsec-isakmp
 set peer 20.1.1.2
 set transform-set Tra_L2L_A
 set isakmp-profile L2L_A
 match address 101
 reverse-route
crypto map crypmap 10 ipsec-isakmp
 set peer 20.2.2.2
 set transform-set Tra_L2L_A
 set isakmp-profile L2L_B
 match address 102
 reverse-route
!
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.252
 crypto map crypmap
!
!
interface GigabitEthernet0/0/0.100
 description #### Global Internet ####
 encapsulation dot1Q 100
 ip address 10.2.2.1 255.255.255.0
 crypto map crypmap
!
!
interface GigabitEthernet0/0/1.300
 encapsulation dot1Q 300
 ip address 192.168.100.1 255.255.255.0
!
!
!
router eigrp 100
 network 10.0.0.0
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.2.2.2
ip route 172.16.1.0 255.255.255.0 10.1.1.2 name TEST_CUST_A
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 deny ip any any

Thanks for the help,
Cheers
Sara

On Fri, Nov 4, 2011 at 12:39 PM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:

> Hi Sarad,
>
> As I stated, you need multiple loopbacks that have public IPs (even /30s
> out of, say, a /24 routed to the real INTERNET FACING INTERFACE) and bind
> UNIQUE CRYPTO MAPs to each of those interfaces.
>
> Then, as you stated, you can't change the customer config - so GRE <-> GRE with
> EIGRP for routing is out of this design (and matching the GRE source loopback to
> the destination peer in the IPsec ACL)... so now you have to allow in your design
> for STATIC routes for the interesting traffic for each VPN to go to the
> loopback and "get on the VPN").
>
> Please use this...
>
> interface loop200
>  crypto map map-loop200
>  ip address 200.200.200.199 255.255.255.248
>
> ip route 10.10.10.0 255.255.255.0 200.200.200.200 name vpndestination1-subnet
>
> crypto map map-loop200 1 ipsec-isakmp
>  set peer 18.19.20.21
>  match address vpndestination1
>  set transform-set ESP-3DES-MD5-SHA
>
> ip access-list extended vpndestination1
>  permit ip 10.20.20.0 0.0.0.0 10.10.10.0 0.0.0.255
>
> I may have forgotten the correct next hop for the static route (it's
> been since 2005 that I had to do it this way); last I recall it works when you use
> an IP in the subnet of the loopback, but not necessarily THE LOOPBACK IP.
>
> It also worked, IHMM, when I just got the traffic across the loopback where
> the crypto map is set - like
>
> interface loop200
>  ip vrf forwarding special-routes
>  ip route 200.200.200.200 255.255.255.248
>
> ip route vrf special-routes 0.0.0.0 0.0.0.0 int g0/1 200.201.201.201
>
> I'm sure you can see my VRF way of making a router route "outside to the
> loopback to itself first" LOL
>
> If not - email me and we'll do this together on gotoassist
>
> -Joe
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Sarad
> Sent: Thursday, November 03, 2011 9:05 PM
> To: Piotr Matusiak
> Cc: Cisco certification
> Subject: Re: IPSEC site to site VPN with loopback interface issue
>
> Hi Piotr,
>
> Thank you for your reply, it works, but it still hasn't 100% solved my issue.
> I need to have multiple loopbacks at the head end terminating IPsec
> tunnels to different sites. With this command we can have only one
> interface terminating the VPN. Is there a way I can achieve that? I went
> through a lot of documentation but still couldn't find a solution.
>
> Thank you for the useful reply.
>
> Cheers
>
> Saranga
>
> On Thu, Nov 3, 2011 at 8:03 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>
> > Hi Sarad,
> >
> > Unconfigure crypto map on loopback0 interface and add command 'crypto
> > map crypmap local-address lo0' to your config on both routers.
> > Regards,
> > --
> > Piotr Matusiak
> > CCIE #19860 (R&S, Security), CCSI #33705
> > Technical Instructor
> > website: www.MicronicsTraining.com
> > blog: www.ccie1.com
> >
> > If you can't explain it simply, you don't understand it well enough -
> > Albert Einstein
> >
> >
> > 2011/11/3 Sarad <tosara_at_gmail.com>
> >
> >> Hi Guys,
> >>
> >> I am trying to set up an IPsec site-to-site VPN with multiple end points at
> >> the head end. To do that I should be able to terminate these VPNs on a
> >> loopback address. I tried configuring it on the loopback, but even though the
> >> tunnel set up correctly no traffic goes through the tunnel. When I change it
> >> back to a physical interface it works without any issue with the same
> >> configuration.
> >>
> >>
> >> Head end config
> >>
> >>
> >> hostname TEST_VPN_ASR
> >> !
> >> aaa new-model
> >> !
> >> !
> >> aaa authentication login userauthen local
> >> aaa authorization network groupauthor local
> >> !
> >> !
> >> !
> >> !
> >> !
> >> aaa session-id common
> >> !
> >> !
> >> !
> >> !
> >> crypto keyring L2L_A
> >> pre-shared-key address 20.1.1.2 key test123
> >> !
> >> crypto isakmp policy 1
> >> encr 3des
> >> authentication pre-share
> >> group 2
> >>
> >> crypto isakmp profile L2L_A
> >> keyring L2L_A
> >> match identity address 20.1.1.2 255.255.255.255
> >> local-address Loopback0
> >> !
> >> !
> >> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> >> !
> >> crypto map crypmap 1 ipsec-isakmp
> >> set peer 20.1.1.2
> >> set transform-set Tra_L2L_A
> >> set isakmp-profile L2L_A
> >> match address 101
> >> reverse-route
> >> !
> >> !
> >> !
> >> !
> >> !
> >> interface Loopback0
> >> ip address 10.1.1.1 255.255.255.248
> >> crypto map crypmap
> >> !
> >> interface Loopback1
> >> ip address 10.1.1.9 255.255.255.248
> >> !
> >> interface Loopback2
> >> ip address 10.1.1.17 255.255.255.248
> >> !
> >> interface Loopback100
> >> ip address 200.200.200.200 255.255.255.0
> >> !
> >> !
> >> interface GigabitEthernet0/0/0.100
> >> description #### Global Internet ####
> >> encapsulation dot1Q 100
> >> ip address 10.2.2.1 255.255.255.0
> >> crypto map crypmap
> >> !
> >> !
> >> router eigrp 100
> >> network 10.0.0.0
> >> !
> >> ip route 0.0.0.0 0.0.0.0 10.2.2.2
> >> !
> >> logging esm config
> >> access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
> >> access-list 101 permit ip 192.168.0.0 0.0.255.255 any
> >> !
> >> !
> >> !
> >> Cheers
> >> Sara
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
>

Received on Fri Nov 04 2011 - 14:48:47 ART

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART
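Added example (editor's addition, not code from the thread or from Cisco): a small cross-reference check for the crypto-map / ISAKMP-profile style of config posted above. It parses IOS-style blocks and flags a `local-address` that names an interface the config never defines, a `match address` that points at an ACL the config never defines, and an entry whose ISAKMP profile sources IKE from a different loopback than the crypto map's own `local-address`. The embedded config is a constructed, condensed copy of Sarad's head-end config; the function names are hypothetical. Whether the references it flags are omissions from the paste or from the router is not something the thread settles.

```python
"""Cross-reference check for IOS crypto-map / ISAKMP-profile configs.
Added example, not from the thread; helper names are hypothetical."""

# Constructed sample: condensed from the head-end config posted in the thread.
SAMPLE_CONFIG = """
crypto isakmp profile L2L_A
 match identity address 20.1.1.2 255.255.255.255
 local-address Loopback0
crypto isakmp profile L2L_B
 match identity address 20.2.2.2 255.255.255.255
 local-address Loopback1
crypto map crypmap local-address Loopback0
crypto map crypmap 1 ipsec-isakmp
 set peer 20.1.1.2
 set isakmp-profile L2L_A
 match address 101
crypto map crypmap 10 ipsec-isakmp
 set peer 20.2.2.2
 set isakmp-profile L2L_B
 match address 102
interface Loopback0
 ip address 10.1.1.1 255.255.255.252
 crypto map crypmap
interface GigabitEthernet0/0/0.100
 ip address 10.2.2.1 255.255.255.0
 crypto map crypmap
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
"""


def parse_blocks(text):
    """Split IOS config into (header, [indented child lines]); '!' and blanks dropped."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def first(body, prefix):
    """Value following `prefix` in a block body (e.g. 'match address 101' -> '101')."""
    for b in body:
        if b.startswith(prefix + " "):
            return b.split()[len(prefix.split())]
    return None


def parse_config(text):
    """Collect interfaces, ACLs, ISAKMP profiles and crypto map entries."""
    cfg = {"interfaces": {}, "acls": set(), "profiles": {}, "map_local": {}, "entries": {}}
    for header, body in parse_blocks(text):
        w = header.split()
        if w[0] == "interface":  # which crypto maps are applied on this interface
            cfg["interfaces"][w[1]] = {b.split()[2] for b in body if b.startswith("crypto map ")}
        elif w[0] == "access-list":
            cfg["acls"].add(w[1])
        elif header.startswith("ip access-list "):
            cfg["acls"].add(w[-1])
        elif header.startswith("crypto isakmp profile "):
            cfg["profiles"][w[3]] = first(body, "local-address")
        elif header.startswith("crypto map ") and len(w) == 5 and w[3] == "local-address":
            cfg["map_local"][w[2]] = w[4]
        elif header.startswith("crypto map ") and len(w) >= 5 and w[4] == "ipsec-isakmp":
            cfg["entries"][(w[2], int(w[3]))] = {"profile": first(body, "set isakmp-profile"),
                                                 "acl": first(body, "match address")}
    return cfg


def check(cfg):
    """Findings for references that point at nothing and for IKE/IPsec source mismatch."""
    f, ifaces = [], cfg["interfaces"]
    for name, la in cfg["profiles"].items():
        if la and la not in ifaces:
            f.append(f"isakmp profile {name}: local-address {la} is not a configured interface")
    for m, la in cfg["map_local"].items():
        if la not in ifaces:
            f.append(f"crypto map {m}: local-address {la} is not a configured interface")
    for (m, seq), e in sorted(cfg["entries"].items()):
        tag = f"crypto map {m} {seq}"
        if e["acl"] is None:
            f.append(f"{tag}: no match address")
        elif e["acl"] not in cfg["acls"]:
            f.append(f"{tag}: match address {e['acl']} references an undefined ACL")
        if e["profile"] and e["profile"] not in cfg["profiles"]:
            f.append(f"{tag}: isakmp profile {e['profile']} is not defined")
        elif e["profile"]:  # profile sources IKE; the crypto map local-address sources IPsec
            prof_la, map_la = cfg["profiles"][e["profile"]], cfg["map_local"].get(m)
            if prof_la and map_la and prof_la != map_la:
                f.append(f"{tag}: isakmp profile {e['profile']} uses local-address "
                         f"{prof_la} but crypto map {m} uses local-address {map_la}")
    applied = {}
    for iname, maps in ifaces.items():
        for m in maps:
            applied.setdefault(m, []).append(iname)
    for m, where in applied.items():  # one map set on several interfaces needs a local-address
        if len(where) > 1 and m not in cfg["map_local"]:
            f.append(f"crypto map {m} is on {', '.join(sorted(where))} but has no local-address")
    return f


if __name__ == "__main__":
    for line in check(parse_config(SAMPLE_CONFIG)):
        print(line)
```

Run against the sample it reports three things: profile L2L_B's `local-address Loopback1` has no matching `interface Loopback1`, entry 10's `match address 102` has no ACL 102, and entry 10's profile sources IKE from Loopback1 while `crypto map crypmap local-address Loopback0` sources the IPsec side from Loopback0. Feed it `show running-config` output from a real box before trusting a paste.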