Your crypto config is still not quite right - you have the map on the physical and loopback interface.
Have you thought about natting this as an alternative solution? It looks like you know the peer address (all statically configured tunnels), so should be easy enough to do a policy nat. This assumes a couple things of course...
Either way you end up with a somewhat kludgy solution. Why not just do this right and migrate your customers to the new solution properly?
On Nov 3, 2011, at 10:48 PM, Sarad <tosara_at_gmail.com> wrote:
> Hi Joseph,
>
> Thanks for the reply. I tried with a static route to the loopback subnet but
> still couldn't get the traffic through.
> Following is the config
>
> !
> !
> crypto keyring L2L_A
> pre-shared-key address 20.1.1.2 key test123
> crypto keyring L2L_B
> pre-shared-key address 20.2.2.2 key test123
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> crypto isakmp profile L2L_A
> vrf CUST_A
> keyring L2L_A
> match identity address 20.1.1.2 255.255.255.255
> local-address Loopback0
> crypto isakmp profile L2L_B
> vrf CUST_B
> keyring L2L_B
> match identity address 20.2.2.2 255.255.255.255
> local-address Loopback1
> !
> !
> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> !
> crypto map crypmap local-address Loopback0
> crypto map crypmap 1 ipsec-isakmp
> set peer 20.1.1.2
> set transform-set Tra_L2L_A
> set isakmp-profile L2L_A
> match address 101
> reverse-route
> crypto map crypmap 10 ipsec-isakmp
> set peer 20.2.2.2
> set transform-set Tra_L2L_A
> set isakmp-profile L2L_B
> match address 102
> reverse-route
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 10.1.1.1 255.255.255.252
> crypto map crypmap
> !
> !
> interface GigabitEthernet0/0/0.100
> description #### Global Internet ####
> encapsulation dot1Q 100
> ip address 10.2.2.1 255.255.255.0
> crypto map crypmap
> !
> !
> interface GigabitEthernet0/0/1.300
> encapsulation dot1Q 300
> ip address 192.168.100.1 255.255.255.0
> !
> !
> !
> router eigrp 100
> network 10.0.0.0
> !
> !
> no ip http server
> no ip http secure-server
> ip route 0.0.0.0 0.0.0.0 10.2.2.2
> ip route 172.16.1.0 255.255.255.0 10.1.1.2 name TEST_CUST_A
> access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> access-list 101 deny ip any any
>
>
> Thanks for the help,
> Cheers
> Sara
>
> On Fri, Nov 4, 2011 at 12:39 PM, Joseph L. Brunner
> <joe_at_affirmedsystems.com>wrote:
>
>> Hi Sarad,
>>
>> As I stated, you need multiple loopbacks that have public IP's (even /30's
>> out of say a /24 routed to the real INTERNET FACING INTERFACE) and bind
>> UNIQUE CRYPTO MAP's to each of those interfaces.
>>
>> Then, as you stated you can't change customer config - so GRE <-> GRE with
>> EIGRP for routing is out of this design (and match gre source loopback to
>> destination peer in ipsec acl)... so now you have to allow in your design
>> for STATIC routes for the interesting traffic for each vpn to go to the
>> loopback and "get on the vpn".
>>
>> Please use this...
>>
>> interface Loopback200
>>  crypto map map-loop200
>>  ip address 200.200.200.199 255.255.255.248
>>
>> ip route 10.10.10.0 255.255.255.0 200.200.200.200 name vpndestination1-subnet
>>
>> crypto map map-loop200 1 ipsec-isakmp
>>  set peer 18.19.20.21
>>  match address vpndestination1
>>  set transform-set ESP-3DES-MD5-SHA
>>
>> ip access-list extended vpndestination1
>>  permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
>>
>> I may have forgotten the correct next hop for the static route (it's
>> been since 2005 that I had to do it this way); last I recall it works when you use an
>> IP in the subnet of the loopback, but not necessarily THE LOOPBACK IP.
>>
>> It also worked, IHMM, when I just got the traffic across the loopback where
>> the crypto map is set - like
>>
>> interface Loopback200
>>  ip vrf forwarding special-routes
>>  ip address 200.200.200.200 255.255.255.248
>>
>> ip route vrf special-routes 0.0.0.0 0.0.0.0 GigabitEthernet0/1 200.201.201.201
>>
>> I'm sure you can see my vrf way of making a router route "outside to the
>> loopback to itself first" LOL
>>
>> If not - email me and we'll do this together on gotoassist
>>
>> -Joe
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Sarad
>> Sent: Thursday, November 03, 2011 9:05 PM
>> To: Piotr Matusiak
>> Cc: Cisco certification
>> Subject: Re: IPSEC site to site VPN with loopback interface issue
>>
>> Hi Piotr,
>>
>> Thank you for your reply, it works, but it still hasn't 100% solved my issue.
>> I need to have multiple loopbacks at the head end terminating IPSEC
>> tunnels to different sites. With this command we can have only one
>> interface terminating the VPN. Is there a way I can achieve that? I went
>> through a lot of documentation but still couldn't find a solution.
>>
>> Thank you for the useful reply.
>>
>> Cheers
>>
>> Saranga
>>
>> On Thu, Nov 3, 2011 at 8:03 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>
>>> Hi Sarad,
>>>
>>> Unconfigure crypto map on loopback0 interface and add command 'crypto
>>> map crypmap local-address lo0' to your config on both routers.
>>> Regards,
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, Security), CCSI #33705
>>> Technical Instructor
>>> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
>>> blog: www.ccie1.com
>>>
>>> If you can't explain it simply, you don't understand it well enough -
>>> Albert Einstein
>>>
>>>
>>> 2011/11/3 Sarad <tosara_at_gmail.com>
>>>
>>>> Hi Guys,
>>>>
>>>> I am trying to set up an IPSEC site to site VPN with multiple end points
>>>> at the head end. To do that I should be able to terminate these VPNs on a
>>>> loopback address. I tried configuring it on the loopback, but even though
>>>> the tunnel set up correctly no traffic goes through the tunnel. When I change
>>>> it back to a physical interface it works without any issue with the same
>>>> configuration.
>>>>
>>>>
>>>> *Head end config*
>>>>
>>>>
>>>> hostname TEST_VPN_ASR
>>>> !
>>>> aaa new-model
>>>> !
>>>> !
>>>> aaa authentication login userauthen local
>>>> aaa authorization network groupauthor local
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> aaa session-id common
>>>> !
>>>> !
>>>> !
>>>> !
>>>> crypto keyring L2L_A
>>>> pre-shared-key address 20.1.1.2 key test123
>>>> !
>>>> crypto isakmp policy 1
>>>> encr 3des
>>>> authentication pre-share
>>>> group 2
>>>>
>>>> crypto isakmp profile L2L_A
>>>> keyring L2L_A
>>>> match identity address 20.1.1.2 255.255.255.255
>>>> local-address Loopback0
>>>> !
>>>> !
>>>> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
>>>> !
>>>> crypto map crypmap 1 ipsec-isakmp
>>>> set peer 20.1.1.2
>>>> set transform-set Tra_L2L_A
>>>> set isakmp-profile L2L_A
>>>> match address 101
>>>> reverse-route
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> interface Loopback0
>>>> ip address 10.1.1.1 255.255.255.248
>>>> crypto map crypmap
>>>> !
>>>> interface Loopback1
>>>> ip address 10.1.1.9 255.255.255.248
>>>> !
>>>> interface Loopback2
>>>> ip address 10.1.1.17 255.255.255.248
>>>> !
>>>> interface Loopback100
>>>> ip address 200.200.200.200 255.255.255.0
>>>> !
>>>> !
>>>> interface GigabitEthernet0/0/0.100
>>>> description #### Global Internet ####
>>>> encapsulation dot1Q 100
>>>> ip address 10.2.2.1 255.255.255.0
>>>> crypto map crypmap
>>>> !
>>>> !
>>>> router eigrp 100
>>>> network 10.0.0.0
>>>> !
>>>> ip route 0.0.0.0 0.0.0.0 10.2.2.2
>>>> !
>>>> logging esm config
>>>> access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
>>>> access-list 101 permit ip 192.168.0.0 0.0.255.255 any
>>>> !
>>>> !
>>>> !
>>>> Cheers
>>>> Sara
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>
>
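As an added, constructed check (not from the thread or any of its authors): a small Python audit that parses an IOS config in the shape posted above and reports the three things the thread turns on: a crypto map bound to more than one interface (Joseph's point), a map applied on the very loopback that is already its local-address (Piotr's point), and a map entry matching an ACL that is never defined (Sarad's second config references access-list 102 but only defines 101). The sample config is a constructed trim of that posted config.

```python
import re
from collections import defaultdict
# Constructed sample: the head-end lines from the posted config that the audit looks at.
SAMPLE_CONFIG = """\
crypto map crypmap local-address Loopback0
crypto map crypmap 1 ipsec-isakmp
 match address 101
crypto map crypmap 10 ipsec-isakmp
 match address 102
interface Loopback0
 crypto map crypmap
interface GigabitEthernet0/0/0.100
 crypto map crypmap
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
"""

def parse_config(text):
    # map -> interfaces it is applied on, map -> local-address, map -> ACLs matched, ACLs defined
    applied, local_addr, acls_used, acls_defined = defaultdict(list), {}, defaultdict(set), set()
    section = None  # ("if", name) or ("map", name) for the current indented block
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"interface (\S+)$", s):
            section = ("if", m.group(1))
        elif m := re.match(r"crypto map (\S+) local-address (\S+)$", s):
            local_addr[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", s):
            section = ("map", m.group(1))
        elif s == "!": section = None  # end of an indented block
        elif section and section[0] == "if" and (m := re.match(r"crypto map (\S+)$", s)):
            applied[m.group(1)].append(section[1])
        elif section and section[0] == "map" and (m := re.match(r"match address (\S+)$", s)):
            acls_used[section[1]].add(m.group(1))
        elif m := re.match(r"(?:ip access-list \S+ |access-list )(\S+)", s):
            acls_defined.add(m.group(1))
    return applied, local_addr, acls_used, acls_defined

def audit(text):
    applied, local_addr, acls_used, acls_defined = parse_config(text)
    findings = []
    for name, ifaces in applied.items():
        if len(ifaces) > 1:  # one map on both the physical and the loopback interface
            findings.append(f"map {name} applied on several interfaces: {', '.join(ifaces)}")
        if local_addr.get(name) in ifaces:  # local-address already sources it from the loopback
            findings.append(f"map {name} applied on its own local-address {local_addr[name]}")
    for name, acls in acls_used.items():
        for acl in sorted(acls - acls_defined):  # match address pointing at a missing ACL
            findings.append(f"map {name} matches ACL {acl}, which is not defined")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against a `show running-config` dump to get the list of findings; an empty list means none of the three conditions is present.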
Received on Fri Nov 04 2011 - 06:48:43 ART
This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART