RE: IPSEC site to site VPN with loopback interface issue

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Fri, 4 Nov 2011 14:50:29 +0000

Yes, like David said - integrate your clients correctly...

As posted, I have a VRF way to do this - but again - there have to be production
outages to support a change

From: Sarad [mailto:tosara_at_gmail.com]
Sent: Friday, November 04, 2011 10:49 AM
To: David Bass
Cc: Joseph L. Brunner; Piotr Matusiak; Cisco certification
Subject: Re: IPSEC site to site VPN with loopback interface issue

Hi All,

Managed to get it to work by applying a policy map to the inside interface of the
head end router. But it's an awful looking config to put on the production
:D. mhhhhhhhhhhhhh Wonder whether there is any other way better than this.
The config change I did is as follows,

!
interface Serial1/3
 ip address 192.168.100.1 255.255.255.0
 ip policy route-map TEST
 serial restart-delay 0
 clock rate 64000

route-map TEST permit 10
 match ip address 101 <- Interesting traffic access list
 set interface Loopback0

Thanks guys for your time

Cheers
Sara

On Sat, Nov 5, 2011 at 1:38 AM, Sarad <tosara_at_gmail.com> wrote:
Hi David,

Sorry, I was trying too many changes and posted the incorrect config. Following
are the configs of the two routers

---------------------Head end---------------------------------

crypto keyring L2L_A
  pre-shared-key address 10.2.2.2 key test123

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile L2L_A
   keyring L2L_A
   match identity address 10.2.2.2 255.255.255.255
!
!
crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 10.2.2.2

 set transform-set Tra_L2L_A
 set isakmp-profile L2L_A
 match address 101
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.252
 crypto map crypmap
!
interface FastEthernet0/0
 ip address 155.1.37.3 255.255.255.0
 shutdown
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 shutdown
 serial restart-delay 0
!
interface Serial1/0.1 point-to-point
 ip address 155.1.0.3 255.255.255.0
 frame-relay interface-dlci 305
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 ip address 10.2.2.1 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/3
 ip address 192.168.100.1 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
router eigrp 100
 network 155.1.0.0
 no auto-summary

!
ip route 0.0.0.0 0.0.0.0 10.2.2.2
ip route 172.16.1.0 255.255.255.0 10.1.1.2
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 deny ip any any

------------------------- remote ------------------------------
crypto keyring L2L_A
  pre-shared-key address 10.1.1.1 key test123

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile L2L_A
   keyring L2L_A
   match identity address 10.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 10.1.1.1

 set transform-set Tra_L2L_A
 set isakmp-profile L2L_A
 match address 101
 reverse-route
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/1
 ip address 10.2.2.2 255.255.255.0
 clock rate 2000000
 crypto map crypmap
!
!
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
!
!
access-list 101 permit ip any 192.168.100.0 0.0.0.255


I can see encrypted traffic flowing from the remote end to the head end but no
return traffic from the head end. I still couldn't get this traffic routed via
the loopback.

Yes, as you pointed out, this will be an awful solution; that's the main reason I
posted this here in this forum, because I can get the opinion of more experienced
people. I could not find any Cisco documentation for this kind of
configuration. My real configuration will be a VRF-aware VPN where traffic
coming from the internet terminates in multiple user VRFs. I got it working with
a single public IP, but I'm checking whether I can do it with multiple public IPs.
Thanks for your thoughts.

cheers

Sara
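
A small config sanity-checker, added here as an example (it is not from the thread or from Cisco), that parses trimmed copies of the head-end and remote configs above and checks the three things the thread turns on: that the crypto map sits on exactly one interface, that each `set peer` is an address of an interface that actually carries the other side's crypto map, and that the two crypto ACLs are mirror images. The function names and the trimmed config strings are my own.

```python
# Trimmed copies of the head-end and remote configs posted above (constructed from the thread; only lines these checks read)
HEAD_END = """\
crypto map crypmap 1 ipsec-isakmp
 set peer 10.2.2.2
interface Loopback0
 ip address 10.1.1.1 255.255.255.252
 crypto map crypmap
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
"""
REMOTE = """\
crypto map crypmap 1 ipsec-isakmp
 set peer 10.1.1.1
interface Serial0/1
 ip address 10.2.2.2 255.255.255.0
 crypto map crypmap
access-list 101 permit ip any 192.168.100.0 0.0.0.255
"""

def _net(t):
    # one ACL address term, 'any' or 'A.B.C.D WILDCARD' (the forms used in the thread) -> ((net, wild), rest)
    return (("0.0.0.0", "255.255.255.255"), t[1:]) if t[0] == "any" else ((t[0], t[1]), t[2:])
def parse(cfg):
    # collect 'set peer' targets, interface addresses, interfaces carrying a crypto map and crypto ACL entries
    info, iface = {"peers": [], "addr": {}, "map_on": [], "acl": set()}, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if not raw.startswith(" "):          # top-level line: track only interface blocks
            iface = s.split()[1] if s.startswith("interface ") else None
        if iface and s.startswith("ip address "):
            info["addr"][iface] = s.split()[2]
        elif iface and s.startswith("crypto map ") and len(s.split()) == 3:
            info["map_on"].append(iface)     # 'crypto map NAME' applied on an interface
        elif s.startswith("set peer "):
            info["peers"].append(s.split()[2])
        elif s.startswith("access-list ") and " permit ip " in s:
            src, rest = _net(s.split()[4:])  # tokens after 'access-list N permit ip'
            info["acl"].add((src, _net(rest)[0]))
    return info

def acls_mirror(a, b):
    # IPsec proxy identities must be exact mirror images or phase 2 fails with a proxy-ID mismatch
    return {(d, s) for s, d in a["acl"]} == b["acl"]
def peers_on_crypto_interfaces(local, remote):
    # every 'set peer' must be an address of a remote interface that actually carries the crypto map
    return all(p in {remote["addr"].get(i) for i in remote["map_on"]} for p in local["peers"])
def check_pair(local, remote):
    # True means the check passes; single_crypto_interface is David's point about the earlier head-end config
    return {"single_crypto_interface": len(local["map_on"]) == 1, "acls_mirror": acls_mirror(local, remote),
            "peer_on_crypto_interface": peers_on_crypto_interfaces(local, remote)}
```

All three checks pass on the configs posted in this message, which is consistent with what is described: the tunnel negotiates and encrypted traffic arrives, so the fault is in the forwarding path for return traffic, which this checker does not model.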

On Fri, Nov 4, 2011 at 10:48 PM, David Bass <davidbass570_at_gmail.com> wrote:
Your crypto config is still not quite right - you have the map on the physical
and loopback interface.

Have you thought about natting this as an alternative solution? It looks like
you know the peer address (all statically configured tunnels), so should be
easy enough to do a policy nat. This assumes a couple things of course...

Either way you end up with a somewhat kludgy solution. Why not just do this
right and migrate your customers to the new solution properly?

On Nov 3, 2011, at 10:48 PM, Sarad <tosara_at_gmail.com> wrote:

> Hi Joseph,
>
> Thanks for the reply. I tried with a static route to the loopback subnet but
> still couldn't get the traffic through.
> Following is the config
>
> !
> !
> crypto keyring L2L_A
> pre-shared-key address 20.1.1.2 key test123
> crypto keyring L2L_B
> pre-shared-key address 20.2.2.2 key test123
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> crypto isakmp profile L2L_A
> vrf CUST_A
> keyring L2L_A
> match identity address 20.1.1.2 255.255.255.255
> local-address Loopback0
> crypto isakmp profile L2L_B
> vrf CUST_B
> keyring L2L_B
> match identity address 20.2.2.2 255.255.255.255
> local-address Loopback1
> !
> !
> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> !
> crypto map crypmap local-address Loopback0
> crypto map crypmap 1 ipsec-isakmp
> set peer 20.1.1.2
> set transform-set Tra_L2L_A
> set isakmp-profile L2L_A
> match address 101
> reverse-route
> crypto map crypmap 10 ipsec-isakmp
> set peer 20.2.2.2
> set transform-set Tra_L2L_A
> set isakmp-profile L2L_B
> match address 102
> reverse-route
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 10.1.1.1 255.255.255.252
> crypto map crypmap
> !
> !
> interface GigabitEthernet0/0/0.100
> description #### Global Internet ####
> encapsulation dot1Q 100
> ip address 10.2.2.1 255.255.255.0
> crypto map crypmap
> !
> !
> interface GigabitEthernet0/0/1.300
> encapsulation dot1Q 300
> ip address 192.168.100.1 255.255.255.0
> !
> !
> !
> router eigrp 100
> network 10.0.0.0
> !
> !
> no ip http server
> no ip http secure-server
> ip route 0.0.0.0 0.0.0.0 10.2.2.2
> ip route 172.16.1.0 255.255.255.0 10.1.1.2 name TEST_CUST_A
> access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> access-list 101 deny ip any any
>
>
> Thanks for the help,
> Cheers
> Sara
>
> On Fri, Nov 4, 2011 at 12:39 PM, Joseph L. Brunner
> <joe_at_affirmedsystems.com> wrote:
>
>> Hi Sarad,
>>
>> As I stated, you need multiple loopbacks that have public IPs (even /30s
>> out of say a /24 routed to the real INTERNET FACING INTERFACE) and bind
>> UNIQUE CRYPTO MAPs to each of those interfaces.
>>
>> Then, as you stated you can't change customer config - so GRE <-> GRE with
>> EIGRP for routing is out of this design (and match gre source loopback to
>> destination peer in ipsec acl)... so now you have to allow in your design
>> for STATIC routes for the interesting traffic for each vpn to go to the
>> loopback and "get on the vpn".
>>
>> Please use this...
>>
>> Int loop200
>> Crypto map map-loop200
>> Ip addr 200.200.200.199 255.255.255.248
>>
>> Ip route 10.10.10.0 255.255.255.0 200.200.200.200 name
>> vpndestination1-subnet
>>
>> Cry map map-loop200 1 ipsec-isakmp
>> Set peer 18.19.20.21
>> Match address vpndestination1
>> Set transform ESP-3DES-MD5-SHA
>>
>> ip access-list extended vpndestination1
>> permit 10.20.20.0 0.0.0.0 10.10.10.0 0.0.0.255
>>
>> I may have forgotten the correct next hop for the static route (it's
>> been since 2005 that I had to do it this way); last I recall it works when
>> you use an ip in the subnet of the loopback, but not necessarily THE LOOPBACK IP.
>>
>> It also worked, IHMM, when I just got the traffic across the loopback where
>> the crypto map is set - like
>>
>> Int loop200
>> ip vrf forwarding special-routes
>> ip route 200.200.200.200 255.255.255.248
>>
>> ip route vrf special-routes 0.0.0.0 0.0.0.0 int g0/1 200.201.201.201
>>
>> I'm sure you can see my vrf way of making a router route "outside to the
>> loopback to itself first" LOL
>>
>> If not - email me and we'll do this together on gotoassist
>>
>> -Joe
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Sarad
>> Sent: Thursday, November 03, 2011 9:05 PM
>> To: Piotr Matusiak
>> Cc: Cisco certification
>> Subject: Re: IPSEC site to site VPN with loopback interface issue
>>
>> Hi Piotr,
>>
>> Thank you for your reply, it works, but still it hasn't 100% solved my
>> issue, as I need to have multiple loopbacks at the head end terminating IPSEC
>> tunnels to different sites. With this command we can have only one
>> interface terminating the VPN. Is there a way I can achieve that? I went
>> through much documentation but still couldn't find a solution.
>>
>> Thank you for the useful reply.
>>
>> Cheers
>>
>> Saranga
>>
>> On Thu, Nov 3, 2011 at 8:03 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>
>>> Hi Sarad,
>>>
>>> Unconfigure crypto map on loopback0 interface and add command 'crypto
>>> map crypmap local-address lo0' to your config on both routers.
>>> Regards,
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, Security), CCSI #33705
>>> Technical Instructor
>>> website: www.MicronicsTraining.com
>>> blog: www.ccie1.com
>>>
>>> If you can't explain it simply, you don't understand it well enough -
>>> Albert Einstein
>>>
>>>
>>> 2011/11/3 Sarad <tosara_at_gmail.com>
>>>
>>>> Hi Guys,
>>>>
>>>> I am trying to set up an IPSEC site to site VPN with multiple end points
>>>> at the head end. To do that I should be able to terminate these VPNs on a
>>>> loopback address. I tried configuring it on the loopback but even though the
>>>> tunnel set up correctly no traffic goes through the tunnel. But when I change
>>>> it back to a physical interface it works without any issue with the same
>>>> configuration.
>>>>
>>>>
>>>> *Head end config*
>>>>
>>>>
>>>> hostname TEST_VPN_ASR
>>>> !
>>>> aaa new-model
>>>> !
>>>> !
>>>> aaa authentication login userauthen local
>>>> aaa authorization network groupauthor local
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> aaa session-id common
>>>> !
>>>> !
>>>> !
>>>> !
>>>> crypto keyring L2L_A
>>>> pre-shared-key address 20.1.1.2 key test123
>>>> !
>>>> crypto isakmp policy 1
>>>> encr 3des
>>>> authentication pre-share
>>>> group 2
>>>>
>>>> crypto isakmp profile L2L_A
>>>> keyring L2L_A
>>>> match identity address 20.1.1.2 255.255.255.255
>>>> local-address Loopback0
>>>> !
>>>> !
>>>> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
>>>> !
>>>> crypto map crypmap 1 ipsec-isakmp
>>>> set peer 20.1.1.2
>>>> set transform-set Tra_L2L_A
>>>> set isakmp-profile L2L_A
>>>> match address 101
>>>> reverse-route
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> interface Loopback0
>>>> ip address 10.1.1.1 255.255.255.248
>>>> crypto map crypmap
>>>> !
>>>> interface Loopback1
>>>> ip address 10.1.1.9 255.255.255.248
>>>> !
>>>> interface Loopback2
>>>> ip address 10.1.1.17 255.255.255.248
>>>> !
>>>> interface Loopback100
>>>> ip address 200.200.200.200 255.255.255.0
>>>> !
>>>> !
>>>> interface GigabitEthernet0/0/0.100
>>>> description #### Global Internet ####
>>>> encapsulation dot1Q 100
>>>> ip address 10.2.2.1 255.255.255.0
>>>> crypto map crypmap
>>>> !
>>>> !
>>>> router eigrp 100
>>>> network 10.0.0.0
>>>> !
>>>> ip route 0.0.0.0 0.0.0.0 10.2.2.2
>>>> !
>>>> logging esm config
>>>> access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
>>>> access-list 101 permit ip 192.168.0.0 0.0.255.255 any
>>>> !
>>>> !
>>>> !
>>>> Cheers
>>>> Sara
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>
>

Received on Fri Nov 04 2011 - 14:50:29 ART

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART