Re: IPSEC site to site VPN with loopback interface issue

From: Sarad <tosara_at_gmail.com>
Date: Sat, 5 Nov 2011 01:38:16 +1100

Hi David,

Sorry, I was trying too many changes and posted the incorrect config.
Following are the configs of the two routers:

---------------------Head end---------------------------------

crypto keyring L2L_A
  pre-shared-key address 10.2.2.2 key test123
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile L2L_A
   keyring L2L_A
   match identity address 10.2.2.2 255.255.255.255
!
!
crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set Tra_L2L_A
 set isakmp-profile L2L_A
 match address 101
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.252
 crypto map crypmap
!
interface FastEthernet0/0
 ip address 155.1.37.3 255.255.255.0
 shutdown
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 shutdown
 serial restart-delay 0
!
interface Serial1/0.1 point-to-point
 ip address 155.1.0.3 255.255.255.0
 frame-relay interface-dlci 305
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 ip address 10.2.2.1 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/3
 ip address 192.168.100.1 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
router eigrp 100
 network 155.1.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.2.2.2
ip route 172.16.1.0 255.255.255.0 10.1.1.2
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 deny ip any any

------------------------- remote ------------------------------
crypto keyring L2L_A
  pre-shared-key address 10.1.1.1 key test123
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile L2L_A
   keyring L2L_A
   match identity address 10.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set Tra_L2L_A
 set isakmp-profile L2L_A
 match address 101
 reverse-route
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/1
 ip address 10.2.2.2 255.255.255.0
 clock rate 2000000
 crypto map crypmap
!
!
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
!
!
access-list 101 permit ip any 192.168.100.0 0.0.0.255


I can see encrypted traffic flowing from the remote end to the head end, but no
return traffic from the head end. I still couldn't get this traffic routed
via the loopback.

Yes, as you pointed out, this will be an awful solution; that's the main reason
I posted this here in this forum, because I can get the opinion of more
experienced people. I could not find any Cisco documentation for this kind
of configuration. My real configuration will be a VRF-aware VPN where
traffic coming from the Internet terminates in multiple user VRFs. I got it
working with a single public IP, but I am checking whether I can do it with
multiple public IPs. Thanks for your thoughts.

cheers

Sara

On Fri, Nov 4, 2011 at 10:48 PM, David Bass <davidbass570_at_gmail.com> wrote:

> Your crypto config is still not quite right - you have the map on the
> physical and loopback interface.
>
> Have you thought about natting this as an alternative solution? It looks
> like you know the peer address (all statically configured tunnels), so
> should be easy enough to do a policy nat. This assumes a couple things of
> course...
>
> Either way you end up with a somewhat kludgy solution. Why not just do
> this right and migrate your customers to the new solution properly?
>
>
>
> On Nov 3, 2011, at 10:48 PM, Sarad <tosara_at_gmail.com> wrote:
>
> > Hi Joseph,
> >
> > Thanks for the reply. I tried with a static route to the loopback subnet
> > but still couldn't get the traffic through.
> > Following is the config:
> >
> > !
> > !
> > crypto keyring L2L_A
> > pre-shared-key address 20.1.1.2 key test123
> > crypto keyring L2L_B
> > pre-shared-key address 20.2.2.2 key test123
> > !
> > crypto isakmp policy 1
> > encr 3des
> > authentication pre-share
> > group 2
> > crypto isakmp profile L2L_A
> > vrf CUST_A
> > keyring L2L_A
> > match identity address 20.1.1.2 255.255.255.255
> > local-address Loopback0
> > crypto isakmp profile L2L_B
> > vrf CUST_B
> > keyring L2L_B
> > match identity address 20.2.2.2 255.255.255.255
> > local-address Loopback1
> > !
> > !
> > crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> > !
> > crypto map crypmap local-address Loopback0
> > crypto map crypmap 1 ipsec-isakmp
> > set peer 20.1.1.2
> > set transform-set Tra_L2L_A
> > set isakmp-profile L2L_A
> > match address 101
> > reverse-route
> > crypto map crypmap 10 ipsec-isakmp
> > set peer 20.2.2.2
> > set transform-set Tra_L2L_A
> > set isakmp-profile L2L_B
> > match address 102
> > reverse-route
> > !
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 10.1.1.1 255.255.255.252
> > crypto map crypmap
> > !
> > !
> > interface GigabitEthernet0/0/0.100
> > description #### Global Internet ####
> > encapsulation dot1Q 100
> > ip address 10.2.2.1 255.255.255.0
> > crypto map crypmap
> > !
> > !
> > interface GigabitEthernet0/0/1.300
> > encapsulation dot1Q 300
> > ip address 192.168.100.1 255.255.255.0
> > !
> > !
> > !
> > router eigrp 100
> > network 10.0.0.0
> > !
> > !
> > no ip http server
> > no ip http secure-server
> > ip route 0.0.0.0 0.0.0.0 10.2.2.2
> > ip route 172.16.1.0 255.255.255.0 10.1.1.2 name TEST_CUST_A
> > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> > access-list 101 deny ip any any
> >
> >
> > Thanks for the help,
> > Cheers
> > Sara
> >
> > On Fri, Nov 4, 2011 at 12:39 PM, Joseph L. Brunner
> > <joe_at_affirmedsystems.com> wrote:
> >
> >> Hi Sarad,
> >>
> >> As I stated, you need multiple loopbacks that have public IPs (even /30s
> >> out of, say, a /24 routed to the real INTERNET FACING INTERFACE) and bind
> >> UNIQUE CRYPTO MAPs to each of those interfaces.
> >>
> >> Then, as you stated, you can't change the customer config - so GRE <-> GRE
> >> with EIGRP for routing is out of this design (and match GRE source loopback
> >> to destination peer in the IPsec ACL)... so now you have to allow in your
> >> design for STATIC routes for the interesting traffic for each VPN to go to
> >> the loopback and "get on the VPN".
> >>
> >> Please use this...
> >>
> >> interface Loopback200
> >>  crypto map map-loop200
> >>  ip address 200.200.200.199 255.255.255.248
> >>
> >> ip route 10.10.10.0 255.255.255.0 200.200.200.200 name vpndestination1-subnet
> >>
> >> crypto map map-loop200 1 ipsec-isakmp
> >>  set peer 18.19.20.21
> >>  match address vpndestination1
> >>  set transform-set ESP-3DES-MD5-SHA
> >>
> >> ip access-list extended vpndestination1
> >>  permit ip 10.20.20.0 0.0.0.0 10.10.10.0 0.0.0.255
> >>
> >> I may have forgotten the correct next hop for the static route (it's
> >> been since 2005 that I had to do it this way); last I recall it works when
> >> you use an IP in the subnet of the loopback, but not necessarily THE
> >> LOOPBACK IP.
> >>
> >> It also worked, IHMM, when I just got the traffic across the loopback
> >> where the crypto map is set - like
> >>
> >> interface Loopback200
> >>  ip vrf forwarding special-routes
> >>  ip address 200.200.200.200 255.255.255.248
> >>
> >> ip route vrf special-routes 0.0.0.0 0.0.0.0 GigabitEthernet0/1 200.201.201.201
> >>
> >> I'm sure you can see my vrf way of making a router route "outside to the
> >> loopback to itself first" LOL
> >>
> >> If not - email me and we'll do this together on gotoassist
> >>
> >> -Joe
> >>
> >>
> >> -----Original Message-----
> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> >> Sarad
> >> Sent: Thursday, November 03, 2011 9:05 PM
> >> To: Piotr Matusiak
> >> Cc: Cisco certification
> >> Subject: Re: IPSEC site to site VPN with loopback interface issue
> >>
> >> Hi Piotr,
> >>
> >> Thank you for your reply; it works, but it still hasn't 100% solved my
> >> issue, as I need to have multiple loopbacks at the head end terminating
> >> IPsec tunnels to different sites. With this command we can have only one
> >> interface terminating the VPN. Is there a way I can achieve that? I went
> >> through much documentation but still couldn't find a solution.
> >>
> >> Thank you for the useful reply.
> >>
> >> Cheers
> >>
> >> Saranga
> >>
> >> On Thu, Nov 3, 2011 at 8:03 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
> >>
> >>> Hi Sarad,
> >>>
> >>> Unconfigure crypto map on loopback0 interface and add command 'crypto
> >>> map crypmap local-address lo0' to your config on both routers.
> >>> Regards,
> >>> --
> >>> Piotr Matusiak
> >>> CCIE #19860 (R&S, Security), CCSI #33705
> >>> Technical Instructor
> >>> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
> >>> blog: www.ccie1.com
> >>>
> >>> If you can't explain it simply, you don't understand it well enough -
> >>> Albert Einstein
> >>>
> >>>
> >>> 2011/11/3 Sarad <tosara_at_gmail.com>
> >>>
> >>>> Hi Guys,
> >>>>
> >>>> I am trying to set up an IPsec site-to-site VPN with multiple endpoints
> >>>> at the head end. To do that I should be able to terminate these VPNs on
> >>>> a loopback address. I tried configuring it on the loopback, but even
> >>>> though the tunnel sets up correctly, no traffic goes through the tunnel.
> >>>> But when I change it back to a physical interface it works without any
> >>>> issue with the same configuration.
> >>>>
> >>>>
> >>>> *Head end config*
> >>>>
> >>>>
> >>>> hostname TEST_VPN_ASR
> >>>> !
> >>>> aaa new-model
> >>>> !
> >>>> !
> >>>> aaa authentication login userauthen local
> >>>> aaa authorization network groupauthor local
> >>>> !
> >>>> !
> >>>> !
> >>>> !
> >>>> !
> >>>> aaa session-id common
> >>>> !
> >>>> !
> >>>> !
> >>>> !
> >>>> crypto keyring L2L_A
> >>>> pre-shared-key address 20.1.1.2 key test123
> >>>> !
> >>>> crypto isakmp policy 1
> >>>> encr 3des
> >>>> authentication pre-share
> >>>> group 2
> >>>>
> >>>> crypto isakmp profile L2L_A
> >>>> keyring L2L_A
> >>>> match identity address 20.1.1.2 255.255.255.255
> >>>> local-address Loopback0
> >>>> !
> >>>> !
> >>>> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> >>>> !
> >>>> crypto map crypmap 1 ipsec-isakmp
> >>>> set peer 20.1.1.2
> >>>> set transform-set Tra_L2L_A
> >>>> set isakmp-profile L2L_A
> >>>> match address 101
> >>>> reverse-route
> >>>> !
> >>>> !
> >>>> !
> >>>> !
> >>>> !
> >>>> interface Loopback0
> >>>> ip address 10.1.1.1 255.255.255.248
> >>>> crypto map crypmap
> >>>> !
> >>>> interface Loopback1
> >>>> ip address 10.1.1.9 255.255.255.248
> >>>> !
> >>>> interface Loopback2
> >>>> ip address 10.1.1.17 255.255.255.248
> >>>> !
> >>>> interface Loopback100
> >>>> ip address 200.200.200.200 255.255.255.0
> >>>> !
> >>>> !
> >>>> interface GigabitEthernet0/0/0.100
> >>>> description #### Global Internet ####
> >>>> encapsulation dot1Q 100
> >>>> ip address 10.2.2.1 255.255.255.0
> >>>> crypto map crypmap
> >>>> !
> >>>> !
> >>>> router eigrp 100
> >>>> network 10.0.0.0
> >>>> !
> >>>> ip route 0.0.0.0 0.0.0.0 10.2.2.2
> >>>> !
> >>>> logging esm config
> >>>> access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
> >>>> access-list 101 permit ip 192.168.0.0 0.0.255.255 any
> >>>> !
> >>>> !
> >>>> !
> >>>> Cheers
> >>>> Sara
> >>>>
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>>
> >>>>
> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >
> >

Received on Sat Nov 05 2011 - 01:38:16 ART

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART
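Two of the points raised in this thread can be checked mechanically before a config goes on a box: David's observation that the same crypto map sat on both the physical interface and Loopback0 (which Piotr's `crypto map crypmap local-address lo0` resolves, since without it each interface sources its own SAs from its own address), and the requirement that the crypto ACLs on the two peers mirror each other. The following lint is an added example for this page, not a Cisco tool or any poster's code; it parses only the handful of IOS lines the checks need, and its two sample configs are constructed from the configs posted above (trimmed to the crypto-relevant lines).

```python
"""Lint a pair of Cisco IOS site-to-site IPsec configs for two problems raised
in this thread: one crypto map bound to several interfaces with no
'crypto map NAME local-address' (David's objection, Piotr's fix), and crypto
ACLs that are not mirror images of each other.  Added example for this page,
not a Cisco tool; the sample configs are constructed from the thread's posts."""
import re
from collections import defaultdict

# Constructed from the earlier head-end post: crypmap sits on both Loopback0
# and the Internet-facing subinterface, and no local-address is set.
HEAD_END = """\
crypto map crypmap 1 ipsec-isakmp
 set peer 10.2.2.2
 match address 101
interface Loopback0
 crypto map crypmap
interface GigabitEthernet0/0/0.100
 crypto map crypmap
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 deny ip any any
"""
REMOTE = """\
crypto map crypmap 1 ipsec-isakmp
 set peer 10.1.1.1
 match address 101
interface Serial0/1
 crypto map crypmap
access-list 101 permit ip any 192.168.100.0 0.0.0.255
"""

def _addr(tokens):
    """Consume one ACL address spec ('any' or 'addr wildcard') from tokens."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse(config):
    """Extract just the facts the checks need from an IOS running-config."""
    facts = {"bindings": defaultdict(list),  # map name -> interfaces it is on
             "local_address": {},            # map name -> local-address intf
             "map_acl": {},                  # map name -> crypto ACL number
             "acl": defaultdict(list)}       # ACL number -> [(action, src, dst)]
    block = (None, None)  # (kind, name) of the indented section we are in
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace():  # indented: belongs to the current block
            kind, name = block
            if kind == "intf" and (m := re.match(r"crypto map (\S+)$", line)):
                facts["bindings"][m.group(1)].append(name)
            elif kind == "map" and (m := re.match(r"match address (\S+)", line)):
                facts["map_acl"][name] = m.group(1)
            continue
        block = (None, None)
        if m := re.match(r"interface (\S+)", line):
            block = ("intf", m.group(1))
        elif m := re.match(r"crypto map (\S+) local-address (\S+)", line):
            facts["local_address"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            block = ("map", m.group(1))
        elif m := re.match(r"access-list (\d+) (permit|deny) ip (.+)", line):
            src, rest = _addr(m.group(3).split())
            dst, _ = _addr(rest)
            facts["acl"][m.group(1)].append((m.group(2), src, dst))
    return facts

def check_bindings(facts):
    """A map on several interfaces needs a fixed local-address; otherwise each
    interface sources its own SAs from its own address, not the loopback."""
    return [f"crypto map {n} is on {', '.join(i)} with no 'crypto map {n} local-address'"
            for n, i in facts["bindings"].items()
            if len(i) > 1 and n not in facts["local_address"]]

def crypto_permits(facts):
    """(src, dst) pairs permitted by the ACLs that crypto maps match on."""
    return {(s, d) for acl in facts["map_acl"].values()
            for action, s, d in facts["acl"][acl] if action == "permit"}

def check_mirror(local, remote):
    """Crypto ACLs must mirror each other, or one direction never matches an SA."""
    rp = crypto_permits(remote)
    return [f"local permit {s} -> {d} has no mirror {d} -> {s} on the remote"
            for s, d in sorted(crypto_permits(local)) if (d, s) not in rp]

def lint(head_cfg, remote_cfg):
    """Run every check on both sides and return the combined findings."""
    head, remote = parse(head_cfg), parse(remote_cfg)
    return (check_bindings(head) + check_bindings(remote)
            + check_mirror(head, remote) + check_mirror(remote, head))

if __name__ == "__main__":
    for finding in lint(HEAD_END, REMOTE) or ["no findings"]:
        print(finding)
```

Run against the two constructed configs it reports the double binding on the head end and nothing for the ACLs, because `192.168.100.0/24 -> any` on the head end is mirrored by `any -> 192.168.100.0/24` on the remote; prepending `crypto map crypmap local-address Loopback0` to the head-end text clears the finding, and a typo in either ACL produces a mirror finding instead.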