Hi Joseph,
:D thanks for the reply, can you please share the VRF way or point me to
any documentation?
Thanks again
Sara
On Sat, Nov 5, 2011 at 1:50 AM, Joseph L. Brunner
<joe_at_affirmedsystems.com>wrote:
> Yes, like David said, integrate your clients correctly.
>
> As posted I have a VRF way to do this, but again there have to be
> production outages to support a change.
>
> *From:* Sarad [mailto:tosara_at_gmail.com]
> *Sent:* Friday, November 04, 2011 10:49 AM
> *To:* David Bass
> *Cc:* Joseph L. Brunner; Piotr Matusiak; Cisco certification
>
> *Subject:* Re: IPSEC site to site VPN with loopback interface issue
>
> Hi All,
>
> Managed to get it working by applying a policy map to the inside interface of
> the head end router. But it's an awful looking config to put on
> production :D. mhhhhhhhhhhhhh Wonder whether there is any other way better
> than this. The config change I did is as follows:
>
> !
> interface Serial1/3
>  ip address 192.168.100.1 255.255.255.0
>  ip policy route-map TEST
>  serial restart-delay 0
>  clock rate 64000
> !
> route-map TEST permit 10
>  match ip address 101   <- Interesting traffic access list
>  set interface Loopback0
>
> Thanks guys for your time
>
> Cheers
>
> Sara
>
> On Sat, Nov 5, 2011 at 1:38 AM, Sarad <tosara_at_gmail.com> wrote:
>
> Hi David,
>
> Sorry, I was trying too many changes and posted the incorrect config.
> Following are the configs of the two routers.
>
> ---------------------Head end---------------------------------
>
> crypto keyring L2L_A
>  pre-shared-key address 10.2.2.2 key test123
> !
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp profile L2L_A
>  keyring L2L_A
>  match identity address 10.2.2.2 255.255.255.255
> !
> !
> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> !
> crypto map crypmap 1 ipsec-isakmp
>  set peer 10.2.2.2
>  set transform-set Tra_L2L_A
>  set isakmp-profile L2L_A
>  match address 101
> !
> !
> interface Loopback0
>  ip address 10.1.1.1 255.255.255.252
>  crypto map crypmap
> !
> interface FastEthernet0/0
>  ip address 155.1.37.3 255.255.255.0
>  shutdown
>  speed 100
>  full-duplex
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface Serial1/0
>  no ip address
>  encapsulation frame-relay
>  shutdown
>  serial restart-delay 0
> !
> interface Serial1/0.1 point-to-point
>  ip address 155.1.0.3 255.255.255.0
>  frame-relay interface-dlci 305
> !
> interface Serial1/1
>  no ip address
>  shutdown
>  serial restart-delay 0
> !
> interface Serial1/2
>  ip address 10.2.2.1 255.255.255.0
>  serial restart-delay 0
>  clock rate 64000
> !
> interface Serial1/3
>  ip address 192.168.100.1 255.255.255.0
>  serial restart-delay 0
>  clock rate 64000
> !
> router eigrp 100
>  network 155.1.0.0
>  no auto-summary
> !
> ip route 0.0.0.0 0.0.0.0 10.2.2.2
> ip route 172.16.1.0 255.255.255.0 10.1.1.2
> !
> !
> no ip http server
> no ip http secure-server
> !
> access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> access-list 101 deny ip any any
>
> ------------------------- remote ------------------------------
>
> crypto keyring L2L_A
>  pre-shared-key address 10.1.1.1 key test123
> !
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp profile L2L_A
>  keyring L2L_A
>  match identity address 10.1.1.1 255.255.255.255
> !
> !
> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> !
> crypto map crypmap 1 ipsec-isakmp
>  set peer 10.1.1.1
>  set transform-set Tra_L2L_A
>  set isakmp-profile L2L_A
>  match address 101
>  reverse-route
> !
> !
> interface Loopback0
>  ip address 172.16.1.1 255.255.255.0
> !
> interface Serial0/1
>  ip address 10.2.2.2 255.255.255.0
>  clock rate 2000000
>  crypto map crypmap
> !
> !
> ip route 0.0.0.0 0.0.0.0 10.2.2.1
> !
> !
> access-list 101 permit ip any 192.168.100.0 0.0.0.255
>
> I can see encrypted traffic flowing from the remote end to the head end but no
> return traffic from the head end. I still couldn't get this traffic routed
> via the loopback.
>
> Yes, as you pointed out this will be an awful solution; that's the main
> reason I posted this here in this forum, coz I can get the opinion of more
> experienced people. I could not find any Cisco documentation for this kind
> of a configuration. My real configuration will be VRF aware VPN where
> traffic coming from the internet terminates in multiple user VRFs. I got it
> working with a single public IP, but am checking whether I can do it with
> multiple public IPs. Thanks for your thoughts.
>
> cheers
>
> Sara
>
> On Fri, Nov 4, 2011 at 10:48 PM, David Bass <davidbass570_at_gmail.com>
> wrote:
>
> Your crypto config is still not quite right - you have the map on the
> physical and loopback interface.
>
> Have you thought about NATting this as an alternative solution? It looks
> like you know the peer address (all statically configured tunnels), so it
> should be easy enough to do a policy NAT. This assumes a couple of things, of
> course...
>
> Either way you end up with a somewhat kludgy solution. Why not just do
> this right and migrate your customers to the new solution properly?
>
> On Nov 3, 2011, at 10:48 PM, Sarad <tosara_at_gmail.com> wrote:
>
> > Hi Joseph,
> >
> > Thanks for the reply. I tried with a static route to the loopback subnet
> > but still couldn't get the traffic through.
> > Following is the config
> >
> > !
> > crypto keyring L2L_A
> >  pre-shared-key address 20.1.1.2 key test123
> > crypto keyring L2L_B
> >  pre-shared-key address 20.2.2.2 key test123
> > !
> > crypto isakmp policy 1
> >  encr 3des
> >  authentication pre-share
> >  group 2
> > crypto isakmp profile L2L_A
> >  vrf CUST_A
> >  keyring L2L_A
> >  match identity address 20.1.1.2 255.255.255.255
> >  local-address Loopback0
> > crypto isakmp profile L2L_B
> >  vrf CUST_B
> >  keyring L2L_B
> >  match identity address 20.2.2.2 255.255.255.255
> >  local-address Loopback1
> > !
> > !
> > crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> > !
> > crypto map crypmap local-address Loopback0
> > crypto map crypmap 1 ipsec-isakmp
> >  set peer 20.1.1.2
> >  set transform-set Tra_L2L_A
> >  set isakmp-profile L2L_A
> >  match address 101
> >  reverse-route
> > crypto map crypmap 10 ipsec-isakmp
> >  set peer 20.2.2.2
> >  set transform-set Tra_L2L_A
> >  set isakmp-profile L2L_B
> >  match address 102
> >  reverse-route
> > !
> > !
> > interface Loopback0
> >  ip address 10.1.1.1 255.255.255.252
> >  crypto map crypmap
> > !
> > !
> > interface GigabitEthernet0/0/0.100
> >  description #### Global Internet ####
> >  encapsulation dot1Q 100
> >  ip address 10.2.2.1 255.255.255.0
> >  crypto map crypmap
> > !
> > !
> > interface GigabitEthernet0/0/1.300
> >  encapsulation dot1Q 300
> >  ip address 192.168.100.1 255.255.255.0
> > !
> > !
> > router eigrp 100
> >  network 10.0.0.0
> > !
> > !
> > no ip http server
> > no ip http secure-server
> > ip route 0.0.0.0 0.0.0.0 10.2.2.2
> > ip route 172.16.1.0 255.255.255.0 10.1.1.2 name TEST_CUST_A
> > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> > access-list 101 deny ip any any
> >
> >
> > Thanks for the help,
> > Cheers
> > Sara
> >
> > On Fri, Nov 4, 2011 at 12:39 PM, Joseph L. Brunner
> > <joe_at_affirmedsystems.com>wrote:
> >
> >> Hi Sarad,
> >>
> >> As I stated, you need multiple loopbacks that have public IPs (even
> >> /30s out of say a /24 routed to the real INTERNET FACING INTERFACE) and bind
> >> UNIQUE CRYPTO MAPs to each of those interfaces.
> >>
> >> Then, as you stated you can't change customer config - so GRE <-> GRE
> >> with EIGRP for routing is out of this design (and match gre source loopback
> >> to destination peer in ipsec acl)... so now you have to allow in your
> >> design for STATIC routes for the interesting traffic for each vpn to go to the
> >> loopback and "get on the vpn".
> >>
> >> Please use this...
> >>
> >> interface Loopback200
> >>  crypto map map-loop200
> >>  ip address 200.200.200.199 255.255.255.248
> >>
> >> ip route 10.10.10.0 255.255.255.0 200.200.200.200 name vpndestination1-subnet
> >>
> >> crypto map map-loop200 1 ipsec-isakmp
> >>  set peer 18.19.20.21
> >>  match address vpndestination1
> >>  set transform-set ESP-3DES-MD5-SHA
> >>
> >> ip access-list extended vpndestination1
> >>  permit ip 10.20.20.0 0.0.0.0 10.10.10.0 0.0.0.255
> >>
> >> I may have forgotten the correct next hop for the static route (it's
> >> been since 2005 that I had to do it this way); last I recall it works when you
> >> use an ip in the subnet of the loopback, but not necessarily THE LOOPBACK IP.
> >>
> >> It also worked, IHMM, when I just got the traffic across the loopback
> >> where the crypto map is set - like
> >>
> >> interface Loopback200
> >>  ip vrf forwarding special-routes
> >>  ip address 200.200.200.200 255.255.255.248
> >>
> >> ip route vrf special-routes 0.0.0.0 0.0.0.0 GigabitEthernet0/1 200.201.201.201
> >>
> >> I'm sure you can see my vrf way of making a router route "outside to the
> >> loopback to itself first" LOL
> >>
> >> If not - email me and we'll do this together on gotoassist
> >>
> >> -Joe
> >>
> >>
> >> -----Original Message-----
> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> >> Sarad
> >> Sent: Thursday, November 03, 2011 9:05 PM
> >> To: Piotr Matusiak
> >> Cc: Cisco certification
> >> Subject: Re: IPSEC site to site VPN with loopback interface issue
> >>
> >> Hi Piotr,
> >>
> >> Thank you for your reply, it works, but still it has not 100% solved my
> >> issue. As I need to have multiple loopbacks at the head end terminating IPSEC
> >> tunnels to different sites, with this command we can have only one
> >> interface terminating the VPN. Is there a way I can achieve that? I went
> >> through a lot of documentation but still couldn't find a solution.
> >>
> >> Thank you for the useful reply.
> >>
> >> Cheers
> >>
> >> Saranga
> >>
> >> On Thu, Nov 3, 2011 at 8:03 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
> >>
> >>> Hi Sarad,
> >>>
> >>> Unconfigure crypto map on loopback0 interface and add command 'crypto
> >>> map crypmap local-address lo0' to your config on both routers.
> >>> Regards,
> >>> --
> >>> Piotr Matusiak
> >>> CCIE #19860 (R&S, Security), CCSI #33705
> >>> Technical Instructor
> >>> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
> >>> blog: www.ccie1.com
> >>>
> >>> If you can't explain it simply, you don't understand it well enough -
> >>> Albert Einstein
> >>>
> >>>
> >>> 2011/11/3 Sarad <tosara_at_gmail.com>
> >>>
> >>>> Hi Guys,
> >>>>
> >>>> I am trying to set up an IPSEC site to site VPN with multiple end points
> >>>> at the head end. To do that I should be able to terminate these VPNs on a
> >>>> loopback address. I tried configuring it on the loopback, but even though the
> >>>> tunnel set up correctly no traffic goes through the tunnel. But when I change it
> >>>> back to a physical interface it works without any issue with the same
> >>>> configuration.
> >>>>
> >>>>
> >>>> *Head end config*
> >>>>
> >>>> hostname TEST_VPN_ASR
> >>>> !
> >>>> aaa new-model
> >>>> !
> >>>> aaa authentication login userauthen local
> >>>> aaa authorization network groupauthor local
> >>>> !
> >>>> aaa session-id common
> >>>> !
> >>>> crypto keyring L2L_A
> >>>>  pre-shared-key address 20.1.1.2 key test123
> >>>> !
> >>>> crypto isakmp policy 1
> >>>>  encr 3des
> >>>>  authentication pre-share
> >>>>  group 2
> >>>> crypto isakmp profile L2L_A
> >>>>  keyring L2L_A
> >>>>  match identity address 20.1.1.2 255.255.255.255
> >>>>  local-address Loopback0
> >>>> !
> >>>> !
> >>>> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> >>>> !
> >>>> crypto map crypmap 1 ipsec-isakmp
> >>>>  set peer 20.1.1.2
> >>>>  set transform-set Tra_L2L_A
> >>>>  set isakmp-profile L2L_A
> >>>>  match address 101
> >>>>  reverse-route
> >>>> !
> >>>> !
> >>>> interface Loopback0
> >>>>  ip address 10.1.1.1 255.255.255.248
> >>>>  crypto map crypmap
> >>>> !
> >>>> interface Loopback1
> >>>>  ip address 10.1.1.9 255.255.255.248
> >>>> !
> >>>> interface Loopback2
> >>>>  ip address 10.1.1.17 255.255.255.248
> >>>> !
> >>>> interface Loopback100
> >>>>  ip address 200.200.200.200 255.255.255.0
> >>>> !
> >>>> !
> >>>> interface GigabitEthernet0/0/0.100
> >>>>  description #### Global Internet ####
> >>>>  encapsulation dot1Q 100
> >>>>  ip address 10.2.2.1 255.255.255.0
> >>>>  crypto map crypmap
> >>>> !
> >>>> !
> >>>> router eigrp 100
> >>>>  network 10.0.0.0
> >>>> !
> >>>> ip route 0.0.0.0 0.0.0.0 10.2.2.2
> >>>> !
> >>>> logging esm config
> >>>> access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0 0.0.0.255
> >>>> access-list 101 permit ip 192.168.0.0 0.0.255.255 any
> >>>> !
> >>>> !
> >>>> Cheers
> >>>> Sara
> >>>>
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>>
> >>>>
> >>>> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >
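As an added check that is not part of the thread: a small Python lint that parses an IOS running-config and flags the crypto-map binding mistakes David and Piotr point out (the same map applied on the loopback as well as the physical interface while a `crypto map ... local-address` is set, or a map bound on several interfaces with no local-address at all), plus a `match address` that references an ACL the config never defines. The sample config is constructed from the head-end snippets in the thread; `lint_crypto_maps` is my name, not an IOS or project API.

```python
import re

# Constructed sample condensed from the thread's head-end config: map bound on
# Loopback0 AND the physical sub-interface despite local-address; ACL 102 undefined.
SAMPLE_CONFIG = """\
crypto map crypmap local-address Loopback0
crypto map crypmap 1 ipsec-isakmp
 match address 101
crypto map crypmap 10 ipsec-isakmp
 match address 102
interface Loopback0
 crypto map crypmap
interface GigabitEthernet0/0/0.100
 crypto map crypmap
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
"""

def lint_crypto_maps(config: str) -> list:
    """Findings for bad crypto-map bindings; empty list when nothing is wrong."""
    bindings, local_addr, acl_refs, acls_defined = {}, {}, {}, set()
    section = None  # ("iface", name) or ("map", name) while in a sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level command ends any sub-mode
            section = None
            if m := re.match(r"interface (\S+)$", line):
                section = ("iface", m.group(1))
            elif m := re.match(r"crypto map (\S+) local-address (\S+)$", line):
                local_addr[m.group(1)] = m.group(2)
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
                section = ("map", m.group(1))
            elif m := re.match(r"access-list (\d+) |ip access-list \w+ (\S+)$", line):
                acls_defined.add(m.group(1) or m.group(2))
        elif section and section[0] == "iface":
            if m := re.match(r"crypto map (\S+)$", line):
                bindings.setdefault(m.group(1), []).append(section[1])
        elif section and section[0] == "map":
            if m := re.match(r"match address (\S+)$", line):
                acl_refs.setdefault(section[1], set()).add(m.group(1))
    findings = []
    for name, ifaces in bindings.items():
        loops = [i for i in ifaces if i.lower().startswith("loopback")]
        if len(ifaces) > 1 and name not in local_addr:
            findings.append(f"{name}: bound on {ifaces} with no local-address set")
        if name in local_addr and loops:
            findings.append(f"{name}: local-address {local_addr[name]} set but map also bound on {loops}")
    for name, acls in acl_refs.items():
        for acl in sorted(acls - acls_defined):
            findings.append(f"{name}: match address {acl} references an undefined ACL")
    return findings
```

Run it over the output of `show running-config` saved to a file; an empty list means the map is bound once per physical interface with a consistent local-address and every referenced ACL exists.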
Received on Sat Nov 05 2011 - 01:56:51 ART
This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART