Re: IPSEC site to site VPN with loopback interface issue

From: Sarad <tosara_at_gmail.com>
Date: Sat, 5 Nov 2011 01:49:29 +1100

Hi All,

Managed to get it working by applying a policy map to the inside interface of
the head end router. But it's an awful-looking config to put into
production :D. Hmmm, wonder whether there is any other way better
than this. The config change I did is as follows:

!
interface Serial1/3
 ip address 192.168.100.1 255.255.255.0
 ip policy route-map TEST
 serial restart-delay 0
 clock rate 64000

route-map TEST permit 10
 match ip address 101 <- Interesting traffic access list
 set interface Loopback0

Thanks guys for your time

Cheers
Sara

On Sat, Nov 5, 2011 at 1:38 AM, Sarad <tosara_at_gmail.com> wrote:

> Hi David,
>
> Sorry, I was trying too many changes and posted the incorrect config.
> Following are the configs of the two routers:
>
>
>
> ---------------------Head end---------------------------------
>
> crypto keyring L2L_A
> pre-shared-key address 10.2.2.2 key test123
>
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> crypto isakmp profile L2L_A
> keyring L2L_A
> match identity address 10.2.2.2 255.255.255.255
> !
> !
> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> !
> crypto map crypmap 1 ipsec-isakmp
> set peer 10.2.2.2
>
> set transform-set Tra_L2L_A
> set isakmp-profile L2L_A
> match address 101
> !
> !
> !
> !
> interface Loopback0
> ip address 10.1.1.1 255.255.255.252
> crypto map crypmap
> !
> interface FastEthernet0/0
> ip address 155.1.37.3 255.255.255.0
> shutdown
> speed 100
> full-duplex
> !
> interface FastEthernet0/1
> no ip address
> shutdown
> duplex auto
> speed auto
> !
> interface Serial1/0
> no ip address
> encapsulation frame-relay
> shutdown
> serial restart-delay 0
> !
> interface Serial1/0.1 point-to-point
> ip address 155.1.0.3 255.255.255.0
> frame-relay interface-dlci 305
> !
> interface Serial1/1
> no ip address
> shutdown
> serial restart-delay 0
> !
> interface Serial1/2
> ip address 10.2.2.1 255.255.255.0
> serial restart-delay 0
> clock rate 64000
> !
> interface Serial1/3
> ip address 192.168.100.1 255.255.255.0
> serial restart-delay 0
> clock rate 64000
> !
> router eigrp 100
> network 155.1.0.0
> no auto-summary
>
> !
> ip route 0.0.0.0 0.0.0.0 10.2.2.2
> ip route 172.16.1.0 255.255.255.0 10.1.1.2
> !
> !
> no ip http server
> no ip http secure-server
> !
> access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> access-list 101 deny ip any any
>
>
>
>
> ------------------------- remote ------------------------------
> crypto keyring L2L_A
> pre-shared-key address 10.1.1.1 key test123
>
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> crypto isakmp profile L2L_A
> keyring L2L_A
> match identity address 10.1.1.1 255.255.255.255
> !
> !
> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
> !
> crypto map crypmap 1 ipsec-isakmp
> set peer 10.1.1.1
>
> set transform-set Tra_L2L_A
> set isakmp-profile L2L_A
> match address 101
> reverse-route
> !
> !
> !
> !
> interface Loopback0
> ip address 172.16.1.1 255.255.255.0
> !
> interface Serial0/1
> ip address 10.2.2.2 255.255.255.0
> clock rate 2000000
> crypto map crypmap
> !
> !
> ip route 0.0.0.0 0.0.0.0 10.2.2.1
> !
> !
> !
> access-list 101 permit ip any 192.168.100.0 0.0.0.255
>
>
>
>
> I can see encrypted traffic flowing from the remote end to the head end, but no
> return traffic from the head end. I still couldn't get this traffic routed
> via the loopback.
>
> Yes, as you pointed out, this will be an awful solution; that's the main
> reason I posted this here in this forum, because I can get the opinion of more
> experienced people. I could not find any Cisco documentation for this kind
> of configuration. My real configuration will be a VRF-aware VPN where
> traffic coming from the internet terminates in multiple user VRFs. I got it
> working with a single public IP, but am checking whether I can do it with
> multiple public IPs. Thanks for your thoughts.
>
> cheers
>
> Sara
>
> On Fri, Nov 4, 2011 at 10:48 PM, David Bass <davidbass570_at_gmail.com>wrote:
>
>> Your crypto config is still not quite right - you have the map on the
>> physical and loopback interface.
>>
>> Have you thought about natting this as an alternative solution? It looks
>> like you know the peer address (all statically configured tunnels), so
>> should be easy enough to do a policy nat. This assumes a couple things of
>> course...
>>
>> Either way you end up with a somewhat kludgy solution. Why not just do
>> this right and migrate your customers to the new solution properly?
>>
>>
>>
>> On Nov 3, 2011, at 10:48 PM, Sarad <tosara_at_gmail.com> wrote:
>>
>> > Hi Joseph,
>> >
>> > Thanks for the reply. I tried with a static route to the loopback subnet but
>> > still couldn't get the traffic through.
>> > Following is the config:
>> >
>> > !
>> > !
>> > crypto keyring L2L_A
>> > pre-shared-key address 20.1.1.2 key test123
>> > crypto keyring L2L_B
>> > pre-shared-key address 20.2.2.2 key test123
>> > !
>> > crypto isakmp policy 1
>> > encr 3des
>> > authentication pre-share
>> > group 2
>> > crypto isakmp profile L2L_A
>> > vrf CUST_A
>> > keyring L2L_A
>> > match identity address 20.1.1.2 255.255.255.255
>> > local-address Loopback0
>> > crypto isakmp profile L2L_B
>> > vrf CUST_B
>> > keyring L2L_B
>> > match identity address 20.2.2.2 255.255.255.255
>> > local-address Loopback1
>> > !
>> > !
>> > crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
>> > !
>> > crypto map crypmap local-address Loopback0
>> > crypto map crypmap 1 ipsec-isakmp
>> > set peer 20.1.1.2
>> > set transform-set Tra_L2L_A
>> > set isakmp-profile L2L_A
>> > match address 101
>> > reverse-route
>> > crypto map crypmap 10 ipsec-isakmp
>> > set peer 20.2.2.2
>> > set transform-set Tra_L2L_A
>> > set isakmp-profile L2L_B
>> > match address 102
>> > reverse-route
>> > !
>> > !
>> > !
>> > !
>> > !
>> > interface Loopback0
>> > ip address 10.1.1.1 255.255.255.252
>> > crypto map crypmap
>> > !
>> > !
>> > interface GigabitEthernet0/0/0.100
>> > description #### Global Internet ####
>> > encapsulation dot1Q 100
>> > ip address 10.2.2.1 255.255.255.0
>> > crypto map crypmap
>> > !
>> > !
>> > interface GigabitEthernet0/0/1.300
>> > encapsulation dot1Q 300
>> > ip address 192.168.100.1 255.255.255.0
>> > !
>> > !
>> > !
>> > router eigrp 100
>> > network 10.0.0.0
>> > !
>> > !
>> > no ip http server
>> > no ip http secure-server
>> > ip route 0.0.0.0 0.0.0.0 10.2.2.2
>> > ip route 172.16.1.0 255.255.255.0 10.1.1.2 name TEST_CUST_A
>> > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
>> > access-list 101 deny ip any any
>> >
>> >
>> > Thanks for the help,
>> > Cheers
>> > Sara
>> >
>> > On Fri, Nov 4, 2011 at 12:39 PM, Joseph L. Brunner
>> > <joe_at_affirmedsystems.com>wrote:
>> >
>> >> Hi Sarad,
>> >>
>> >> As I stated, you need multiple loopbacks that have public IPs (even /30s
>> >> out of, say, a /24 routed to the real INTERNET FACING INTERFACE) and bind
>> >> UNIQUE CRYPTO MAPs to each of those interfaces.
>> >>
>> >> Then, as you stated, you can't change customer config - so GRE <-> GRE with
>> >> EIGRP for routing is out of this design (and match GRE source loopback to
>> >> destination peer in the IPsec ACL)... so now you have to allow in your design
>> >> for STATIC routes for the interesting traffic for each VPN to go to the
>> >> loopback and "get on the VPN".
>> >>
>> >> Please use this...
>> >>
>> >> interface Loopback200
>> >>  crypto map map-loop200
>> >>  ip address 200.200.200.199 255.255.255.248
>> >>
>> >> ip route 10.10.10.0 255.255.255.0 200.200.200.200 name vpndestination1-subnet
>> >>
>> >> crypto map map-loop200 1 ipsec-isakmp
>> >>  set peer 18.19.20.21
>> >>  match address vpndestination1
>> >>  set transform-set ESP-3DES-MD5-SHA
>> >>
>> >> ip access-list extended vpndestination1
>> >>  permit ip 10.20.20.0 0.0.0.0 10.10.10.0 0.0.0.255
>> >>
>> >> I may have forgotten the correct next hop for the static route (it's been
>> >> since 2005 that I had to do it this way); last I recall it works when you use
>> >> an IP in the subnet of the loopback, but not necessarily THE LOOPBACK IP.
>> >>
>> >> It also worked, IHMM, when I just got the traffic across the loopback where
>> >> the crypto map is set - like
>> >>
>> >> interface Loopback200
>> >>  ip vrf forwarding special-routes
>> >>  ip address 200.200.200.200 255.255.255.248
>> >>
>> >> ip route vrf special-routes 0.0.0.0 0.0.0.0 GigabitEthernet0/1 200.201.201.201
>> >>
>> >> I'm sure you can see my vrf way of making a router route "outside to
>> the
>> >> loopback to itself first" LOL
>> >>
>> >> If not - email me and we'll do this together on gotoassist
>> >>
>> >> -Joe
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
>> Of
>> >> Sarad
>> >> Sent: Thursday, November 03, 2011 9:05 PM
>> >> To: Piotr Matusiak
>> >> Cc: Cisco certification
>> >> Subject: Re: IPSEC site to site VPN with loopback interface issue
>> >>
>> >> Hi Piotr,
>> >>
>> >> Thank you for your reply, it works, but it still hasn't 100% solved my issue,
>> >> as I need to have multiple loopbacks at the head end terminating IPsec
>> >> tunnels to different sites. With this command we can have only one
>> >> interface terminating the VPN. Is there a way I can achieve that? I went
>> >> through much documentation but still couldn't find a solution.
>> >>
>> >> Thank you for the useful reply.
>> >>
>> >> Cheers
>> >>
>> >> Saranga
>> >>
>> >> On Thu, Nov 3, 2011 at 8:03 PM, Piotr Matusiak <pitt2k_at_gmail.com>
>> wrote:
>> >>
>> >>> Hi Sarad,
>> >>>
>> >>> Unconfigure crypto map on loopback0 interface and add command 'crypto
>> >>> map crypmap local-address lo0' to your config on both routers.
>> >>> Regards,
>> >>> --
>> >>> Piotr Matusiak
>> >>> CCIE #19860 (R&S, Security), CCSI #33705
>> >>> Technical Instructor
>> >>> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
>> >>> blog: www.ccie1.com
>> >>>
>> >>> If you can't explain it simply, you don't understand it well enough -
>> >>> Albert Einstein
>> >>>
>> >>>
>> >>> 2011/11/3 Sarad <tosara_at_gmail.com>
>> >>>
>> >>>> Hi Guys,
>> >>>>
>> >>>> I am trying to set up an IPsec site-to-site VPN with multiple endpoints at
>> >>>> the head end. To do that I should be able to terminate these VPNs on a
>> >>>> loopback address. I tried configuring it on the loopback, but even though the
>> >>>> tunnel set up correctly no traffic goes through the tunnel. When I change it
>> >>>> back to a physical interface it works without any issue with the same
>> >>>> configuration.
>> >>>>
>> >>>>
>> >>>> *Head end config*
>> >>>>
>> >>>>
>> >>>> hostname TEST_VPN_ASR
>> >>>> !
>> >>>> aaa new-model
>> >>>> !
>> >>>> !
>> >>>> aaa authentication login userauthen local
>> >>>> aaa authorization network groupauthor local
>> >>>> !
>> >>>> !
>> >>>> !
>> >>>> !
>> >>>> !
>> >>>> aaa session-id common
>> >>>> !
>> >>>> !
>> >>>> !
>> >>>> !
>> >>>> crypto keyring L2L_A
>> >>>> pre-shared-key address 20.1.1.2 key test123
>> >>>> !
>> >>>> crypto isakmp policy 1
>> >>>> encr 3des
>> >>>> authentication pre-share
>> >>>> group 2
>> >>>>
>> >>>> crypto isakmp profile L2L_A
>> >>>> keyring L2L_A
>> >>>> match identity address 20.1.1.2 255.255.255.255
>> >>>> local-address Loopback0
>> >>>> !
>> >>>> !
>> >>>> crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
>> >>>> !
>> >>>> crypto map crypmap 1 ipsec-isakmp
>> >>>> set peer 20.1.1.2
>> >>>> set transform-set Tra_L2L_A
>> >>>> set isakmp-profile L2L_A
>> >>>> match address 101
>> >>>> reverse-route
>> >>>> !
>> >>>> !
>> >>>> !
>> >>>> !
>> >>>> !
>> >>>> interface Loopback0
>> >>>> ip address 10.1.1.1 255.255.255.248
>> >>>> crypto map crypmap
>> >>>> !
>> >>>> interface Loopback1
>> >>>> ip address 10.1.1.9 255.255.255.248
>> >>>> !
>> >>>> interface Loopback2
>> >>>> ip address 10.1.1.17 255.255.255.248
>> >>>> !
>> >>>> interface Loopback100
>> >>>> ip address 200.200.200.200 255.255.255.0
>> >>>> !
>> >>>> !
>> >>>> interface GigabitEthernet0/0/0.100
>> >>>> description #### Global Internet ####
>> >>>> encapsulation dot1Q 100
>> >>>> ip address 10.2.2.1 255.255.255.0
>> >>>> crypto map crypmap
>> >>>> !
>> >>>> !
>> >>>> router eigrp 100
>> >>>> network 10.0.0.0
>> >>>> !
>> >>>> ip route 0.0.0.0 0.0.0.0 10.2.2.2
>> >>>> !
>> >>>> logging esm config
>> >>>> access-list 101 permit ip 200.200.200.0 0.0.0.255 210.210.210.0
>> >> 0.0.0.255
>> >>>> access-list 101 permit ip 192.168.0.0 0.0.255.255 any
>> >>>> !
>> >>>> !
>> >>>> !
>> >>>> Cheers
>> >>>> Sara
>> >>>>
>> >>>>
>> >>>> Blogs and organic groups at http://www.ccie.net
>> >>>>
>> >>>>
>> _______________________________________________________________________
>> >>>> Subscription information may be found at:
>> >>>> http://www.groupstudy.com/list/CCIELab.html
>> >>
>> >>
>> >
>> >

Received on Sat Nov 05 2011 - 01:49:29 ART

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART
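Added example, written for this archive page and not taken from any poster in the thread: a small Python checker for the three crypto-map pitfalls the thread runs into. It flags the same crypto map bound to both the physical interface and the loopback (David's point), a crypto map applied straight to a loopback, where only traffic actually routed out of that loopback is evaluated against the map (which is why the thread ends up with a static route or PBR pointing the interesting traffic at the loopback), and crypto ACLs on the two peers that are not mirrors of each other. The embedded configs are constructed, trimmed to the lines the checker reads, and modelled on the posted head-end/remote pair; the "fixed" head end uses Piotr's `crypto map crypmap local-address Loopback0` with the map on the egress interface only. The legacy-algorithm list (3DES, DES, MD5, DH groups 1 and 2) is this script's own policy choice, included because every config in the thread still runs 3DES with group 2.

```python
"""Added example, not code from any poster in this thread: lint IOS configs for
the crypto-map pitfalls discussed above.  The configs are constructed samples
modelled on the posted head-end/remote pair and trimmed to the lines read here."""
import re

# Legacy algorithms IOS still accepts; flagging them is this script's own policy.
LEGACY = ("3des", "des", "md5", "group 1", "group 2")

# Constructed: crypto map on BOTH Loopback0 and the physical link, as posted.
HEAD_END = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto ipsec transform-set Tra_L2L_A esp-3des esp-sha-hmac
crypto map crypmap 1 ipsec-isakmp
 match address 101
interface Loopback0
 crypto map crypmap
interface Serial1/2
 crypto map crypmap
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
"""

# Constructed fix: map on the egress interface only, IKE/IPsec sourced from
# Loopback0 via 'local-address' (as suggested in the thread), AES/SHA-256/DH14.
HEAD_END_FIXED = """\
crypto isakmp policy 1
 encr aes 256
 group 14
crypto ipsec transform-set Tra_L2L_A esp-aes 256 esp-sha256-hmac
crypto map crypmap local-address Loopback0
crypto map crypmap 1 ipsec-isakmp
 match address 101
interface Serial1/2
 crypto map crypmap
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
"""

# Constructed remote peer whose crypto ACL mirrors the head end's.
REMOTE = """\
crypto map crypmap 1 ipsec-isakmp
 match address 101
interface Serial0/1
 crypto map crypmap
access-list 101 permit ip any 192.168.100.0 0.0.0.255
"""


def parse_ios(text):
    """Split a config into {interface: [subcommands]} and the remaining lines."""
    interfaces, rest, current = {}, [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # any unindented line closes the interface block
            rest.append(line.strip())
    return interfaces, rest


def crypto_acl_pairs(rest):
    """(src, dst) of each 'permit ip' entry in ACLs named by 'match address'."""
    used = {m.group(1) for m in map(re.compile(r"match address (\S+)").match, rest) if m}
    net = r"(\S+ \S+|any|host \S+)"          # one address spec of an extended ACL
    pairs = set()
    for line in rest:
        m = re.fullmatch(rf"access-list (\S+) permit ip {net} {net}", line)
        if m and m.group(1) in used:
            pairs.add((m.group(2), m.group(3)))
    return pairs


def check(text):
    """Findings for one router: a map on several interfaces, a map applied
    straight to a loopback, legacy algorithms."""
    interfaces, rest = parse_ios(text)
    bound = {}                               # crypto-map name -> interfaces using it
    for ifname, cmds in interfaces.items():
        for cmd in cmds:
            m = re.fullmatch(r"crypto map (\S+)", cmd)
            if m:
                bound.setdefault(m.group(1), []).append(ifname)
    findings = []
    for name, ifaces in bound.items():
        if len(ifaces) > 1:
            findings.append(f"{name}: applied to several interfaces ({', '.join(ifaces)})")
        for lo in (i for i in ifaces if i.lower().startswith("loopback")):
            findings.append(f"{name}: applied directly to {lo}, so only traffic routed out "
                            f"{lo} is encrypted; move it to the egress interface and add "
                            f"'crypto map {name} local-address {lo}'")
    for line in rest:
        for alg in LEGACY:
            if re.search(rf"\b{alg}\b", line.lower()):
                findings.append(f"legacy algorithm '{alg}' in: {line}")
    return findings


def acls_mirror(a, b):
    """Crypto ACLs on two peers must be exact mirrors (src/dst swapped)."""
    pa, pb = crypto_acl_pairs(parse_ios(a)[1]), crypto_acl_pairs(parse_ios(b)[1])
    return pa == {(dst, src) for src, dst in pb}
```

Running `check(HEAD_END)` yields five findings (the double binding, the map on Loopback0, and three legacy-algorithm hits), `check(HEAD_END_FIXED)` yields none, and `acls_mirror(HEAD_END, REMOTE)` is true because the remote's `any -> 192.168.100.0/24` is the exact mirror of the head end's `192.168.100.0/24 -> any`. The parser only understands the subset of IOS syntax shown here (indented interface subcommands and numbered extended ACLs); feed it a `show running-config` with the indentation intact.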