Using Secondary IP address as IPSEC Tunnel Source

Unanswered Question
Mar 12th, 2007

My company is in the process of converting our IP addresses to a different class C and would like to change our host IPSEC tunnel endpoint to something different ... This has to be a slow cutover, so can I use this config for my interface and use the secondary as my IPSEC source?

interface FastEthernet0/1
 ip address 208.74.x.x secondary
 ip address 67.132.x.x
 no ip proxy-arp
 speed 100
 no cdp enable
 crypto map xxx

abdel_n Tue, 03/13/2007 - 09:48


You do not even need to set a secondary IP address.

You can use a single IKE identity, so the VPN peer is identified by all of its peers with one IKE identity. This is achieved by using a loopback address (always up) that must be advertised by your routing protocol or by means of a static route.

This will save resources in the case where the crypto map is bound to different interfaces for access link redundancy, or, in your case, when you are planning to change the interface IP address, so the IKE SA will exist between the two peers regardless of which IP address is used.

On the other side you can point the IPSec "set peer" command to the peer's loopback interface.

Additional features might help:

- IPSec keepalive / DPD (Dead Peer Detection); this will detect peer failure in time.

- Another feature that will clear the IPSec SA if a maximum idle timeout is reached.

I successfully tested the configuration; take a look at the routers' configuration file.

I hope I answered your question.

Have a good work,


pduleski Wed, 03/14/2007 - 08:38

I have built a similar network in my lab and cannot get my IPSEC GRE tunnels to come up using the Loopback interface in RTR2 as the source of my crypto map and RTR1 using this loopback address as the destination. See attached configs.

abdel_n Thu, 03/15/2007 - 03:51


- Make sure that the ISAKMP, crypto map, and tunnel destination IP in the remote router use the loopback interface of the router (where you are planning to change the IP).

- Both crypto maps are bound to the physical interfaces.

- The traffic will be first tunneled using GRE then encrypted using IPSec, so make sure you have a route for traffic between sites to tunnel interfaces, and a route for the GRE traffic to the physical interfaces to trigger crypto maps.

Take a look at the enclosed file with more detailed explanation and troubleshooting.


pduleski Thu, 03/15/2007 - 05:42

Thank you.... Looks like I'm going to need to purchase another Ethernet card for this router, because I already have a crypto map applied to my Ethernet port and I can only have one crypto map per interface...

Once I apply this command, crypto map tor2 local-address loopback1, my other tunnels will go down.

abdel_n Thu, 03/15/2007 - 07:53


Try to just ping the peer interface IP, and check the command "show ip int" for errors; a hardware error should be the last thing to think about!

It looks like on one side the GRE tunnel cannot reach its configured IP destination address, so double check your routing statements.

By the way, if you have multiple IPSec VPN connections through one interface you can use different ISAKMP and IPSec policies within the same crypto map but with different sequence numbers (the lower the number, the higher the priority), and you can bypass the limitation of one crypto map per interface.

Good luck!
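A constructed configuration, added here as an illustration and not taken from either participant's attached files, that puts both of abdel_n's suggestions together: the loopback as the IKE identity and crypto-map local address (first reply), and several peers as separate sequence numbers within one crypto map bound to a single physical interface (reply above). All addresses (documentation ranges), interface and map names, ACL numbers and pre-shared keys are assumptions.

```cisco
! Constructed example; nothing here comes from the posters' configs.
! Stable IKE identity: a loopback that stays up while FastEthernet0/1 is renumbered.
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! One pre-shared key per peer (placeholders); peers see this router as 203.0.113.1.
crypto isakmp key PLACEHOLDER-KEY-A address 198.51.100.10
crypto isakmp key PLACEHOLDER-KEY-B address 198.51.100.20
! Dead Peer Detection: probe every 10 s, retry every 3 s, so a dead peer's SAs are cleared.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! One map, two entries: the lowest sequence number is evaluated first,
! so two peers share the single map the interface allows.
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address 110
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS
 match address 120
!
! GRE first, then IPsec: the ACLs match the GRE packets between loopbacks.
access-list 110 permit gre host 203.0.113.1 host 198.51.100.10
access-list 120 permit gre host 203.0.113.1 host 198.51.100.20
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.10
!
interface FastEthernet0/1
 ip address 192.0.2.2 255.255.255.0
 crypto map VPN
!
! Site traffic rides the tunnel; the GRE packets themselves leave via the
! physical interface, where the crypto map is bound and is triggered.
ip route 10.1.0.0 255.255.0.0 Tunnel0
ip route 198.51.100.0 255.255.255.0 192.0.2.1
```

The local-address statement applies to the whole named map, so every peer entry in it sources IKE from the loopback, and each remote peer must have a route to 203.0.113.1 for the SA to come up.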


pduleski Thu, 03/15/2007 - 12:12

Yes, I can do that, but once I add this command, crypto map xxx local-address loopback 0, wouldn't my other tunnels that are using the physical IP address go down?

