Using Secondary IP address as IPSEC Tunnel Source

pduleski
Level 1

My company is in the process of converting our IP addresses to a different class C and would like to change our host IPSEC tunnel end point to something different. This has to be a slow cut-over, so can I use this config for my interface and use the secondary as my IPSEC source?

interface FastEthernet0/1
 ip address 208.74.x.x 255.255.255.128 secondary
 ip address 67.132.x.x 255.255.255.224
 no ip proxy-arp
 speed 100
 full-duplex
 no cdp enable
 crypto map xxx

6 Replies

abdel_n
Level 1

Hello,

You do not even need to set a secondary IP address.

You can use a single IKE identity, so the VPN peer is identified by all of its peers with a single IKE identity. This is achieved by using a loopback address (always up) that must be advertised by your routing protocol or by means of a static route.

This will save resources in the case where the crypto map is bound to different interfaces for access-link redundancy, or, in your case, when you are planning to change the interface IP address, so the IKE SA will exist between the two peers regardless of which IP address is used.

On the other side you can point the IPSec "set peer" command to the peer's loopback interface.

Additional features might help:

- IPSec keepalive / DPD (Dead Peer Detection); this will detect peer failure in time.

- Another feature that will clear the IPSec SA if a maximum idle timeout is reached.

I successfully tested the configuration; take a look at the routers' configuration file.

I hope I answered your question.

Have a good work,

AJN

I have built a similar network in my lab and cannot get my IPSEC GRE tunnels to come up using the loopback interface in RTR2 as the source of my crypto map and RTR1 using this loopback address as the destination. See attached configs.

abdel_n
Level 1

Hi,

- Make sure that the ISAKMP, crypto map and tunnel destination IP in the remote router use the loopback interface of the router (where you are planning to change the IP).

- Both crypto maps are bound to the physical interfaces.

- The traffic will first be tunneled using GRE, then encrypted using IPSec, so make sure you have a route for traffic between sites to the tunnel interfaces, and a route for the GRE traffic to the physical interfaces to trigger the crypto maps.

Take a look at the enclosed file with a more detailed explanation and troubleshooting.

AJN
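
The two answers above describe one design: the loopback as the stable IKE identity and GRE endpoint, the crypto map bound to the physical interface(s) with `local-address` pointing at the loopback, DPD plus an SA idle timer, and the two routes (site traffic into the tunnel, the GRE packets out the physical interface) that make the crypto map fire. The configuration below is an added example written for this thread, not the attached lab configs from abdel_n or pduleski. Every address (RFC 5737 documentation ranges), interface, map name and ACL name is constructed, and `<PRE-SHARED-KEY>` is a placeholder. RTR1 keeps both its old and new WAN addresses during the cut-over, as in the original question; RTR2 is the remote peer.

```cisco
! Two-router GRE-over-IPsec sketch. Addresses, names and key are constructed
! for this example (RFC 5737 ranges); they are not from the thread's configs.
! Loopbacks are the IKE identities and GRE endpoints, so the WAN address of
! either router can change without re-pointing the peer.
!
!===================== RTR1 =====================
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The key is bound to the peer's loopback, which is the identity the peer presents
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
! DPD: probe a silent peer every 10 s, retry every 3 s, only when traffic is waiting
crypto isakmp keepalive 10 3 on-demand
! Tear down IPsec SAs that have carried no traffic for 600 s
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Every entry of map CM is sourced from Loopback0, whatever the egress interface
crypto map CM local-address Loopback0
crypto map CM 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address GRE-TO-RTR2
! Only the GRE packets between the loopbacks are encrypted; site traffic rides inside them
ip access-list extended GRE-TO-RTR2
 permit gre host 192.0.2.1 host 192.0.2.2
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
!
! Old (primary) and new (secondary) WAN addresses coexist during the cut-over;
! neither is the IPsec source, so the map does not care which one is removed later
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.224
 ip address 203.0.113.129 255.255.255.128 secondary
 crypto map CM
!
! Route 1: the remote LAN goes into the tunnel
ip route 10.2.0.0 255.255.0.0 Tunnel0
! Route 2: the resulting GRE packets (to the remote loopback) leave via the
! physical interface, which is what triggers the crypto map. Pointing this
! route at Tunnel0 would create recursive routing and the tunnel would flap.
ip route 192.0.2.2 255.255.255.255 203.0.113.30
!
!===================== RTR2 =====================
interface Loopback0
 ip address 192.0.2.2 255.255.255.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
crypto isakmp keepalive 10 3 on-demand
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map CM local-address Loopback0
crypto map CM 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address GRE-TO-RTR1
ip access-list extended GRE-TO-RTR1
 permit gre host 192.0.2.2 host 192.0.2.1
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.224
 crypto map CM
!
ip route 10.1.0.0 255.255.0.0 Tunnel0
ip route 192.0.2.1 255.255.255.255 198.51.100.30
```

To check the chain in the order the packets traverse it: `ping 192.0.2.2 source Loopback0` confirms the loopback-to-loopback route, `show crypto isakmp sa` should list the IKE SA with both loopbacks as endpoints, `show crypto ipsec sa` should show encaps/decaps counters rising on the GRE proxy identity, and only then will `show interfaces Tunnel0` report line protocol up and the tunnel-routed LAN traffic pass. If the IPsec SA never appears, the GRE route (Route 2) is the usual culprit.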

Thank you.... Looks like I'm going to need to purchase another Ethernet card for this router, because I already have a crypto map applied to my Ethernet port and I can only have one crypto map per interface...

Once I apply this command, crypto map tor2 local-address loopback1, my other tunnels will go down.

abdel_n
Level 1

Hello,

Try to just ping the peer interface IP, and check the command "show ip int" for errors; a hardware error should be the last thing to think about!

It looks like on one side the GRE tunnel cannot reach its configured destination IP address, so double-check your routing statements.

By the way, if you have multiple VPN IPSec connections through one interface, you can use different ISAKMP and IPSec policies within the same crypto map but with different sequence numbers (the lower the number, the higher the priority), and you can bypass the limitation of one crypto map per interface.

Good luck!

AJN
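
The single-map approach described above, as an added example that is not from the thread's attached configs: one crypto map name bound once to the interface, with a separate sequence entry per peer, each with its own key, transform set and traffic ACL. All addresses, names and keys are constructed (RFC 5737 ranges, placeholder keys). The comment on `local-address` is the point behind the question that follows this answer: that command is a property of the whole map, not of one sequence entry, so every peer in the map is affected by it.

```cisco
! One crypto map, two peers. Constructed example; not the thread's configs.
! A map NAME is applied to an interface once; each "crypto map NAME <seq>"
! entry is an independent peer and policy. Entries are evaluated lowest
! sequence number first, so put the most specific traffic match lowest.
!
! ISAKMP policies are global, not per map entry: during IKE negotiation the
! lowest-numbered policy the peer also supports wins.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encryption aes
 hash sha
 authentication pre-share
 group 14
! One key per peer identity (Site A peers from its loopback, Site B from its WAN address)
crypto isakmp key <KEY-FOR-SITE-A> address 192.0.2.2
crypto isakmp key <KEY-FOR-SITE-B> address 198.51.100.200
!
crypto ipsec transform-set TS-STRONG esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set TS-LEGACY esp-aes esp-sha-hmac
 mode tunnel
!
! CAVEAT: local-address applies to the WHOLE map. With this line present, BOTH
! entries below present Loopback0 as their IPsec/IKE source address. A peer
! that still has "set peer" and its ISAKMP key pointed at this router's
! physical address (Site B here) will see a source it does not know and its
! SA will not rebuild until that peer is updated to 192.0.2.1 as well.
crypto map CM local-address Loopback0
!
! Entry 10: Site A, loopback-to-loopback GRE over IPsec
crypto map CM 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-STRONG
 match address TO-SITE-A
!
! Entry 20: Site B, plain LAN-to-LAN IPsec with the older transform set
crypto map CM 20 ipsec-isakmp
 set peer 198.51.100.200
 set transform-set TS-LEGACY
 match address TO-SITE-B
!
ip access-list extended TO-SITE-A
 permit gre host 192.0.2.1 host 192.0.2.2
ip access-list extended TO-SITE-B
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! The map is applied here exactly once; no second interface is needed
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.224
 crypto map CM
```

`show crypto map` lists every sequence entry under the one map name together with the interface it is bound to, and `show crypto isakmp sa` shows which source address each peer's IKE SA is actually using, which is the quickest way to see whether the `local-address` change has been picked up by all peers or only by the one that was re-pointed at the loopback.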

Yes, I can do that, but once I add this command, crypto map xxx local-address loopback 0, wouldn't my other tunnels that are using the physical IP address go down?
