crypto applied on Loopback interface

Answered Question
Aug 31st, 2007

Hi,

The following is the config from one of our 2811 routers. We applied the crypto map on the loopback interface but it's not working. Can you review the config and let us know where else we can apply the crypto map for the VPN to work?

site#sh run

Building configuration...

Current configuration : 5956 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Site

!

boot-start-marker

boot-end-marker

!

enable secret cisco

!

no aaa new-model

!

resource policy

!

memory-size iomem 25

clock timezone EST -5

clock summer-time EDT recurring

no network-clock-participate wic 2

no network-clock-participate wic 3

ip subnet-zero

!

!

ip cef

no ip dhcp use vrf connected

!

controller T1 0/2/0

framing esf

linecode b8zs

cablelength short 133

channel-group 0 timeslots 1-24

!

controller T1 0/2/1

framing esf

linecode b8zs

cablelength short 133

channel-group 0 timeslots 1-24

!

controller T1 0/3/0

framing esf

linecode b8zs

cablelength short 133

channel-group 0 timeslots 1-24

!

controller T1 0/3/1

framing esf

linecode b8zs

cablelength short 133

channel-group 0 timeslots 1-24

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp key wsld0829 address 66.78.246.175

!

!

crypto ipsec transform-set rtpset esp-3des esp-md5-hmac

!

crypto map rtp 10 ipsec-isakmp

set peer 66.78.246.175

set transform-set rtpset

match address 110

!

!

!

interface Loopback0

description **** IP Address of Multilink Serial Lines ****

ip address 168.88.110.200 255.255.255.252

crypto map rtp

!

interface Serial0/0/0

description **** To Sprint HCGS/987682//LB ****

no ip address

encapsulation ppp

no fair-queue

pulse-time 1

ppp multilink

crypto map rtp

!

interface Serial0/1/0

description **** To Sprint HCGS/987683//LB ****

no ip address

ip verify unicast reverse-path

no ip redirects

no ip unreachables

encapsulation ppp

no fair-queue

pulse-time 1

ppp multilink

!

interface Serial0/2/0:0

no ip address

ip verify unicast reverse-path

no ip redirects

no ip unreachables

encapsulation ppp

no fair-queue

pulse-time 1

ppp multilink

crypto map rtp

!

interface Serial0/2/1:0

no ip address

ip verify unicast reverse-path

no ip redirects

no ip unreachables

encapsulation ppp

no fair-queue

pulse-time 1

ppp multilink

crypto map rtp

!

interface Serial0/3/0:0

no ip address

ip verify unicast reverse-path

no ip redirects

no ip unreachables

encapsulation ppp

shutdown

no fair-queue

pulse-time 1

ppp multilink

!

interface Serial0/3/1:0

no ip address

ip verify unicast reverse-path

no ip redirects

no ip unreachables

encapsulation ppp

shutdown

no fair-queue

pulse-time 1

ppp multilink

!

interface Virtual-Template1

ip unnumbered Loopback0

ppp multilink

!

ip classless

ip route 0.0.0.0 0.0.0.0 160.81.110.209

ip route 200.3.201.0 255.255.255.0 207.40.33.100

ip route 203.13.189.0 255.255.255.0 207.40.33.100

!

ip http server

no ip http secure-server

!

access-list 110 remark Tunnel ACL

access-list 110 remark Allowing router loopback

access-list 110 permit ip host 168.88.110.200 67.210.111.204 0.0.0.15

access-list 110 remark Allowing IP3

access-list 110 permit ip host 207.41.32.106 65.210.126.240 0.0.0.15

access-list 110 remark Allowing devices

access-list 110 permit ip 208.3.187.0 0.0.0.15 65.210.126.240 0.0.0.15

access-list 110 permit ip 208.3.187.16 0.0.0.7 65.210.126.240 0.0.0.15

access-list 110 permit ip 208.3.187.24 0.0.0.1 65.210.126.240 0.0.0.15

dialer-list 1 protocol ip permit

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

password cisco

login local

!

end

Your suggestion will be highly appreciated.

Regards,

khan

Jon Marshall Fri, 08/31/2007 - 04:55

Hi

Try adding this to your config

crypto map rtp local-address loopback0

HTH

Jon

azmath.hk Fri, 08/31/2007 - 05:08

Jon,

I tried the above command; it is accepted but not showing in the configuration. Also not able to ping from the management subnet.

Any suggestion or help?

azmath.hk Fri, 08/31/2007 - 05:33

Able to establish the tunnel, but can't ping the router loopback from the management station.

Please help me!

azmath.hk Fri, 08/31/2007 - 05:47

Jon,

Thanks for your help.

Here is the management station's IP: 65.210.126.240.

Correct Answer
jerrytozhang Fri, 08/31/2007 - 07:01

1: try to add the following command into your router:

multilink virtual-template 1

2: put the "crypto map rtp" command into the virtual-template 1 sub-configuration.

3: remove the "crypto map rtp" command from all serial interface sub-configurations and from the loopback interface.

4: highly recommended to remove the following command from each serial interface:

ip verify unicast reverse-path

5: if it still doesn't work, reapply the "crypto map rtp" command into all serial interface sub-configurations.

Jerry
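The five steps above, applied mechanically to the posted running-config, as an added example written for this page (Python; not code from the thread or from Cisco). It splits the config at the `!` stanza separators, strips `crypto map rtp` from the Serial and Loopback stanzas, drops `ip verify unicast reverse-path` from the Serial members, puts the map on Virtual-Template1 and prepends the global `multilink virtual-template 1`; Jon's `crypto map rtp local-address Loopback0` can be added through the optional `local_address` argument. `SAMPLE_CONFIG` is a constructed, abbreviated excerpt of the config in the question; step 5 (putting the map back on the serials if it still fails) is left to the operator.

```python
"""Apply the accepted answer's steps to an IOS running-config.

Added illustration for this thread, not code from it. Parsing is by the
'!' stanza separators that IOS emits, so it works on a config pasted
without indentation (as in the question) as well as on a real `show run`.
"""
import re

# Constructed, abbreviated excerpt of the config in the question.
SAMPLE_CONFIG = """\
crypto map rtp 10 ipsec-isakmp
 set peer 66.78.246.175
 set transform-set rtpset
 match address 110
!
interface Loopback0
 ip address 168.88.110.200 255.255.255.252
 crypto map rtp
!
interface Serial0/0/0
 no ip address
 encapsulation ppp
 ppp multilink
 crypto map rtp
!
interface Serial0/2/0:0
 no ip address
 ip verify unicast reverse-path
 encapsulation ppp
 ppp multilink
 crypto map rtp
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp multilink
!
ip route 0.0.0.0 0.0.0.0 160.81.110.209
!
"""


def split_blocks(config):
    """Split a config into blocks of stripped lines, one per '!'-delimited stanza."""
    blocks, cur = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            if cur:
                blocks.append(cur)
            cur = []
        elif line:
            cur.append(line)
    if cur:
        blocks.append(cur)
    return blocks


def render(blocks):
    """Re-emit blocks in IOS style: sub-commands indented, '!' between stanzas."""
    lines = []
    for block in blocks:
        lines.append(block[0])
        lines.extend(" " + sub for sub in block[1:])
        lines.append("!")
    return "\n".join(lines) + "\n"


def apply_fix(config, crypto_map="rtp", vtemplate="Virtual-Template1",
              local_address=None):
    """Return the config with the crypto map moved onto the virtual-template.

    Implements steps 1-4 of the accepted answer. `local_address` (for example
    "Loopback0") optionally adds Jon's `crypto map <name> local-address <intf>`.
    """
    map_cmd = f"crypto map {crypto_map}"
    urpf_cmd = "ip verify unicast reverse-path"
    out, vt_seen = [], False
    for block in split_blocks(config):
        head, body = block[0], block[1:]
        if head.startswith("interface "):
            name = head.split(None, 1)[1]
            if name.startswith(("Serial", "Loopback")):   # step 3
                body = [l for l in body if l != map_cmd]
            if name.startswith("Serial"):                 # step 4
                body = [l for l in body if l != urpf_cmd]
            if name == vtemplate:                         # step 2
                vt_seen = True
                if map_cmd not in body:
                    body = body + [map_cmd]
        out.append([head] + body)
    if not vt_seen:
        raise ValueError(f"no 'interface {vtemplate}' stanza in config")
    number = re.search(r"(\d+)$", vtemplate).group(1)
    prepend = [[f"multilink virtual-template {number}"]]  # step 1 (global)
    if local_address:
        prepend.append([f"{map_cmd} local-address {local_address}"])
    existing = {b[0] for b in out}
    out = [g for g in prepend if g[0] not in existing] + out
    return render(out)


if __name__ == "__main__":
    print(apply_fix(SAMPLE_CONFIG, local_address="Loopback0"))
```

Running it prints the rewritten stanzas; the transform is idempotent, so feeding its own output back in changes nothing, which makes it safe to diff against a later `show run`.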

azmath.hk Fri, 08/31/2007 - 07:07

Jerry,

I tried applying crypto map rtp on virtual-template 1, but it did not work.

Please help me out...

azmath.hk Fri, 08/31/2007 - 07:21

Because the virtual-template 1 interface is IP unnumbered... on an unnumbered interface you can't apply a crypto map.

jerrytozhang Fri, 08/31/2007 - 09:16

Try applying crypto map rtp on your loopback; please don't forget to remove "ip verify unicast reverse-path".

azmath.hk Fri, 08/31/2007 - 09:29

Jerry,

I tried applying crypto map rtp on the loopback 0 interface, but it did not work.

I have noticed that virtual-template 1 accepts the crypto map rtp command, but it still did not work.

I have seen that the virtual-access interface is getting its IP from the fastethernet 0 interface; I don't know why.

But as soon as i add this static route:-

ip route 0.0.0.0 0.0.0.0 loopback 0

I am able to ping from the management station, but not able to ping the inside device, which was pingable before adding this route on the router.

I am not able to understand why we are able to ping when we add the above default route, and why we are not able to access the inside server from management.

Valuable suggestions will be highly appreciated.

Regards,

khan

azmath.hk Mon, 09/03/2007 - 09:05

Jerry/all,

I configured every bit as suggested by Jerry, but I am still not able to ping from the management station.

I have noticed something strange: virtual-template 1 is showing down/down when I type the show ip int bri command.

Is there any way to bring this up and make things work?

Any help at this point will be highly appreciated.

Regards,

Khan

azmath.hk Tue, 09/04/2007 - 03:26

Jerry,

It's working now after I rebooted the router...

Thank you very much.

Regards,

Khan

jerrytozhang Tue, 09/04/2007 - 07:25

Haha, finally it works; that's great.

So, can you kindly paste your final configuration here? Other people can easily benefit from your configuration, and I won't need to answer this same question anymore :).

Jerry

azmath.hk Tue, 09/04/2007 - 08:24

Jerry,

Sure, I will paste and rate your inputs.

Could you please tell me what exactly the following command does? As soon as I removed it, everything started working fine.

ip verify unicast reverse-path

Regards,

Khan

jerrytozhang Tue, 09/04/2007 - 08:55

ip verify unicast reverse-path is a security feature; it has been in Cisco IOS routers and the PIX firewall for a long time. In summary, this security feature verifies that the packets the router receives on a port arrive on the port through which the respective returning packets would be forwarded out.

One port in and same port out!

go to see the URL below for more detail:

http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a00804fdef9.html#wp1000928

Thanks,

Jerry
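Jerry's description of the check, as an added, runnable illustration (Python; not from the thread or from Cisco). It does a longest-prefix lookup on the packet's source address and passes the packet only if that route exits via the ingress interface, which is what `ip verify unicast reverse-path` (strict mode) enforces; it also models the loose variant (`ip verify unicast source reachable-via any`) and the IOS rule that a default route satisfies neither mode unless the `allow-default` keyword is given. The FIB entries, the packets and the interface names are constructed for the example: the thread's default next hop 160.81.110.209 is kept, but which interface it resolves out of is not on the page and is assumed here, as is the name of the multilink bundle interface.

```python
"""Strict- and loose-mode unicast RPF as a reverse-path lookup.

Added illustration for this thread, not code from it. A packet is accepted
under strict mode only if the router's best route back to the packet's
SOURCE address exits via the interface the packet arrived on.
"""
import ipaddress


def lookup(fib, src):
    """Longest-prefix match of src against fib -> (network, egress) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, egress in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def urpf_strict(fib, ingress, src, allow_default=False):
    """`ip verify unicast reverse-path` (same as `source reachable-via rx`).

    Passes only when the reverse path for src is the ingress interface. As
    in IOS, a /0 default route does not satisfy the check unless allow_default.
    """
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, egress = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return egress == ingress


def urpf_loose(fib, src, allow_default=False):
    """`ip verify unicast source reachable-via any`: any non-default route to
    src suffices, whatever interface it points out of."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    return hit[0].prefixlen > 0 or allow_default


def check(fib, packets, allow_default=False):
    """Run strict uRPF over (ingress, src) pairs -> list of 'pass'/'drop'."""
    return ["pass" if urpf_strict(fib, ing, src, allow_default) else "drop"
            for ing, src in packets]


# Constructed FIBs. 160.81.110.209 is the default next hop in the posted
# config; the egress interface it resolves through is an assumption.
FIB_DEFAULT_ONLY = [("0.0.0.0/0", "FastEthernet0/0")]
FIB_WITH_MGMT = FIB_DEFAULT_ONLY + [("65.210.126.240/28", "Virtual-Access1")]

# Constructed packets arriving on the (assumed) multilink bundle interface:
# the management station from the thread and a spoofed private source.
PACKETS = [("Virtual-Access1", "65.210.126.240"),
           ("Virtual-Access1", "10.0.0.1")]

if __name__ == "__main__":
    print("default route only :", check(FIB_DEFAULT_ONLY, PACKETS))
    print("with /28 via bundle:", check(FIB_WITH_MGMT, PACKETS))
```

With only a default route, strict mode drops the management station's packets even though they are legitimate, because the reverse path is not the bundle. Rather than removing the check altogether (which also gives up its anti-spoofing value), a route for the management subnet pointing back through the interface it arrives on, or loose mode where the topology is asymmetric, keeps the feature while letting that traffic through.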
