crypto applied on Loopback interface

Answered Question
Aug 31st, 2007

Hi,


The following is the config from one of our 2811 routers. We applied crypto on the loopback interface but it's not working. Can you review the config and let us know your suggestion as to where else we can apply the crypto map for the VPN to work.


site#sh run
Building configuration...

Current configuration : 5956 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Site
!
boot-start-marker
boot-end-marker
!
enable secret cisco
!
no aaa new-model
!
resource policy
!
memory-size iomem 25
clock timezone EST -5
clock summer-time EDT recurring
no network-clock-participate wic 2
no network-clock-participate wic 3
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
controller T1 0/2/0
 framing esf
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24
!
controller T1 0/2/1
 framing esf
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24
!
controller T1 0/3/0
 framing esf
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24
!
controller T1 0/3/1
 framing esf
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key wsld0829 address 66.78.246.175
!
!
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
!
crypto map rtp 10 ipsec-isakmp
 set peer 66.78.246.175
 set transform-set rtpset
 match address 110
!
!
!
interface Loopback0
 description **** IP Address of Multilink Serial Lines ****
 ip address 168.88.110.200 255.255.255.252
 crypto map rtp
!
interface Serial0/0/0
 description **** To Sprint HCGS/987682//LB ****
 no ip address
 encapsulation ppp
 no fair-queue
 pulse-time 1
 ppp multilink
 crypto map rtp
!
interface Serial0/1/0
 description **** To Sprint HCGS/987683//LB ****
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no fair-queue
 pulse-time 1
 ppp multilink
!
interface Serial0/2/0:0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no fair-queue
 pulse-time 1
 ppp multilink
 crypto map rtp
!
interface Serial0/2/1:0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no fair-queue
 pulse-time 1
 ppp multilink
 crypto map rtp
!
interface Serial0/3/0:0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 encapsulation ppp
 shutdown
 no fair-queue
 pulse-time 1
 ppp multilink
!
interface Serial0/3/1:0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 encapsulation ppp
 shutdown
 no fair-queue
 pulse-time 1
 ppp multilink
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 160.81.110.209
ip route 200.3.201.0 255.255.255.0 207.40.33.100
ip route 203.13.189.0 255.255.255.0 207.40.33.100
!
ip http server
no ip http secure-server
!
access-list 110 remark Tunnel ACL
access-list 110 remark Allowing router loopback
access-list 110 permit ip host 168.88.110.200 67.210.111.204 0.0.0.15
access-list 110 remark Allowing IP3
access-list 110 permit ip host 207.41.32.106 65.210.126.240 0.0.0.15
access-list 110 remark Allowing devices
access-list 110 permit ip 208.3.187.0 0.0.0.15 65.210.126.240 0.0.0.15
access-list 110 permit ip 208.3.187.16 0.0.0.7 65.210.126.240 0.0.0.15
access-list 110 permit ip 208.3.187.24 0.0.0.1 65.210.126.240 0.0.0.15
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login local
!
end






Your suggestion will be highly appreciated.



Regards,

khan

Jon Marshall Fri, 08/31/2007 - 04:55

Hi


Try adding this to your config


crypto map rtp local-address loopback0


HTH


Jon

azmath.hk Fri, 08/31/2007 - 05:08

Jon,


I tried the above command; it's accepted but not showing in the configuration... Also not able to ping from the management subnet.


Any suggestion or help?

azmath.hk Fri, 08/31/2007 - 05:33

Able to establish the tunnel but can't ping the router loopback from the management station?


Please help me!!!!!!!!!!

Jon Marshall Fri, 08/31/2007 - 05:36

What is the management station IP address?


azmath.hk Fri, 08/31/2007 - 05:47

Jon,

Thanks for your help.


Here is the management station's IP: 65.210.126.240 ....



Correct Answer
jerrytozhang Fri, 08/31/2007 - 07:01

1: Try to add the following command to your router.


multilink virtual-template 1


2: Put the "crypto map rtp" command into the virtual-template 1 sub-configuration.


3: Remove the "crypto map rtp" command from all serial interface sub-configurations and the loopback interface.


4: Highly recommended to remove the following command from each serial interface.


ip verify unicast reverse-path


5: If it still doesn't work, reapply the "crypto map rtp" command to all serial interface sub-configurations.


Jerry

azmath.hk Fri, 08/31/2007 - 07:07

Jerry,


I tried applying crypto map rtp to virtual-template 1 but it did not work out.


Please help me out...



azmath.hk Fri, 08/31/2007 - 07:21

Because the virtual-template 1 interface is IP unnumbered... on an unnumbered interface you can't apply a crypto map.

jerrytozhang Fri, 08/31/2007 - 09:16

Try applying crypto map rtp to your loopback; please don't forget to remove "ip verify unicast reverse-path".

azmath.hk Fri, 08/31/2007 - 09:29

Jerry,


I tried applying crypto map rtp to the loopback 0 interface but it did not work..


I have noticed that virtual-template 1 is accepting the crypto map rtp command, but it still did not work.


I have seen that the virtual-access interface is getting its IP from the fastethernet 0 interface, I don't know why?


But as soon as I add this static route:-


ip route 0.0.0.0 0.0.0.0 loopback 0


I am able to ping from the management station, but not able to ping the inside device, which was pingable before adding this route on the router.


I am not able to understand why we are able to ping when we add the above default route, and why we are not able to access the inside server from management?


Your valuable suggestion will be highly appreciated.


Regards,

khan

azmath.hk Mon, 09/03/2007 - 09:05

Jerry/all,


I configured every bit as suggested by Jerry, but still not able to ping from the management station.


I have noticed something strange: virtual-template 1 is showing down/down when I type the show ip int bri command.


Is there any way to bring this up and make things work...


Any help at this point will be highly appreciated.


Regards,

Khan

azmath.hk Tue, 09/04/2007 - 03:26

Jerry,


It's working now after I rebooted the router...


Thank you very much..


Regards,

Khan

jerrytozhang Tue, 09/04/2007 - 07:25

Haha... finally, it works, it's great for me.


So, can you kindly paste your final configuration here? Other people can easily benefit from your configuration, and I won't need to answer this similar question anymore :).


Jerry

azmath.hk Tue, 09/04/2007 - 08:24

Jerry,


Sure, I will paste and rate your inputs.


Could you please tell me what exactly the following command does, because as soon as I removed this command everything started working fine so far.


ip verify unicast reverse-path


Regards,

Khan

jerrytozhang Tue, 09/04/2007 - 08:55

ip verify unicast reverse-path is a security feature; it's been in Cisco IOS routers and PIX firewalls a long time. In summary, this security feature just verifies that the packets the router receives on a port arrive on the port through which the respective returning packets would be forwarded out. One port in and same port out!


Go to the URL below for more detail:

http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a00804fdef9.html#wp1000928


Thanks,


Jerry
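As an added illustration that is not part of the thread, here is a small Python model of the strict reverse-path check Jerry describes, run against a routing table built from the "ip route" lines in the posted config. The egress interfaces the static routes resolve to, and the handling of the default route (which IOS uRPF ignores unless allow-default is configured), are assumptions in this model; it also goes beyond the thread by including a loose-mode variant for comparison.

```python
import ipaddress

# Constructed routing table modelled on the "ip route" lines in the thread.
# The egress interfaces are assumptions (they depend on how each next-hop resolves).
ROUTES = [
    ("0.0.0.0/0",         "Virtual-Access1"),  # default via 160.81.110.209
    ("200.3.201.0/24",    "FastEthernet0/0"),  # via 207.40.33.100
    ("203.13.189.0/24",   "FastEthernet0/0"),  # via 207.40.33.100
    ("168.88.110.200/30", "Loopback0"),        # connected loopback subnet
]

def best_route(src, routes):
    """Longest-prefix match for a source address; returns (network, iface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict(src, ingress, routes=ROUTES, allow_default=False):
    """Model of 'ip verify unicast reverse-path' (strict mode): accept only if the
    route back to the source leaves via the interface the packet arrived on.
    A source matched only by the default route fails unless allow-default is set."""
    best = best_route(src, routes)
    if best is None:
        return False
    net, iface = best
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress

def urpf_loose(src, routes=ROUTES, allow_default=False):
    """Loose mode ('reachable-via any'): accept if any route to the source exists,
    whatever the ingress interface; the default route is treated as above."""
    best = best_route(src, routes)
    return best is not None and (best[0].prefixlen > 0 or allow_default)

def thread_scenario():
    """The thread's case: the management station (65.210.126.240) matches only the
    default route and arrives on a bundle member link, so strict mode drops it,
    while a packet spoofing the loopback subnet is (correctly) dropped too."""
    return {
        "mgmt_on_member_strict": urpf_strict("65.210.126.240", "Serial0/2/0:0"),
        "mgmt_on_bundle_allow_default": urpf_strict("65.210.126.240", "Virtual-Access1", allow_default=True),
        "spoofed_loopback_subnet": urpf_strict("168.88.110.201", "Serial0/2/0:0"),
        "mgmt_loose_allow_default": urpf_loose("65.210.126.240", allow_default=True),
    }
```

The spoofed-source case is what the feature is for, so on a real router the fix is usually to make the routing consistent (or use loose mode with allow-default) rather than to remove the check entirely.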


