08-31-2007 03:15 AM
Hi,
The following is the config from one of our 2811 routers. We applied the crypto map on the loopback interface but it's not working. Can you review the config and let us know your suggestions as to where else we can apply the crypto map for the VPN to work?
site#sh run
Building configuration...
Current configuration : 5956 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Site
!
boot-start-marker
boot-end-marker
!
enable secret cisco
!
no aaa new-model
!
resource policy
!
memory-size iomem 25
clock timezone EST -5
clock summer-time EDT recurring
no network-clock-participate wic 2
no network-clock-participate wic 3
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
controller T1 0/2/0
framing esf
linecode b8zs
cablelength short 133
channel-group 0 timeslots 1-24
!
controller T1 0/2/1
framing esf
linecode b8zs
cablelength short 133
channel-group 0 timeslots 1-24
!
controller T1 0/3/0
framing esf
linecode b8zs
cablelength short 133
channel-group 0 timeslots 1-24
!
controller T1 0/3/1
framing esf
linecode b8zs
cablelength short 133
channel-group 0 timeslots 1-24
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key wsld0829 address 66.78.246.175
!
!
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
!
crypto map rtp 10 ipsec-isakmp
set peer 66.78.246.175
set transform-set rtpset
match address 110
!
!
!
interface Loopback0
description **** IP Address of Multilink Serial Lines ****
ip address 168.88.110.200 255.255.255.252
crypto map rtp
!
interface Serial0/0/0
description **** To Sprint HCGS/987682//LB ****
no ip address
encapsulation ppp
no fair-queue
pulse-time 1
ppp multilink
crypto map rtp
!
interface Serial0/1/0
description **** To Sprint HCGS/987683//LB ****
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
encapsulation ppp
no fair-queue
pulse-time 1
ppp multilink
!
interface Serial0/2/0:0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
encapsulation ppp
no fair-queue
pulse-time 1
ppp multilink
crypto map rtp
!
interface Serial0/2/1:0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
encapsulation ppp
no fair-queue
pulse-time 1
ppp multilink
crypto map rtp
!
interface Serial0/3/0:0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
encapsulation ppp
shutdown
no fair-queue
pulse-time 1
ppp multilink
!
interface Serial0/3/1:0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
encapsulation ppp
shutdown
no fair-queue
pulse-time 1
ppp multilink
!
interface Virtual-Template1
ip unnumbered Loopback0
ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 160.81.110.209
ip route 200.3.201.0 255.255.255.0 207.40.33.100
ip route 203.13.189.0 255.255.255.0 207.40.33.100
!
ip http server
no ip http secure-server
!
access-list 110 remark Tunnel ACL
access-list 110 remark Allowing router loopback
access-list 110 permit ip host 168.88.110.200 67.210.111.204 0.0.0.15
access-list 110 remark Allowing IP3
access-list 110 permit ip host 207.41.32.106 65.210.126.240 0.0.0.15
access-list 110 remark Allowing devices
access-list 110 permit ip 208.3.187.0 0.0.0.15 65.210.126.240 0.0.0.15
access-list 110 permit ip 208.3.187.16 0.0.0.7 65.210.126.240 0.0.0.15
access-list 110 permit ip 208.3.187.24 0.0.0.1 65.210.126.240 0.0.0.15
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login local
!
end
Your suggestion will be highly appreciated.
Regards,
khan
08-31-2007 04:22 AM
Please help me out.
08-31-2007 04:55 AM
Hi
Try adding this to your config
crypto map rtp local-address loopback0
HTH
Jon
08-31-2007 05:08 AM
Jon,
I tried the above command; it's accepting it but not showing it in the configuration... Also not able to ping from the management subnet.
Any suggestion or help?
08-31-2007 05:33 AM
Able to establish the tunnel but can't ping the router loopback from the management station?
Please help me!!!!!!!!!!
08-31-2007 05:36 AM
What is the management station IP address?
08-31-2007 05:47 AM
Jon,
Thanks for your help.
Here is the management station's IP: 65.210.126.240 ....
08-31-2007 07:01 AM
1: Try adding the following command to your router.
multilink virtual-template 1
2: Put the "crypto map rtp" command into the virtual-template 1 sub-configuration.
3: Remove the "crypto map rtp" command from all serial interface sub-configurations and from the loopback interface.
4: Highly recommended to remove the following command from each serial interface.
ip verify unicast reverse-path
5: If it still doesn't work, reapply the "crypto map rtp" command to all serial interface sub-configurations.
Jerry
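The five steps in the reply above can be checked against a saved running-config before and after making changes. This is an added example, not something posted by anyone in the thread: the function names `parse_interfaces` and `audit` are hypothetical, and `SAMPLE` is a trimmed excerpt of the configuration posted at the top of the thread.

```python
import re

# Trimmed excerpt of the running-config posted in this thread (not the full config).
SAMPLE = """\
interface Loopback0
 ip address 168.88.110.200 255.255.255.252
 crypto map rtp
!
interface Serial0/2/0:0
 no ip address
 ip verify unicast reverse-path
 ppp multilink
 crypto map rtp
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp multilink
!
"""

def parse_interfaces(cfg):
    """Return {interface name: [sub-commands]}; a stanza ends at '!' or a blank line."""
    ifaces, current = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line == "!" or not line:
            current = None
        elif current is not None:
            current.append(line)
    return ifaces

def audit(cfg):
    """List (interface, note) pairs where the config differs from steps 1-4 of the reply."""
    ifaces = parse_interfaces(cfg)
    # Step 1 is a global command, so search the whole config rather than a stanza.
    has_global = re.search(r"^\s*multilink virtual-template \d+", cfg, re.M)
    findings = []
    for name, cmds in ifaces.items():
        has_map = any(c.startswith("crypto map ") for c in cmds)
        if name.startswith("Virtual-Template"):
            if not has_global:
                findings.append((name, "step 1: no global 'multilink virtual-template'"))
            if not has_map:
                findings.append((name, "step 2: no crypto map on the virtual template"))
        elif has_map:
            findings.append((name, "step 3: crypto map still applied here"))
        if "ip verify unicast reverse-path" in cmds:
            findings.append((name, "step 4: 'ip verify unicast reverse-path' present"))
    return findings
```

Because stanzas are delimited by `!` rather than indentation, the parser also works on a config pasted with its leading spaces stripped, as in the original post.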
08-31-2007 07:07 AM
Jerry,
I tried applying the crypto map rtp into virtual-template 1 but did not work out.
Please help me out...
08-31-2007 07:21 AM
Because the virtual-template 1 interface is IP unnumbered... on an unnumbered interface you can't apply a crypto map.
08-31-2007 09:16 AM
Try applying the crypto map rtp to your loopback, and please don't forget to remove "ip verify unicast reverse-path".
08-31-2007 09:29 AM
Jerry,
I tried applying crypto map rtp to the loopback 0 interface but it did not work.
I have noticed that virtual-template 1 is accepting the crypto map rtp command but it still did not work.
I have seen that the virtual-access interface is getting its IP from the fastethernet 0 interface, I don't know why?
But as soon as I add this static route:
ip route 0.0.0.0 0.0.0.0 loopback 0
I am able to ping from the management station, but not able to ping the inside device which was pingable before adding this route on the router.
I am not able to understand why we are able to ping when we add the above default route, and why we are not able to access the inside server from management?
Valuable suggestions will be highly appreciated.
Regards,
khan
09-03-2007 05:39 AM
Any updates?
09-03-2007 09:05 AM
Jerry/all,
I configured everything as suggested by Jerry, but I am still not able to ping from the management station.
I have noticed something strange: virtual-template 1 is showing down down when I type the show ip int bri command.
Is there any way to bring this up and make things work...
Any help at this point will be highly appreciated.
Regards,
Khan
09-03-2007 09:17 AM
Guys, Please help me out from this problem.