crypto applied on Loopback interface

azmath.hk
Level 1

Hi,

The following is the config from one of our 2811 routers. We applied crypto on the loopback interface but it's not working. Can you review the config and let us know your suggestion as to where else we can apply the crypto map for the VPN to work?

site#sh run
Building configuration...

Current configuration : 5956 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Site
!
boot-start-marker
boot-end-marker
!
enable secret cisco
!
no aaa new-model
!
resource policy
!
memory-size iomem 25
clock timezone EST -5
clock summer-time EDT recurring
no network-clock-participate wic 2
no network-clock-participate wic 3
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
controller T1 0/2/0
 framing esf
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24
!
controller T1 0/2/1
 framing esf
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24
!
controller T1 0/3/0
 framing esf
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24
!
controller T1 0/3/1
 framing esf
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key wsld0829 address 66.78.246.175
!
!
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
!
crypto map rtp 10 ipsec-isakmp
 set peer 66.78.246.175
 set transform-set rtpset
 match address 110
!
!
!
interface Loopback0
 description **** IP Address of Multilink Serial Lines ****
 ip address 168.88.110.200 255.255.255.252
 crypto map rtp
!
interface Serial0/0/0
 description **** To Sprint HCGS/987682//LB ****
 no ip address
 encapsulation ppp
 no fair-queue
 pulse-time 1
 ppp multilink
 crypto map rtp
!
interface Serial0/1/0
 description **** To Sprint HCGS/987683//LB ****
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no fair-queue
 pulse-time 1
 ppp multilink
!
interface Serial0/2/0:0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no fair-queue
 pulse-time 1
 ppp multilink
 crypto map rtp
!
interface Serial0/2/1:0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no fair-queue
 pulse-time 1
 ppp multilink
 crypto map rtp
!
interface Serial0/3/0:0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 encapsulation ppp
 shutdown
 no fair-queue
 pulse-time 1
 ppp multilink
!
interface Serial0/3/1:0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 encapsulation ppp
 shutdown
 no fair-queue
 pulse-time 1
 ppp multilink
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 160.81.110.209
ip route 200.3.201.0 255.255.255.0 207.40.33.100
ip route 203.13.189.0 255.255.255.0 207.40.33.100
!
ip http server
no ip http secure-server
!
access-list 110 remark Tunnel ACL
access-list 110 remark Allowing router loopback
access-list 110 permit ip host 168.88.110.200 67.210.111.204 0.0.0.15
access-list 110 remark Allowing IP3
access-list 110 permit ip host 207.41.32.106 65.210.126.240 0.0.0.15
access-list 110 remark Allowing devices
access-list 110 permit ip 208.3.187.0 0.0.0.15 65.210.126.240 0.0.0.15
access-list 110 permit ip 208.3.187.16 0.0.0.7 65.210.126.240 0.0.0.15
access-list 110 permit ip 208.3.187.24 0.0.0.1 65.210.126.240 0.0.0.15
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login local
!
end

Your suggestion will be highly appreciated.

Regards,

khan

1 Accepted Solution

1: Try to add the following command into your router.

multilink virtual-template 1

2: Put the "crypto map rtp" command into the virtual-template 1 sub-configuration.

3: Remove the "crypto map rtp" command from all serial interface sub-configurations and the loopback interface.

4: Highly recommended to remove the following command from each serial interface.

ip verify unicast reverse-path

5: If it still doesn't work, reapply the "crypto map rtp" command to all serial interface sub-configurations.

Jerry

19 Replies

azmath.hk
Level 1

Please help me out.

Jon Marshall
Hall of Fame

Hi

Try adding this to your config

crypto map rtp local-address loopback0

HTH

Jon

Jon,

I tried the above command; it's accepted but not showing in the configuration... Also not able to ping from the management subnet.

Any suggestion or help?

Able to establish the tunnel but can't ping the router loopback from the management station?

Please help me!!!!!!!!!!

What is the management station IP address?

Jon,

Thanks for your help.

Here is the management station's IP 65.210.126.240 ....

Jerry,

I tried applying the crypto map rtp into virtual-template 1 but it did not work out.

Please help me out...

Because the virtual-template 1 interface is IP unnumbered... on an unnumbered interface you can't apply a crypto map.

Try applying the crypto map rtp to your loopback, and please don't forget to remove "ip verify unicast reverse-path".

Jerry,

I tried applying crypto map rtp into the loopback 0 interface but it did not work.

I have noticed that virtual-template 1 is accepting the crypto map rtp command but it still did not work.

I have seen that the virtual-access interface is getting its IP from the fastethernet 0 interface, I don't know why?

But as soon as I add this static route:

ip route 0.0.0.0 0.0.0.0 loopback 0

I am able to ping from the management station, but not able to ping the inside device which was pingable before adding this route on the router.

I am not able to understand why we are able to ping when we add the above default route and why we are not able to access the inside server from management?

Valuable suggestions will be highly appreciated.

Regards,

khan

Any updates?

Jerry/all,

I configured everything bit as suggested by Jerry, but still not able to ping from the management station.

I have noticed something strange: virtual-template 1 is showing down down when I type the show ip int bri command.

Is there any way to bring this up and make things work...

Any help at this point will be highly appreciated.

Regards,

Khan

Guys, Please help me out from this problem.
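
Added example, not part of any post in this thread and not Cisco tooling: a small Python check that reads "show run" text and lists the points the replies above ask about (which interfaces carry the crypto map, whether a "crypto map <name> local-address" line and a "multilink virtual-template <n>" line exist, and where "ip verify unicast reverse-path" is enabled). The sample config is constructed with documentation addresses, and the names parse_interfaces and audit are chosen here; the parser closes a block on "!" so it also works on text that has lost its indentation.

```python
import re
# Constructed sample in the shape of the posted config (documentation addresses).
SAMPLE = """\
interface Loopback0
 ip address 192.0.2.1 255.255.255.252
 crypto map rtp
!
interface Serial0/0/0
 no ip address
 crypto map rtp
!
interface Serial0/1/0
 no ip address
 ip verify unicast reverse-path
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
"""

def parse_interfaces(config):
    """Map interface name -> list of sub-commands; a '!' line closes a block."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], [])
        elif line == "!":
            current = None
        elif line and current is not None:
            current.append(line)
    return blocks

def audit(config):
    """Return the review points from the thread's replies that apply to config."""
    out = []
    for name, cmds in parse_interfaces(config).items():
        cmap = next((c.split()[2] for c in cmds if c.startswith("crypto map ")), None)
        if cmap and "no ip address" in cmds:
            out.append(f"{name}: crypto map {cmap} on a link with no IP address")
        if cmap and name.startswith("Loopback") and not re.search(
                rf"^\s*crypto map {re.escape(cmap)} local-address ", config, re.M):
            out.append(f"{name}: crypto map {cmap} without a local-address statement")
        if "ip verify unicast reverse-path" in cmds:
            out.append(f"{name}: ip verify unicast reverse-path enabled")
        vt = re.fullmatch(r"Virtual-Template(\d+)", name)
        if vt and not re.search(rf"^\s*multilink virtual-template {vt.group(1)}\s*$", config, re.M):
            out.append(f"{name}: no global multilink virtual-template {vt.group(1)}")
    return out
print("\n".join(audit(SAMPLE)))
```

Each reported line is a place to look, not a verdict: the replies in this thread disagree on where the crypto map belongs, and the script only shows what the config currently says.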
