VPN terminated on Loopback IP

Unanswered Question
Oct 6th, 2008

Hi all,


I'm willing to configure a VPN client on my 2691 router [running IOS ver. 12.4(15)T7]. The network setup is quite simple, as follows:

ADSL router --> VPN router


I've configured a loopback 0 to terminate the VPN sessions, but to no avail. Out of curiosity I tried terminating the VPN on Fa0/0 and, amazingly, it works fine.


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group hasan-gr
 key hasan-key
 dns 10.0.0.2
 wins 10.0.0.2
 pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap isakmp authorization list hasan-gr
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto map dynmap
!
interface FastEthernet0/0
 ip address 10.0.0.60 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex

ip nat source static 192.168.1.1 10.0.0.131

ip local pool dynpool 192.168.74.200 192.168.74.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.2


Any helpful comments will be highly appreciated.


Regards,



cisco24x7 Mon, 10/06/2008 - 05:48

Your loopback 0 needs to be visible for this to work.

Richard Burts Mon, 10/06/2008 - 07:38

For the VPN tunnel to work when terminated on the loopback it would also be necessary to configure the crypto map local-address command. By default the crypto will use the address of the outbound interface. So when terminating the VPN on the physical interface local-address is not needed. To use the loopback you need the configuration command to change the address used from the physical outbound interface to the loopback.


HTH


Rick
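
A check built on the local-address point above, as an added example that is not part of the original thread: it reads an IOS configuration, records where each crypto map is applied and whether a `crypto map <name> local-address` line exists, and flags a map applied to a loopback without one. The function names and both sample configurations are constructed; the revised sample assumes the map is applied on the outbound interface FastEthernet0/0.

```python
# Constructed sample: the crypto map lines of the configuration posted above.
POSTED = """\
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 crypto map dynmap
!
interface FastEthernet0/0
 ip address 10.0.0.60 255.255.255.0
!
"""

# Constructed sample (assumption): map on the outbound interface, loopback as local address.
REVISED = """\
crypto map dynmap local-address Loopback0
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.0.60 255.255.255.0
 crypto map dynmap
!
"""

def crypto_map_bindings(config):
    """Return ({map: [interfaces applied to]}, {map: local-address interface})."""
    applied, local_addr, current_if = {}, {}, None
    # Blank lines are dropped, so a double-spaced paste parses the same way.
    for words in filter(None, map(str.split, config.splitlines())):
        if words[0] == "!":
            current_if = None                 # "!" ends the current stanza
        elif words[0] == "interface" and len(words) > 1:
            current_if = words[1]
        elif words[:2] == ["crypto", "map"] and len(words) == 3 and current_if:
            applied.setdefault(words[2], []).append(current_if)
        elif words[:2] == ["crypto", "map"] and words[3:4] == ["local-address"]:
            local_addr[words[2]] = words[4] if len(words) > 4 else None
    return applied, local_addr

def findings(config):
    applied, local_addr = crypto_map_bindings(config)
    return [f"crypto map {name} on {iface}: no 'crypto map {name} local-address' line"
            for name, ifaces in applied.items() for iface in ifaces
            if iface.lower().startswith("lo") and not local_addr.get(name)]

if __name__ == "__main__":
    print({"posted": findings(POSTED), "revised": findings(REVISED)})
```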
