Site-to-Site using loopbacks

Feb 10th, 2009

I'm re-posting this, because it seems to have died out on answers. I've also attached my configs:

Please, I've been working on this for a few weeks now, and have had to learn everything pretty much on my own, because no one can seem to give me an answer and help me. No one has even replied to 3 different posts about this subject, so I'm trying it in here.

Here's the situation. I have 2 1760 routers with DSPs, FXO, & FXS cards. They both have the on-board Fa 0/0 interface. I'm tying two key systems together via VoIP trunks with these routers. I've completed the VoIP programming and it is working as expected. I'm now trying to implement a site-to-site VPN tunnel for these two routers and the VoIP traffic to go through.

I'm not sure if it can be done with just the onboard Fa 0/0 interface, and no real LAN behind it. These routers will be on an existing network, however, they will be obtaining (static) a 2nd WAN IP to connect to the outside world only for VoIP traffic between the two.

Please... I'm not a Cisco genius and I need some help. I've got probably 20 docs on configuring VPN, but I need some help and questions answered. I'll send my config if anyone needs to look at it.




Regarding your VPN question, you do not necessarily need internal LANs. You could build the IPSEC for loopbacks and tie your H.323 addresses to them.

A lot really depends where you're headed. If certification, do not try to be inventive, stick to the program, pass the test and move on.

If real networking, that's another story, in fact you may not need a VPN at all to do voice over the Internet.



That's more along the lines of what I was thinking I was going to have to do... get a loopback int to act like internal, but I didn't know if I even needed that.

At that point with the loopbacks, their addresses I assign (which can be anything?), would become what I use for making the VPN access lists correct? I mean, I use the public IPs for the "peer" addresses, and on the access lists, I would want to use the loopback int addresses?

I wouldn't have to worry about anything for NAT with this configuration right, since I only have the voice traffic? If I do need NAT, the fa 0/0 would be nat outside and the loopback would be ip nat inside?

How exactly are you saying to tie the h.323 addresses to the loopbacks?

Now we're getting somewhere.

Thank you so much,


Richard Burts Thu, 02/12/2009 - 11:58


I have looked at the configs and have a couple of comments:

- I do not see any route statements or any routing protocol. How will this router know how to get to AAA.BBB.CCC.DDD?

- if the dial peer session target is AAA.BBB.CCC.DDD does that imply that the VOIP packets source address will be ABC.DEF.GHI.JKL?

- there is a problem with the access list you posted to identify traffic for the VPN which is

access-list 100 permit ip host

those addresses and masks make no sense to me. I would think that the source would be your LAN interface and the destination would be the dial peer address of the other router.
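
The loopback approach discussed in this thread, sketched as an added example for one of the two routers (not a config posted by any participant): the crypto ACL matches only loopback-to-loopback traffic, the public addresses are used as peers, H.323 is bound to the loopback, and a static route covers the remote loopback. All addresses, names, the dial pattern and the next hop are constructed placeholders, and the cipher and DH group shown assume the IOS image supports them.

```cisco
! Router A. Constructed addresses: public 192.0.2.1, loopback 10.255.0.1.
! Router B mirrors this with public 203.0.113.1 and loopback 10.255.0.2.
!
interface Loopback0
 description Source address for H.323 voice traffic
 ip address 10.255.0.1 255.255.255.255
 ! Bind H.323 signalling and media to the loopback so voice packets
 ! are sourced from the address the crypto ACL matches
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.255.0.1
!
! IKE phase 1 (algorithm availability depends on the IOS image)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
! Placeholder key; the peer is the remote router's public address
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
!
crypto ipsec transform-set VOICE-TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: local loopback to remote loopback, nothing else.
! Router B uses the same line with the two hosts reversed.
access-list 100 permit ip host 10.255.0.1 host 10.255.0.2
!
crypto map VOICE-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set VOICE-TS
 match address 100
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VOICE-MAP
!
! Send traffic for the remote loopback out the crypto-mapped interface
! (192.0.2.254 is a hypothetical upstream gateway)
ip route 10.255.0.2 255.255.255.255 192.0.2.254
!
dial-peer voice 100 voip
 destination-pattern 2...
 ! Target the remote loopback, not the remote public address,
 ! so the call traffic matches access-list 100 and is encrypted
 session target ipv4:10.255.0.2
```

Once a call is attempted, `show crypto ipsec sa` on either router should show the encaps/decaps counters increasing for the loopback-to-loopback pair; if they stay at zero, the voice traffic is not matching the crypto ACL.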



