03-24-2009 04:23 AM - edited 02-21-2020 04:11 PM
Hello,
I'm trying to establish an IPSec tunnel from a Cisco 7200 router (IOS 12.4(5a)). The tunnel needs to end on my side in a local VRF, and the peer address is the Loopback0 address (not the address of the outgoing interface, which has the crypto map configured on it). Here is the config:
ip vrf VPN
 rd 10:10
crypto keyring KEY1
 pre-shared-key address 192.168.100.1 key 747a592ca7
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile PROFILE
 vrf VPN
 keyring KEY1
 match identity address 192.168.100.1 255.255.255.255
 local-address Loopback0
crypto ipsec transform-set Medium1 esp-3des esp-sha-hmac
crypto map vpn 100 ipsec-isakmp
 set peer 192.168.100.1
 set transform-set Medium1
 set pfs group2
 set isakmp-profile PROFILE1
 match address 111
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.252
 crypto map vpn
interface GigabitEthernet0/2
 ip vrf forwarding VPN
 ip address 10.10.10.1 255.255.255.0
ip route vrf VPN 0.0.0.0 0.0.0.0 1.1.1.2 global
access-list 111 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
Although I have local-address Loopback0 (2.2.2.2) in profile PROFILE1, the outgoing interface address 1.1.1.1 (the one that has the crypto map applied) is still used:
protected vrf: VPN
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
current_peer 192.168.100.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 55, #recv errors 0
local crypto endpt.: 1.1.1.1 remote crypto endpt.: 192.168.100.1
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
I even tried to put interface Loopback0 in vrf VPN with:
interface Loopback0
 ip vrf receive VPN
 ip address 2.2.2.2 255.255.255.25
 ip policy route-map IDLE
But it didn't help. Does anyone know what could be the problem?
Thanks,
A
03-24-2009 04:31 AM
In the above config it should be
crypto map vpn 100 ipsec-isakmp
set isakmp-profile PROFILE
and not
crypto map vpn 100 ipsec-isakmp
set isakmp-profile PROFILE1
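The PROFILE / PROFILE1 mismatch corrected in the reply above is the kind of dangling reference that can be caught mechanically before a config is applied. The following is an added example, not part of the original thread and not a Cisco tool: the function name `dangling_references`, the rule table and the embedded sample are assumptions made for illustration, and the checker expects sub-commands to be indented as in `show running-config` output.

```python
import re

# Constructed sample: crypto lines from the first post (sub-commands indented
# as in "show running-config"), pre-shared key replaced by a placeholder.
SAMPLE = """\
crypto keyring KEY1
 pre-shared-key address 192.168.100.1 key <placeholder>
crypto isakmp profile PROFILE
 keyring KEY1
 match identity address 192.168.100.1 255.255.255.255
 local-address Loopback0
crypto ipsec transform-set Medium1 esp-3des esp-sha-hmac
crypto map vpn 100 ipsec-isakmp
 set peer 192.168.100.1
 set transform-set Medium1
 set isakmp-profile PROFILE1
 match address 111
access-list 111 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
"""

# kind -> (regex for the defining line, regex for the referencing sub-command)
RULES = {
    "keyring": (r"crypto keyring (\S+)", r"\s+keyring (\S+)"),
    "isakmp-profile": (r"crypto isakmp profile (\S+)", r"\s+set isakmp-profile (\S+)"),
    "transform-set": (r"crypto ipsec transform-set (\S+)", r"\s+set transform-set (\S+)"),
    "access-list": (r"(?:ip )?access-list (?:extended |standard )?(\S+)",
                    r"\s+match address (\S+)"),
}

def dangling_references(config):
    """Return (line_no, kind, name) for every name used but never defined."""
    lines = config.splitlines()
    defined = {kind: set() for kind in RULES}
    for line in lines:
        for kind, (def_pat, _) in RULES.items():
            m = re.match(def_pat, line)
            if m:
                defined[kind].add(m.group(1))
    problems = []
    for no, line in enumerate(lines, 1):
        for kind, (_, use_pat) in RULES.items():
            m = re.match(use_pat, line)
            if m and m.group(1) not in defined[kind]:
                problems.append((no, kind, m.group(1)))
    return problems

if __name__ == "__main__":
    for no, kind, name in dangling_references(SAMPLE):
        print(f"line {no}: {kind} '{name}' is referenced but never defined")
```

Only the first name on a `set transform-set` line is checked, and the check covers name references only, not whether the referenced objects are configured correctly.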