configuration for client vpn access on a loopback interface

Jul 7th, 2009

Hi all,

We tried to configure a router as a server for a client VPN.

We applied the crypto map on a loopback interface.

We put "crypto map VpnConn local-address Loopback0".

We can connect using a Cisco VPN client, but we cannot ping the LAN, not even the IP address of the LAN interface of the router configured as server.

How could we solve this?

harinirina Wed, 07/08/2009 - 05:38


Thanks for the doc.

It seems NAT-T is enabled by default in Cisco IOS.

We use a Cisco router as VPN server and we don't know what to add.

Our config is below, so you can tell us what's wrong and what's missing.

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network Grp local
aaa authentication login Usr local

username uuuu privilege 15 password pppp

interface l0
 crypto map IntVpn

interface FastEthernet0/0
 ip address W.W.W.1
 ip nat outside

interface FastEthernet0/1
 description vers LAN
 ip address R.R.R.1
 ip nat inside

ip local pool poolVpn P.P.P.1 P.P.P.254

ip nat inside source list 100 interface FastEthernet0/0 overload

access-list 100 deny ip R.R.R.0 P.P.P.0
access-list 100 deny icmp R.R.R.0 P.P.P.0
access-list 100 permit ip R.R.R.0 any

crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2

crypto isakmp client configuration group ClGrp
 key kkkk
 pool poolVpn
 acl 199

crypto isakmp profile ClPrf
 match identity group ClGrp
 client authentication list Usr
 isakmp authorization list Grp
 client configuration address respond

crypto ipsec transform-set TrSet esp-aes esp-sha-hmac

crypto dynamic-map dynVpn 5
 set transform-set TrSet
 set isakmp-profile ClPrf

crypto map IntVpn 3 ipsec-isakmp dynamic dynVpn

access-list 199 permit ip R.R.R.0 P.P.P.0

