GRE/IPSec Tunnel using Loopback Interface as Source

Answered Question
Feb 21st, 2010

Hi All:

I need to switch a currently working router-to-router VPN tunnel from using a WAN interface IP address to a loopback interface IP as the source. I am able to ping the loopback from the other router. As soon as I change the tunnel source to use the loopback IP, change the crypto map ACL, and move the crypto map from the WAN interface to the loopback interface, the tunnel will not come up. If I remove all the crypto config, the tunnel comes up fine as just a GRE tunnel. On the other router, I see the below message, which looks like it isn't encrypting the traffic.

*Mar  1 00:10:33.515: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /, src_addr=, prot= 47

What am I missing?  Is there anything else that needs to be done to use the loopback for a GRE/IPSec tunnel?

I've set up the below config in the lab to see if I can even get it working in a non-production environment.



R2 Loopback:

hostname R2

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc123 address

crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport

crypto map VPN 1 ipsec-isakmp
 description Remote
 set peer
 set transform-set T1
 match address VPN1

interface Loopback0
 ip address
 crypto map VPN

interface Tunnel1
 ip address
 ip mtu 1440
 keepalive 10 3
 tunnel source
 tunnel destination
 crypto map VPN

interface FastEthernet0
 ip address

ip access-list extended VPN1
 permit GRE host host

Correct Answer
francisco_1 Sun, 02/21/2010 - 09:58

Have you tried adding "crypto map VPN 1 local-address Loopback0"?

francisco_1 Sun, 02/21/2010 - 09:59


crypto dynamic-map dyna1 10
 set transform-set 3des-sha

crypto map vpn1 local-address Loopback0
crypto map vpn1 100 ipsec-isakmp dynamic dyna1

interface (Interface you're terminating crypto)
 ip address
 crypto map vpn1

Patrick Murphy Sun, 02/21/2010 - 13:14

Actually, this fixed it. It was a combination of adding "crypto map VPN local-address Loopback0" and keeping the "crypto map VPN" on the WAN interfaces (not on the loopback).

Thanks for everybody's help!
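
Added example (not part of the thread, and not Cisco's own tooling): a small Python check that reads an IOS-style configuration and flags the two conditions resolved above, a crypto map applied to a loopback and a loopback-sourced tunnel whose crypto map has no matching local-address. The names audit, BROKEN and FIXED, the sample addresses, and the reliance on indented sub-commands are assumptions of this sketch; it accepts local-address both with and without a sequence number, since both spellings appear in the thread.

```python
import re

def audit(config):
    """Flag the two problems the thread resolved for a loopback-sourced tunnel."""
    ifaces, local_addr, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # global command: opens or closes an interface stanza
            m = re.match(r"interface (\S+)", line)
            cur = ifaces.setdefault(m.group(1), {"ip": None, "maps": set(), "src": None}) if m else None
            if m := re.match(r"crypto map (\S+)(?: \d+)? local-address (\S+)", line):
                local_addr[m.group(1)] = m.group(2)
        elif cur is not None:  # indented sub-command of the current interface
            if m := re.match(r"ip address (\S+)", line):
                cur["ip"] = m.group(1)
            elif m := re.match(r"crypto map (\S+)", line):
                cur["maps"].add(m.group(1))
            elif m := re.match(r"tunnel source (\S+)", line):
                cur["src"] = m.group(1)
    loopbacks = {n: d for n, d in ifaces.items() if n.lower().startswith("loopback")}
    findings = [f"crypto map {c} is applied to {n}; apply it to the WAN interface instead"
                for n, d in loopbacks.items() for c in sorted(d["maps"])]
    by_ip = {d["ip"]: n for n, d in loopbacks.items() if d["ip"]}
    applied = sorted({c for d in ifaces.values() for c in d["maps"]})
    for name, d in ifaces.items():
        lo = d["src"] if d["src"] in loopbacks else by_ip.get(d["src"])  # name or loopback IP
        findings += [f"{name} is sourced from {lo} but crypto map {c} lacks 'local-address {lo}'"
                     for c in applied if lo and local_addr.get(c) != lo]
    return findings

# Constructed lab configs; addresses are RFC 5737 documentation placeholders.
BROKEN = """\
interface Loopback0
 ip address 198.51.100.2 255.255.255.255
 crypto map VPN
interface Tunnel1
 tunnel source 198.51.100.2
"""
FIXED = """\
crypto map VPN local-address Loopback0
interface Loopback0
 ip address 198.51.100.2 255.255.255.255
interface Tunnel1
 tunnel source Loopback0
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
"""
```

audit(BROKEN) returns two findings (the map on Loopback0 and the missing local-address); audit(FIXED) returns an empty list.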


Patrick Murphy Sun, 02/21/2010 - 11:35

I tried your suggestion of adding "crypto map VPN local-address Loopback0". However, it doesn't look like that fixed it.

For the dynamic-map, I'm not sure I understand what that is trying to do.

Thanks for the help.

Leo Laohoo Sun, 02/21/2010 - 12:04

I'm seeing some inconsistency here.

R2 Loopback:
crypto isakmp key abc123 address
tunnel destination
permit GRE host host

Should this be "crypto isakmp key abc123 address"?

