GRE/IPSec Tunnel using Loopback Interface as Source

Answered Question
Feb 21st, 2010

Hi All:

I need to switch a currently working router-to-router VPN tunnel from using a WAN interface IP address to a loopback interface IP as the source.  I am able to ping the loopback from the other router.  As soon as I change the tunnel source to use the loopback IP, change the crypto map ACL, and move the crypto map from the WAN interface to the loopback interface, the tunnel will not come up.  If I remove all the crypto config, the tunnel comes up fine as just a GRE tunnel.  On the other router, I see the below message, which looks like it isn't encrypting the traffic.

*Mar  1 00:10:33.515: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.0.1, src_addr= 192.168.1.2, prot= 47

What am I missing?  Is there anything else that needs to be done to use the loopback for a GRE/IPSec tunnel?

I've set up the below config in the lab to see if I can even get it working in a non-production environment.

R1 WAN IP: 192.168.0.1
R2 WAN IP: 192.168.0.2
R2 Loopback: 192.168.1.2

hostname R2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc123 address 192.168.0.1
!
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
!
crypto map VPN 1 ipsec-isakmp
 description Remote
 set peer 192.168.0.1
 set transform-set T1
 match address VPN1
!
interface Loopback0
 ip address 192.168.1.2 255.255.255.255
 crypto map VPN
!
interface Tunnel1
 ip address 172.30.240.2 255.255.255.252
 ip mtu 1440
 keepalive 10 3
 tunnel source 192.168.1.2
 tunnel destination 192.168.0.1
 crypto map VPN
!
interface FastEthernet0
 ip address 192.168.0.2 255.255.255.0
!
ip access-list extended VPN1
 permit gre host 192.168.1.2 host 192.168.0.1

Correct Answer
francisco_1 Sun, 02/21/2010 - 09:58

have you tried adding "crypto map VPN 1 local-address Loopback0"

francisco_1 Sun, 02/21/2010 - 09:59

Example

crypto dynamic-map dyna1 10
 set transform-set 3des-sha
 reverse-route
!
crypto map vpn1 local-address Loopback0
crypto map vpn1 100 ipsec-isakmp dynamic dyna1
!
interface (interface you're terminating crypto on)
 description INTERNET_FACING_INTERFACE
 ip address
 crypto map vpn1

Patrick Murphy Sun, 02/21/2010 - 13:14

Actually, this fixed it.   It was a combination of adding "crypto map VPN local-address Loopback0" and keeping the "crypto map VPN" on the WAN interfaces (not on the loopback).

Thanks for everybody's help!

Patrick

Patrick Murphy Sun, 02/21/2010 - 11:35

I tried your suggestion of adding "crypto map VPN local-address Loopback0".  However, it doesn't look like that fixed it.  

For the dynamic-map, I'm not sure I understand what that is trying to do.

Thanks for the help.

Leo Laohoo Sun, 02/21/2010 - 12:04

I'm seeing some inconsistency here.

R2 Loopback: 192.168.1.2
crypto isakmp key abc123 address 192.168.0.1
tunnel destination 192.168.0.1
and
permit GRE host 192.168.1.2 host 192.168.0.1

Should this be "crypto isakmp key abc123 address 192.168.1.2"?
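Putting the accepted fix (local-address on the crypto map, map applied to the WAN interface, not the loopback) together with Leo's point about which address the peer has to reference, here is a complete lab pair for the addressing given in the original post. This is an added example, not a configuration posted in the thread. R2 keeps everything from the original post except that the crypto map moves from Loopback0 to FastEthernet0 and gains `local-address Loopback0`, and `tunnel source` names the interface instead of its address. R1 was never posted in the thread; it is written here as the mirror image, with its ISAKMP key, `set peer`, `tunnel destination` and ACL all pointing at R2's loopback 192.168.1.2 rather than at R2's WAN address. R1's Tunnel1 address 172.30.240.1 and the static host route to the loopback are assumptions about the lab topology; nothing else is new.

Why this is the fix: `local-address Loopback0` makes IKE and ESP originate from 192.168.1.2, and because the transform set uses `mode transport` the IPsec endpoints must be the GRE endpoints, so the crypto local address and the `tunnel source` have to be the same loopback. The crypto map still has to sit on the interface the packets actually leave through. A loopback never forwards anything, so with the map on Loopback0 the GRE packets left FastEthernet0 in the clear, which is what R1's `%CRYPTO-4-RECVD_PKT_NOT_IPSEC ... prot= 47` message was reporting: plain GRE from 192.168.1.2 arriving on an interface whose crypto ACL says that traffic must be IPsec.

```cisco
! ---------------- R2 (tunnel and crypto sourced from Loopback0) ----------------
hostname R2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc123 address 192.168.0.1
!
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
!
! IKE and ESP now originate from 192.168.1.2 instead of the egress interface address
crypto map VPN local-address Loopback0
crypto map VPN 1 ipsec-isakmp
 description Remote
 set peer 192.168.0.1
 set transform-set T1
 match address VPN1
!
! No crypto map on the loopback: it never forwards packets, so a map here protects nothing
interface Loopback0
 ip address 192.168.1.2 255.255.255.255
!
interface Tunnel1
 ip address 172.30.240.2 255.255.255.252
 ip mtu 1440
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.0.1
!
! The map goes on the interface the GRE packets actually leave through
interface FastEthernet0
 ip address 192.168.0.2 255.255.255.0
 crypto map VPN
!
ip access-list extended VPN1
 permit gre host 192.168.1.2 host 192.168.0.1
!
! ---------------- R1 (WAN-sourced; peer is R2's loopback) ----------------
hostname R1
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
! R2 now identifies itself as 192.168.1.2, so the key is bound to the loopback, not to 192.168.0.2
crypto isakmp key abc123 address 192.168.1.2
!
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
!
crypto map VPN 1 ipsec-isakmp
 description Remote
 set peer 192.168.1.2
 set transform-set T1
 match address VPN1
!
! 172.30.240.1 is assumed: the other end of R2's /30
interface Tunnel1
 ip address 172.30.240.1 255.255.255.252
 ip mtu 1440
 keepalive 10 3
 tunnel source 192.168.0.1
 tunnel destination 192.168.1.2
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 crypto map VPN
!
! Mirror of R2's ACL: GRE from R1's WAN address to R2's loopback
ip access-list extended VPN1
 permit gre host 192.168.0.1 host 192.168.1.2
!
! Assumed lab route: R1 must reach R2's loopback through R2's WAN address
ip route 192.168.1.2 255.255.255.255 192.168.0.2
```

To confirm the change took effect on R2, `show crypto map` should list FastEthernet0 under "Interfaces using crypto map VPN" and show Loopback0 as the local address; `show crypto isakmp sa` should show the SA between 192.168.1.2 and 192.168.0.1 in QM_IDLE; and the `#pkts encaps` / `#pkts decaps` counters in `show crypto ipsec sa` should increase with the tunnel keepalives while the RECVD_PKT_NOT_IPSEC messages stop on R1. Two caveats: if the routers run an image older than 12.2(13)T, the crypto map must also be applied to the tunnel interface, not only to the physical one; and the 3DES, MD5 and DH group 2 settings are kept only so the example matches the posted config, since all three are legacy choices. On any image that supports them you would use `encr aes 256`, `hash sha256` and `group 14` in the ISAKMP policy and `esp-aes 256 esp-sha256-hmac` in the transform set.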
