GRE/IPSec Tunnel using Loopback Interface as Source

Patrick Murphy, Level 1

Hi All:

I need to switch a currently working router-to-router VPN tunnel from using a WAN interface IP address to a loopback interface IP as the source.  I am able to ping the loopback from the other router.  As soon as I change the tunnel source to use the loopback IP, change the crypto map ACL, and move the crypto map from the WAN interface to the loopback interface, the tunnel will not come up.  If I remove all the crypto config, the tunnel comes up fine as just a GRE tunnel.  On the other router, I see the below message, which looks like it isn't encrypting the traffic.

*Mar  1 00:10:33.515: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.0.1, src_addr= 192.168.1.2, prot= 47

What am I missing?  Is there anything else that needs to be done to use the loopback for a GRE/IPSec tunnel?

I've set up the below config in the lab to see if I can even get it working in a non-production environment.

R1 WAN IP: 192.168.0.1

R2 WAN IP: 192.168.0.2

R2 Loopback: 192.168.1.2

hostname R2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc123 address 192.168.0.1
!
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
!
crypto map VPN 1 ipsec-isakmp
 description Remote
 set peer 192.168.0.1
 set transform-set T1
 match address VPN1
!
interface Loopback0
 ip address 192.168.1.2 255.255.255.255
 crypto map VPN
!
interface Tunnel1
 ip address 172.30.240.2 255.255.255.252
 ip mtu 1440
 keepalive 10 3
 tunnel source 192.168.1.2
 tunnel destination 192.168.0.1
 crypto map VPN
!
interface FastEthernet0
 ip address 192.168.0.2 255.255.255.0
!
ip access-list extended VPN1
 permit gre host 192.168.1.2 host 192.168.0.1

Accepted solution

francisco_1, Level 7

have you tried adding "crypto map VPN 1 local-address Loopback0"

Example

crypto dynamic-map dyna1 10
 set transform-set 3des-sha
 reverse-route
!
crypto map vpn1 local-address Loopback0
crypto map vpn1 100 ipsec-isakmp dynamic dyna1
!
interface (interface where you're terminating crypto)
 description INTERNET_FACING_INTERFACE
 ip address
 crypto map vpn1

Actually, this fixed it.   It was a combination of adding "crypto map VPN local-address Loopback0" and keeping the "crypto map VPN" on the WAN interfaces (not on the loopback).

Thanks for everybody's help!

Patrick

Patrick Murphy, Level 1

I tried your suggestion of adding "crypto map VPN local-address Loopback0".  However, it doesn't look like that fixed it.

For the dynamic-map, I'm not sure I understand what that is trying to do.

Thanks for the help.

Leo Laohoo, Hall of Fame

I'm seeing some inconsistency here.

R2 Loopback: 192.168.1.2
crypto isakmp key abc123 address 192.168.0.1
tunnel destination 192.168.0.1
and
permit GRE host 192.168.1.2 host 192.168.0.1

Should this be "crypto isakmp key abc123 address 192.168.1.2"?
