02-21-2010 09:12 AM - edited 02-21-2020 04:30 PM
Hi All:
I need to switch a currently working router to router VPN tunnel from using a WAN interface IP address to a loopback interface IP as the source. I am able to ping the loopback from the other router. As soon as I change the tunnel source to use the loopback IP, change the crypto map ACL, and move the crypto map from the WAN interface to the loopback interface, the tunnel will not come up. If I remove all the crypto config, the tunnel comes up fine as just a GRE tunnel. On the other router, I see the below message which looks like it isn't encrypting the traffic.
*Mar 1 00:10:33.515: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.0.1, src_addr= 192.168.1.2, prot= 47
What am I missing? Is there anything else that needs to be done to use the loopback for a GRE/IPSec tunnel?
I've set up the below config in the lab to see if I can even get it working in a non-production environment.
R1 WAN IP: 192.168.0.1
R2 WAN IP: 192.168.0.2
R2 Loopback: 192.168.1.2
hostname R2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key abc123 address 192.168.0.1
!
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
mode transport
!
crypto map VPN 1 ipsec-isakmp
description Remote
set peer 192.168.0.1
set transform-set T1
match address VPN1
!
interface Loopback0
ip address 192.168.1.2 255.255.255.255
crypto map VPN
!
interface Tunnel1
ip address 172.30.240.2 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source 192.168.1.2
tunnel destination 192.168.0.1
crypto map VPN
!
interface FastEthernet0
ip address 192.168.0.2 255.255.255.0
!
ip access-list extended VPN1
permit GRE host 192.168.1.2 host 192.168.0.1
02-21-2010 09:58 AM
have you tried adding "crypto map VPN 1 local-address Loopback0"
02-21-2010 09:59 AM
Example
crypto dynamic-map dyna1 10
set transform-set 3des-sha
reverse-route
!
crypto map vpn1 local-address Loopback0
crypto map vpn1 100 ipsec-isakmp dynamic dyna1
!
interface (Interface you're terminating crypto on)
description INTERNET_FACING_INTERFACE
ip address
crypto map vpn1
02-21-2010 01:14 PM
Actually, this fixed it. It was a combination of adding "crypto map VPN local-address Loopback0" and keeping the "crypto map VPN" on the WAN interfaces (not on the loopback).
Thanks for everybody's help!
Patrick
02-21-2010 11:35 AM
I tried your suggestion of adding "crypto map VPN local-address Loopback0". However, it doesn't look like that fixed it.
For the dynamic-map, I'm not sure I understand what that is trying to do.
Thanks for the help.
02-21-2010 12:04 PM
I'm seeing some inconsistency here.
R2 Loopback: 192.168.1.2
crypto isakmp key abc123 address 192.168.0.1
tunnel destination 192.168.0.1
and
permit GRE host 192.168.1.2 host 192.168.0.1
Should this be "crypto isakmp key abc123 address 192.168.1.2"?