IPSec (crypto map) on loopback ??

May 7th, 2010

Hi,


Can we have multiple crypto maps on Cisco routers using loopback addresses? We need this implementation because we have redundant paths and want to split subnets by using a separate crypto map for each subnet, and IPSec to be always up even if one of the links fails.


Thanks.

Akhilesh

Federico Coto F... Fri, 05/07/2010 - 12:33

Hi,


I've never done it, but I think that you should be able to do it as long as the loopback has a routable IP and is accessible from the VPN peers.

The restriction is that you cannot have multiple crypto maps applied to a single interface.


Federico.

akpandey79 Fri, 05/07/2010 - 13:05

Hi Federico,


I tried to simulate the same on a Cisco 3845 router by creating a loopback interface and applying one crypto map to one of the physical interfaces (connected to outside); IPSec works fine.


When I tried to apply the crypto map on the loopback interface, the tunnel is getting established (checked with the show crypto isakmp sa command) but no traffic is moving via the tunnel (show crypto ipsec sa), and I tried to route traffic via the loopback interface by configuring a default route also.


So can you suggest if some other commands are required?


Thanks.

Akhilesh.

francisco_1 Wed, 05/12/2010 - 09:35

My understanding is that the loopback is used by the crypto map for the router to identify itself to IPsec peers and used for the SA (used as the local address for IPsec (and IKE) traffic originating from or destined to the interface), not for routing traffic!! The interface the crypto map is applied to should take care of that!



Francisco

AZaburdyayev Wed, 05/12/2010 - 00:27

Sorry for interrupting, but Akhilesh, can you show a working config? I am trying to do the same thing, create Access VPN on a loopback interface. If I apply the crypto map on the loopback, the VPN is established but data does not flow; if I apply the crypto map on the outside interface, the VPN is not established.

Federico Coto F... Wed, 05/12/2010 - 08:38

Yes,

As suggested, please post the configuration, because if you terminate the VPN on a loopback, in order for traffic to flow through the tunnel, the traffic should flow between the outside and inside interfaces (but going through the loopback as well).


Federico.

Federico Coto F... Wed, 05/12/2010 - 11:28

Francisco,


Agree 100%

What I'm saying is that if the loopback interface is configured incorrectly, the traffic might not be passing through.

The loopback does not route any traffic (we are clear), but the loopback has its own configuration that might affect the traffic.


Anyway, the intention is to check the configuration for any possible problem.


Federico.

francisco_1 Thu, 05/13/2010 - 04:40

Hey Federico,


Yes, you are right: if the loopback interface is configured incorrectly, then the traffic might not be passing through properly...


Francisco.

Hi,


I'm having the same issue, but in my case, if I move the crypto map to the fa interface, which is set to DHCP because this is a lab, the tunnel establishes and I can ping across to the fa0/1 and lo0 interfaces.


Attached is the config with the crypto map on the lo interface; the tunnel establishes but no traffic goes over.


Please help.

Not sure why it zipped the file.


hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 15
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 100
crypto isakmp profile ISAKMP_PROFILE_EZVPN
   vrf global
   match identity group vpnclient
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
   client configuration group vpnclient
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
 set transform-set myset
 set isakmp-profile ISAKMP_PROFILE_EZVPN
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile ISAKMP_PROFILE_EZVPN
 reverse-route
!
!
crypto map clientmap local-address Loopback0
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.4.22 255.255.255.255
 crypto map clientmap
!
interface Loopback1
 ip address 192.168.10.252 255.255.255.0
!
interface FastEthernet0/0
 ip address dhcp
 duplex full
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool ippool 192.168.1.1 192.168.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
logging esm config
access-list 100 permit ip any 192.168.10.0 0.0.0.255
access-list 100 permit ip any 10.10.10.0 0.0.0.255
!
!
!
!
route-map test permit 10
 set ip next-hop 10.10.10.1 10.10.10.2
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
end


The router is doing the auth also, and I am using the Cisco VPN client to connect to the router.

mitra dray Mon, 03/18/2013 - 02:30

Which was?

Can you please post the working config?

You are lucky I still have this... lol...


Here you go, oh and the VRF part also works.




Router#sh run
Building configuration...

Current configuration : 2978 bytes
!
! Last configuration change at 09:38:43 UTC Tue May 10 2011 by cisco
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 15
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip vrf VRF_EZVPN
 rd 36968:2
 route-target export 36968:2
 route-target import 36968:2
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
crypto isakmp profile ISAKMP_PROFILE_EZVPN
   vrf global
   match identity group vpnclient
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
   client configuration group vpnclient
   virtual-template 1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_PROFILE_EZVPN
 set transform-set myset
 set isakmp-profile ISAKMP_PROFILE_EZVPN
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile ISAKMP_PROFILE_EZVPN
 reverse-route
!
!
crypto map clientmap local-address Loopback0
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.4.22 255.255.255.255
 crypto map clientmap
!
interface Loopback1
 ip address 192.168.10.252 255.255.255.0
!
interface Loopback3
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address dhcp
 duplex full
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
!
ip local pool ippool 192.168.1.1 192.168.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
logging esm config
access-list 100 permit ip any 192.168.10.0 0.0.0.255
access-list 100 permit ip any 10.10.10.0 0.0.0.255
!
!
!
!
route-map test permit 10
 set ip next-hop 10.10.10.1 10.10.10.2
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
end

Javier Portuguez Mon, 03/18/2013 - 06:34

Hi Mitra,


I can see that you already have an answer for what you asked, but just to add my two cents here:


A crypto map is not supported on a Loopback. If you would like to use it as your VPN endpoint, then check this option:


crypto map local-address


HTH.


Portu.
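As an added check (not code from this thread or from Cisco), the small Python audit below walks an IOS-style running config and flags the placement problems discussed above: a crypto map applied under a loopback, a map applied to no non-loopback interface at all, or a crypto map local-address pointing at an interface that is not configured. Both sample configs are constructed for this example; they borrow the interface names and addresses posted above.

```python
import re
# Constructed sample (not from the thread): map applied to Loopback0, the layout reported as "tunnel up, no traffic".
BROKEN_CFG = """\
crypto map clientmap local-address Loopback0
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
 ip address 192.168.4.22 255.255.255.255
 crypto map clientmap
interface FastEthernet0/0
"""
# Constructed sample: the loopback only lends its address, the map sits on the egress interface.
WORKING_CFG = """\
crypto map VPN_GENERIC-S2S local-address Loopback1
crypto map VPN_GENERIC-S2S 20 ipsec-isakmp
interface Loopback1
 ip address 95.95.95.1 255.255.255.255
interface GigabitEthernet0/0/0
 ip address 208.208.208.201 255.255.255.252
 crypto map VPN_GENERIC-S2S
"""
def parse(cfg):
    # maps: names seen; local_addr: map -> local-address; applied: map -> interfaces; ifaces: defined
    maps, local_addr, applied, ifaces, iface = set(), {}, {}, set(), None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # a top-level line ends any interface block
            iface = None
            if m := re.match(r"interface (\S+)", line):
                iface = m.group(1)
                ifaces.add(iface)
            elif m := re.match(r"crypto map (\S+)(?: local-address (\S+))?", line):
                maps.add(m.group(1))
                if m.group(2):
                    local_addr[m.group(1)] = m.group(2)
        elif iface and (m := re.match(r"\s+crypto map (\S+)\s*$", line)):
            applied.setdefault(m.group(1), []).append(iface)
    return maps, local_addr, applied, ifaces

def audit(cfg):
    # Returns findings as strings; an empty list means the crypto map placement is sound.
    maps, local_addr, applied, ifaces = parse(cfg)
    findings = []
    for name in sorted(maps):
        for i in (x for x in applied.get(name, []) if x.startswith("Loopback")):
            findings.append(f"{name}: applied to {i}; a crypto map on a loopback is not supported, move it to the egress interface")
        if not any(not x.startswith("Loopback") for x in applied.get(name, [])):
            findings.append(f"{name}: not applied to any non-loopback interface, so no traffic is encrypted")
        if (la := local_addr.get(name)) and la not in ifaces:
            findings.append(f"{name}: local-address {la} is not a configured interface")
    return findings
```

Run `audit()` over the output of `show running-config` before a change window; the working layout returns no findings, the loopback-applied layout returns two.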

Petar Bajovic Thu, 06/26/2014 - 03:46

I just have an issue with this kind of problem. Just to be sure: you are saying that a Loopback interface cannot support a crypto map on it? There must be a "crypto map" command on a physical interface? Am I right? Is this correct?

Thank you.

Petar

mitra dray Thu, 06/26/2014 - 04:15

I think specifically I had some restrictions when I tried to perform that with an ASR and ended up having the crypto on the egress interfaces.

What I did was use two routers where the tunnels were in a VRF RIB.

I needed to add a VRF static route for the destination networks through the global IP next hop.

That's what suited my needs.

Petar Bajovic Thu, 06/26/2014 - 05:06

I did not get this. Could you explain it to me further? Or send some conf file, or copy your configuration here... That is the easiest way that I can think of...

Thank you.

Petar

mitra dray Thu, 06/26/2014 - 06:27

Hope this would assist.

interface Loopback1
 description ### LOOPBACK IPSEC ###
 ip address 95.95.95.1 255.255.255.255

crypto keyring KEYS-HOSTING-SJ
  local-address 95.95.95.1
  pre-shared-key address 63.63.63.1 key Re*kup#ha4Ha

crypto isakmp profile ISAKMP-HOSTING-SJ
   vrf VPN
   keyring KEYS-HOSTING-SJ
   match identity address 63.63.63.1 255.255.255.255

crypto ipsec transform-set TRANS_SET-HOSTING-SJ esp-aes esp-sha-hmac
 mode tunnel

crypto isakmp policy 9
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto map VPN_GENERIC-S2S 20 ipsec-isakmp
 description ### VPN S2S HOSTING-SJ ASA ###
 set peer 63.63.63.1
 set transform-set TRANS_SET-HOSTING-SJ
 set pfs group2
 set isakmp-profile ISAKMP-HOSTING-SJ
 match address IPSEC-VPN-ACL_HOSTING-SJ

ip access-list extended IPSEC-VPN-ACL_HOSTING-SJ
 permit ip 10.23.0.0 0.0.255.255 10.10.2.0 0.0.0.255

ip route vrf VPN 10.10.2.0 255.255.255.0 208.208.208.202 track 102 name SLA102-VPN_TU_US-SJWC-PROXY-SUBNET-NH-GLOBAL-ISP-1

ip sla 102
 icmp-echo 63.63.63.1 source-ip 95.95.95.1
 tag VPN-TRACK-ROUTE102-TO-HOSTING-SJ
 threshold 3000
 frequency 5
ip sla schedule 102 life forever start-time now
ip sla reaction-configuration 102 react timeout threshold-type xOfy 2 5 action-type trapOnly

interface GigabitEthernet0/0/0
 description ##### ISP : CROSS CONNECT 1 TO ISP-1 ###
 ip address 208.208.208.201 255.255.255.252
 ip flow ingress
 load-interval 30
 negotiation auto
 crypto map VPN_GENERIC-S2S

Once the tracking fails, the other router has the route in its routing table and it takes its place.


Petar Bajovic Thu, 06/26/2014 - 07:04

It does not work for me, but I managed to find out why (based on your reply)... The crypto map has to be on a physical interface... I tried to put the crypto map under the loopback interface, but that does not work... I suspected that could be the problem, and your case convinced me...

Sincerely,

Petar
