Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Site to Site VPN (Sub Interface issue)

Hi Guys,

I need some little help. Im trying to establish a Site2Site VPN going to MCI Verizon. Problem is my WAN Interface that im going to peer is a subinterface of the FE0/1. And the Primary is giving as SRC on the IPSEC info. It should be the Subinterface of the FE0/1.


interface FastEthernet0/1

ip address secondary

ip address

Router#sh crypto isakmp sa

dst src state conn-id slot status

115.x.x.238 MM_NO_STATE 0 0 ACTIVE

My question is, how can i change the IP of the Cisco is giving to send the subinterface IP and the the Primary IP as SRC address?

Or should i swap the designation of the IPs in the interface instead such as Im going to put as Primary and the other as Secondary?

Thanks, let me know if im expressing it correctly.

Community Member

Re: Site to Site VPN (Sub Interface issue)

Thats not techincally a subinterface configuration.

The below would be

interface FastEthernet0/1.12

encapsulation dot1Q 12

ip address

interface FastEthernet0/1.22

encapsulation dot1Q 22

ip address

Community Member

Re: Site to Site VPN (Sub Interface issue)

hi nelpalad, Im having kind of the same issue. A single serial interface, with a private ip address configured as the primary and with the public IP configured as the secondary. When i do a sh crypto isa sa, it shows that the key exchange is being done using the primary private ip as de SRC, which is incorrect. I want the public IP to be the SRC. This is keeping the tunnel from coming up. I'm trying to bring up an IPSEC tunnel between a VPN 3000 and an IOS router (Cisco 1750).Please let me know if you get a reply or find out a possible workaround. My email is


Hall of Fame Super Gold

Re: Site to Site VPN (Sub Interface issue)

Nelson and Ricardo

I am not aware of any way to get the Cisco to use a secondary address as the source for IPSec negotiation. Is there a particular reason why you are configuring what would logically be the outside interface with secondary addressing, and making the public address secondary with a private address as primary?

If there is a reason for doing that I wonder if it would be a workable alternative to configure a loopback interface with an IP address in the subnet of the public address and to specify the loopback as the IPSec source address?



CreatePlease to create content