I need some little help. Im trying to establish a Site2Site VPN going to MCI Verizon. Problem is my WAN Interface that im going to peer is a subinterface of the FE0/1. And the Primary is giving as SRC on the IPSEC info. It should be the Subinterface of the FE0/1.
ip address 184.108.40.206 255.255.255.252 secondary
ip address 10.116.254.254 255.255.255.252
Router#sh crypto isakmp sa
dst src state conn-id slot status
115.x.x.238 10.116.254.254 MM_NO_STATE 0 0 ACTIVE
My question is, how can i change the IP of the Cisco is giving to send the subinterface IP and the the Primary IP as SRC address?
Or should i swap the designation of the IPs in the interface instead such as Im going to put 220.127.116.11 as Primary and the other as Secondary?
Thanks, let me know if im expressing it correctly.
hi nelpalad, Im having kind of the same issue. A single serial interface, with a private ip address configured as the primary and with the public IP configured as the secondary. When i do a sh crypto isa sa, it shows that the key exchange is being done using the primary private ip as de SRC, which is incorrect. I want the public IP to be the SRC. This is keeping the tunnel from coming up. I'm trying to bring up an IPSEC tunnel between a VPN 3000 and an IOS router (Cisco 1750).Please let me know if you get a reply or find out a possible workaround. My email is email@example.com
I am not aware of any way to get the Cisco to use a secondary address as the source for IPSec negotiation. Is there a particular reason why you are configuring what would logically be the outside interface with secondary addressing, and making the public address secondary with a private address as primary?
If there is a reason for doing that I wonder if it would be a workable alternative to configure a loopback interface with an IP address in the subnet of the public address and to specify the loopback as the IPSec source address?
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...