Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1532
Views
0
Helpful
3
Replies

Site to Site VPN (Sub Interface issue)

nelpalad
Level 1
Level 1

‎07-10-2007 10:21 AM - edited ‎02-21-2020 01:36 AM

Hi Guys,

I need some little help. Im trying to establish a Site2Site VPN going to MCI Verizon. Problem is my WAN Interface that im going to peer is a subinterface of the FE0/1. And the Primary is giving as SRC on the IPSEC info. It should be the Subinterface of the FE0/1.

ex.

interface FastEthernet0/1

ip address 192.42.75.246 255.255.255.252 secondary

ip address 10.116.254.254 255.255.255.252

Router#sh crypto isakmp sa

dst src state conn-id slot status

115.x.x.238 10.116.254.254 MM_NO_STATE 0 0 ACTIVE

My question is, how can i change the IP of the Cisco is giving to send the subinterface IP and the the Primary IP as SRC address?

Or should i swap the designation of the IPs in the interface instead such as Im going to put 192.42.75.246 as Primary and the other as Secondary?

Thanks, let me know if im expressing it correctly.

0 Helpful
3 Replies 3

timkaye
Level 1
Level 1

‎07-10-2007 09:35 PM

Thats not techincally a subinterface configuration.

The below would be

interface FastEthernet0/1.12

encapsulation dot1Q 12

ip address 192.42.75.246 255.255.255.252

interface FastEthernet0/1.22

encapsulation dot1Q 22

ip address 10.116.254.254 255.255.255.252

0 Helpful

ricardo_perez
Level 1
Level 1

‎07-13-2007 10:34 AM

hi nelpalad, Im having kind of the same issue. A single serial interface, with a private ip address configured as the primary and with the public IP configured as the secondary. When i do a sh crypto isa sa, it shows that the key exchange is being done using the primary private ip as de SRC, which is incorrect. I want the public IP to be the SRC. This is keeping the tunnel from coming up. I'm trying to bring up an IPSEC tunnel between a VPN 3000 and an IOS router (Cisco 1750).Please let me know if you get a reply or find out a possible workaround. My email is rapa_23@yahoo.es

Thanks

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to ricardo_perez

‎07-14-2007 03:59 PM

Nelson and Ricardo

I am not aware of any way to get the Cisco to use a secondary address as the source for IPSec negotiation. Is there a particular reason why you are configuring what would logically be the outside interface with secondary addressing, and making the public address secondary with a private address as primary?

If there is a reason for doing that I wonder if it would be a workable alternative to configure a loopback interface with an IP address in the subnet of the public address and to specify the loopback as the IPSec source address?

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card