07-10-2007 10:21 AM - edited 02-21-2020 01:36 AM
Hi Guys,
I need a little help. I'm trying to establish a Site2Site VPN going to MCI Verizon. The problem is that my WAN interface that I'm going to peer is a subinterface of the FE0/1, and the Primary is given as SRC in the IPsec info. It should be the subinterface of the FE0/1.
ex.
interface FastEthernet0/1
 ip address 192.42.75.246 255.255.255.252 secondary
 ip address 10.116.254.254 255.255.255.252

Router#sh crypto isakmp sa
dst             src             state          conn-id slot status
115.x.x.238     10.116.254.254  MM_NO_STATE          0    0 ACTIVE
My question is, how can I change the IP the Cisco is giving, to send the subinterface IP and not the Primary IP as the SRC address?
Or should I swap the designation of the IPs on the interface instead, so that I put 192.42.75.246 as Primary and the other as Secondary?
Thanks, let me know if I'm expressing it correctly.
07-10-2007 09:35 PM
That's not technically a subinterface configuration.
The below would be
interface FastEthernet0/1.12
 encapsulation dot1Q 12
 ip address 192.42.75.246 255.255.255.252
interface FastEthernet0/1.22
 encapsulation dot1Q 22
 ip address 10.116.254.254 255.255.255.252
07-13-2007 10:34 AM
Hi nelpalad, I'm having kind of the same issue. A single serial interface, with a private IP address configured as the primary and with the public IP configured as the secondary. When I do a sh crypto isa sa, it shows that the key exchange is being done using the primary private IP as the SRC, which is incorrect. I want the public IP to be the SRC. This is keeping the tunnel from coming up. I'm trying to bring up an IPsec tunnel between a VPN 3000 and an IOS router (Cisco 1750). Please let me know if you get a reply or find out a possible workaround. My email is rapa_23@yahoo.es
Thanks
07-14-2007 03:59 PM
Nelson and Ricardo
I am not aware of any way to get the Cisco to use a secondary address as the source for IPSec negotiation. Is there a particular reason why you are configuring what would logically be the outside interface with secondary addressing, and making the public address secondary with a private address as primary?
If there is a reason for doing that I wonder if it would be a workable alternative to configure a loopback interface with an IP address in the subnet of the public address and to specify the loopback as the IPSec source address?
HTH
Rick