Cisco Support Community
New Member

Can VPN terminate on loopback?

If anyone can give me a clue on how to do this I would be grateful!

Simplified Scenario: Multiple remote sites with WAN connectivity to main site need VPN encryption over WAN links. Remote sites have 7200VXR with VAM-SAM2+, main site has 1 6500 with a SPA-IPSEC-2G. IGP is EIGRP so each site also must use a GRE tunnel.

Complication: Some of the WAN circuits terminate in a different building than the encryption-capable 6500 (Thanks Verizon!). The routed (not switched) connections between the buildings (there are 3 with 2 core routers apiece) are nearly a full mesh and I would prefer not to configure encryption on every one of the routed interfaces.

Desired goal: On the encryption-capable 6500, configure 1 loopback per GRE tunnel. The GRE sources are the serial interface on the WAN router and the site-specific loopback and the tunnel needs to be secured with IPSEC and accelerated with the VPN accelerator card. Avoid lots of encryption commands on the routed links between buildings.

I know how to do it if the WAN routers terminate locally on the encryption-capable 6500, but when they are remote and routed the answer appears to be non-trivial, at least to me.


Cisco Employee

Re: Can VPN terminate on loopback?

I'm not sure I fully understand your question, but a tunnel can end on any routed interface. If you set a tunnel with tunnel source {local_loopback} and tunnel destination {remote_loopback}, then that'll work.

As far as I understand, you need several tunnels, some with encryption, some without.

What I would advise is using GRE tunnels for unencrypted tunnels and IPSEC tunnels with VTI (routed) interfaces, so that you can have multiple tunnels, some with encryption, some without.

Here is a config sample:

int Lo0
 ip add ! address not given in the original post
!
int tun0
 descr unencrypted GRE Tunnel
 tunnel mode gre ip
 tunnel source lo0
 tunnel dest ! remote router 1
!
! ipsec vti
crypto ipsec transform-set ts1 esp-aes
crypto ipsec profile pf1
 set transform-set ts1
!
int tun1
 descr encrypted ipsec tunnel
 tunnel source lo0 ! can be any interface
 tunnel dest ! remote router 2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile pf1 ! must name the profile (pf1), not the transform set (ts1)

More information here:
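A tunnel interface is only encrypted if its `tunnel protection ipsec profile` line names a `crypto ipsec profile` that actually exists, and naming the transform set instead is an easy slip. The following offline check is an added example, not part of the original thread or any Cisco tool: `audit_tunnels` is a hypothetical helper, and the sample config is constructed, with a deliberately mismatched profile name and documentation-range addresses.

```python
import re

# Constructed sample modelled on the thread's snippet; 192.0.2.x addresses are placeholders.
SAMPLE = """\
crypto ipsec transform-set ts1 esp-aes
crypto ipsec profile pf1
 set transform-set ts1
int tun0
 tunnel mode gre ip
 tunnel source lo0
 tunnel dest 192.0.2.1
int tun1
 tunnel source lo0
 tunnel dest 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ts1
"""

def audit_tunnels(config):
    """Return sorted (name, finding) pairs for IPsec profiles and tunnel interfaces."""
    tsets, profiles, tunnels = set(), {}, {}
    section = None  # dict collecting sub-commands of the block being read
    for raw in config.splitlines():
        line = raw.split("!", 1)[0].strip()  # drop IOS comments
        if not line:
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            tsets.add(m.group(1))
            section = None
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            section = profiles.setdefault(m.group(1), {})
        elif m := re.match(r"int\S*\s+(\S+)", line, re.I):
            is_tunnel = m.group(1).lower().startswith("tu")
            section = tunnels.setdefault(m.group(1), {}) if is_tunnel else None
        elif section is not None:
            if m := re.match(r"set transform-set (\S+)", line):
                section["tset"] = m.group(1)
            elif m := re.match(r"tunnel protection ipsec profile (\S+)", line):
                section["profile"] = m.group(1)
    findings = []
    for name, p in profiles.items():
        if p.get("tset") not in tsets:
            findings.append((name, "profile has no defined transform-set"))
    for name, t in tunnels.items():
        if "profile" not in t:
            findings.append((name, "no IPsec protection on this tunnel"))
        elif t["profile"] not in profiles:
            findings.append((name, f"references undefined ipsec profile {t['profile']}"))
    return sorted(findings)
```

Run it against a saved copy of the running configuration; in a design where every WAN tunnel must be encrypted, any finding on a tunnel interface is worth a review.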
