Cisco Support Community
New Member

GRE/IPSec Tunnel using Loopback Interface as Source

Hi All:

I need to switch a currently working router-to-router VPN tunnel from using a WAN interface IP address to a loopback interface IP as the source. I am able to ping the loopback from the other router. As soon as I change the tunnel source to use the loopback IP, change the crypto map ACL, and move the crypto map from the WAN interface to the loopback interface, the tunnel will not come up. If I remove all the crypto config, the tunnel comes up fine as just a GRE tunnel. On the other router, I see the below message, which looks like it isn't encrypting the traffic.

*Mar  1 00:10:33.515: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.0.1, src_addr= 192.168.1.2, prot= 47

What am I missing?  Is there anything else that needs to be done to use the loopback for a GRE/IPSec tunnel?

I've set up the below config in the lab to see if I can even get it working in a non-production environment.

R1 WAN IP: 192.168.0.1

R2 WAN IP: 192.168.0.2

R2 Loopback: 192.168.1.2

hostname R2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc123 address 192.168.0.1
!
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
!
crypto map VPN 1 ipsec-isakmp
 description Remote
 set peer 192.168.0.1
 set transform-set T1
 match address VPN1
!
interface Loopback0
 ip address 192.168.1.2 255.255.255.255
 crypto map VPN
!
interface Tunnel1
 ip address 172.30.240.2 255.255.255.252
 ip mtu 1440
 keepalive 10 3
 tunnel source 192.168.1.2
 tunnel destination 192.168.0.1
 crypto map VPN
!
interface FastEthernet0
 ip address 192.168.0.2 255.255.255.0
!
ip access-list extended VPN1
 permit GRE host 192.168.1.2 host 192.168.0.1

1 ACCEPTED SOLUTION

Accepted Solutions

Re: GRE/IPSec Tunnel using Loopback Interface as Source

have you tried adding "crypto map VPN 1 local-address Loopback0"

5 REPLIES

Re: GRE/IPSec Tunnel using Loopback Interface as Source

Example

crypto dynamic-map dyna1 10
 set transform-set 3des-sha
 reverse-route
!
crypto map vpn1 local-address Loopback0
crypto map vpn1 100 ipsec-isakmp dynamic dyna1
!
interface (Interface you're terminating crypto)
 description INTERNET_FACING_INTERFACE
 ip address
 crypto map vpn1

New Member

Re: GRE/IPSec Tunnel using Loopback Interface as Source

Actually, this fixed it. It was a combination of adding "crypto map VPN local-address Loopback0" and keeping the "crypto map VPN" on the WAN interfaces (not on the loopback).

Thanks for everybody's help!

Patrick

New Member

Re: GRE/IPSec Tunnel using Loopback Interface as Source

I tried your suggestion of adding "crypto map VPN local-address Loopback0". However, it doesn't look like that fixed it.

For the dynamic-map, I'm not sure I understand what that is trying to do.

Thanks for the help.

Hall of Fame Super Gold

Re: GRE/IPSec Tunnel using Loopback Interface as Source

I'm seeing some inconsistency here.

R2 Loopback: 192.168.1.2
crypto isakmp key abc123 address 192.168.0.1
tunnel destination 192.168.0.1
and
permit GRE host 192.168.1.2 host 192.168.0.1

Should this be "crypto isakmp key abc123 address 192.168.1.2"?
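
Added example, not posted by anyone in this thread: R2's lab configuration with the fix reported above applied ("crypto map VPN local-address Loopback0", crypto map on the WAN interface and not on Loopback0). The R1 lines are an assumption, since R1's configuration was never posted; they show the peer, key and ACL addresses R1 needs once R2 sources IKE and IPsec from 192.168.1.2. Lab values (key, 3des/md5, group 2) are carried over unchanged from the original post.

```ios
! ---- R2 (from the original post, with the fix applied) ----
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc123 address 192.168.0.1
!
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
!
! FIX: use the loopback address as the local IKE/IPsec endpoint
crypto map VPN local-address Loopback0
crypto map VPN 1 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set T1
 match address VPN1
!
! FIX: no crypto map on the loopback itself
interface Loopback0
 ip address 192.168.1.2 255.255.255.255
!
! Tunnel1 is unchanged from the original post
interface Tunnel1
 ip address 172.30.240.2 255.255.255.252
 ip mtu 1440
 keepalive 10 3
 tunnel source 192.168.1.2
 tunnel destination 192.168.0.1
 crypto map VPN
!
! FIX: crypto map stays on the WAN interface the packets actually leave from
interface FastEthernet0
 ip address 192.168.0.2 255.255.255.0
 crypto map VPN
!
ip access-list extended VPN1
 permit gre host 192.168.1.2 host 192.168.0.1
!
! ---- R1 (ASSUMED, not in the thread): only the lines that reference R2 ----
! R1 must treat the loopback, not R2's WAN address, as its peer
crypto isakmp key abc123 address 192.168.1.2
crypto map VPN 1 ipsec-isakmp
 set peer 192.168.1.2
interface Tunnel1
 tunnel destination 192.168.1.2
ip access-list extended VPN1
 permit gre host 192.168.0.1 host 192.168.1.2
```

After applying it, "show crypto isakmp sa" and "show crypto ipsec sa" on either router should list 192.168.1.2 as R2's endpoint, and the %CRYPTO-4-RECVD_PKT_NOT_IPSEC message for protocol 47 should stop on R1.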
