New Member

IPSEC tunnel using loopbacks and PBR


I recently set up an IPSEC VPN between two routers. I used loopback interfaces as the two peers, but I had to configure PBR in order for the tunnel to work. Do I always have to configure PBR when using loopbacks in IPSEC? If so, why won't it work with normal routing to the loopback interface?




IPSEC tunnel using loopbacks and PBR

I can't think of anything preventing you from using regular routing. Just make the subnet on the remote site reachable through the loopback interface and vice-versa.

New Member

IPSEC tunnel using loopbacks and PBR

I'll make sure to try again, because I read in several places online that if you route traffic into the loopback (in order for it to hit the crypto-map) with a regular static route, the traffic fails, and so it did. But when I did it with PBR and "set interface loopback0" it worked.

Hall of Fame Super Silver

IPSEC tunnel using loopbacks and PBR


When I read your original post I understood that you were using the loopback interface address as the peer address. That is a fairly common practice. When I read your follow-up post it sounds like you have configured the crypto map on the loopback interface. That is not a common practice, and I can understand why, if you just routed traffic with the loopback as the next hop, the IPsec did not work. The usual practice is to configure the crypto map on the physical interface through which the traffic will go.



Cisco Employee

IPSEC tunnel using loopbacks and PBR

Crypto maps are not supported on loopback interfaces.

You can think of it like this: "Crypto map designates an interface on which encrypted traffic will be received on this device".

What you're most likely looking for is to set the local-address on the crypto map.
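
Added example, not part of the original thread: a sketch of the arrangement the last two replies describe, with the crypto map applied to the physical egress interface and `crypto map ... local-address` sourcing the tunnel from the loopback. All addresses, interface names, map/ACL names and the key placeholder are constructed, and the algorithm keywords assume an IOS release that supports them.

```cisco
! Constructed example: documentation addresses, placeholder names and key.
! Local router: Loopback0 = 192.0.2.1, remote peer loopback = 192.0.2.2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE_SHARED_KEY> address 192.0.2.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: local LAN to remote LAN (constructed subnets)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Use the loopback address as the local IKE/IPsec endpoint identity
crypto map VPN-MAP local-address Loopback0
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! The crypto map goes on the physical interface the traffic leaves through,
! not on the loopback
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN-MAP
!
! Ordinary routing: the remote loopback and the remote LAN both resolve
! out the physical interface, so matching packets reach the crypto map
ip route 192.0.2.2 255.255.255.255 198.51.100.2
ip route 10.2.0.0 255.255.0.0 198.51.100.2
!
! Verify with: show crypto isakmp sa / show crypto ipsec sa
```

The remote router needs the mirror-image configuration and a route back to 192.0.2.1, since the loopback address must be reachable for the peers to negotiate.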