Using a Loopback Interface as the Source of a GRE/IPSec Tunnel
Hi all:
I need to get a working router-to-router VPN tunnel that uses a loopback interface IP, rather than the WAN interface IP, as its source. I am able to ping the loopback from the other router. As soon as I change the tunnel source to the loopback IP address, change the crypto ACL to match, and move the crypto map from the WAN interface to the loopback interface, the tunnel will not come up. If I remove all the crypto config, the tunnel comes up fine as a plain GRE tunnel. On the other router I see the message below, saying that the traffic is not being encrypted.
*Mar  1 00:10:33.515: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.0.1, src_addr= 192.168.1.2, prot= 47
What am I missing? Is there something else that needs to be done to use a loopback as the source of a GRE/IPSec tunnel?
I have set up the config below in the lab to see if I can get it to work even in a non-production environment.
R1 WAN IP: 192.168.0.1
R2 WAN IP: 192.168.0.2
R2 loopback: 192.168.1.2
hostname R2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc123 address 192.168.0.1
!
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
!
crypto map VPN 1 ipsec-isakmp
 description remote control
 set peer 192.168.0.1
 set transform-set T1
 match address VPN1
!
interface Loopback0
 ip address 192.168.1.2 255.255.255.255
 crypto map VPN
!
interface Tunnel1
 ip address 172.30.240.2 255.255.255.252
 ip mtu 1440
 keepalive 10 3
 tunnel source 192.168.1.2
 tunnel destination 192.168.0.1
 crypto map VPN
!
interface FastEthernet0
 ip address 192.168.0.2 255.255.255.0
!
ip access-list extended VPN1
 permit gre host 192.168.1.2 host 192.168.0.1
I have also tried adding "crypto map VPN local-address Loopback0".
Tags: Cisco Security
Similar Questions
-
Problem establishing a GRE/IPsec tunnel between 2 Cisco routers
Hello everyone
I am trying to establish a GRE/IPsec tunnel between two Cisco routers (a 2620XM and an 836).
I created tunnel interfaces on both routers as follows.
2620XM
interface Tunnel0
 ip address 10.1.5.2 255.255.255.252
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
end
836
interface Tunnel0
 ip address 10.1.5.1 255.255.255.252
 tunnel source y.y.y.y
 tunnel destination x.x.x.x
end
and the isakmp/ipsec configuration is as follows:
2620XM
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {key} address y.y.y.y no-xauth
!
!
crypto ipsec transform-set to_melissia esp-<cipher> esp-md5-hmac
!
crypto map myvpn 9 ipsec-isakmp
 set peer y.y.y.y
 set transform-set to_melissia
 match address 101
2620XM-router#sh ip access-list 101
Extended IP access list 101
    10 permit gre host x.x.x.x host y.y.y.y
836
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {key} address x.x.x.x no-xauth
!
!
crypto ipsec transform-set to_metamorfosi esp-<cipher> esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set to_metamorfosi
 match address 101
836-router#sh access-list 101
Extended IP access list 101
    10 permit gre host x.x.x.x host y.y.y.y
Unfortunately I get no ISAKMP security associations at all, and when I turn on debugging I get this output.
IPSEC(crypto_map_check_encrypt_core): CRYPTO: dropped packet, crypto map is currently being created.
Any ideas why I get this result? Any help would be greatly appreciated.
Thank you!!!
I think it is possible. It seems to me that you are assuming that the address of the interface where the crypto map is applied is the peering address. While this is the default behaviour, it is possible to configure it differently.
As you have discovered, the crypto map must be on the physical outgoing interface. If you want the peering address to be different from the address of the physical outgoing interface, then you can add this command to your crypto map:
crypto map <map-name> local-address <interface-id>
so if you put loopback0 as the interface-id, then it would use loopback0 as the peering address even though the crypto map is applied on serial0/0 or another physical interface.
HTH
Rick
-
Can I use private IP addresses from a remote network as source IPs while building the IPSec tunnel? If not, why? If so, how?
Your explanation is much appreciated.
Hi Deepak,
In such a situation you usually NAT the traffic that goes to the Internet but exempt the traffic that goes through the VPN, because it will be wrapped in packets with the public (tunnel endpoint) IP addresses. You can use the same IP address on your Internet-facing interface both for NAT/PAT and as the source of the IPSec tunnel.
-
Using the loopback address to identify the IPsec peer
I have two IOS routers and want to use the loopback address on the remote router as its peer address, as recommended in documents such as "Configuring IPSec with EIGRP and IPX using GRE Tunneling".
On the local router I identify the remote router by its loopback address, and on the remote router I configure crypto map MYMAP on interfaces S0/0 and BRI1/0 (with nothing configured on the loopback interface other than its IP address).
When I establish an IPsec tunnel from the remote router, it uses the S0/0 interface address as its source address.
I tried configuring crypto map MYMAP on loopback0 instead of BRI1/0 and S0/0, but it did not work.
How can I get the remote router to use the loopback address as its source address?
Thanks in advance for any help offered.
Try using "crypto map MYMAP local-address Loopback0".
-Dembélé
-
GRE over IPSec tunnel cannot pass traffic
I am trying to configure a GRE over IPSec tunnel between sites. We use a Cisco 7613 with SUP720 (IOS: s72033-advipservicesk9_wan-mz.122-18.SXF15a.bin) and a 3845 router (IOS: c3845-advsecurityk9-mz.124-25c.bin), and we are facing problems when we use the tunnel, because traffic is not passing through it. The configuration was working when we were using two Cisco 3845 routers (IOS: c3845-advsecurityk9-mz.124-25c.bin), but for some reason it no longer works when I paste the configuration onto the new 7613 router.
Head office
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
 mode transport
!
crypto map PLC-CUM 10 ipsec-isakmp
 set peer 167.134.216.89
 set transform-set IPSec_PLC
 match address 100
!
!
!
interface Tunnel1
 bandwidth 1984
 ip address 167.134.216.94 255.255.255.252
 ip mtu 1476
 load-interval 30
 tunnel source Serial0/1/0:0
 tunnel destination 167.134.216.89
!
interface Serial0/1/0:0
 ip address 167.134.216.90 255.255.255.252
 crypto map PLC-CUM
!
access-list 100 permit gre host 167.134.216.90 host 167.134.216.8
!
router eigrp 100
 network 167.134.216.92 0.0.0.3
Directorate-General
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
 mode transport
!
crypto map PLC-CUM 10 ipsec-isakmp
 set peer 167.134.216.90
 set transform-set IPSec_PLC
 match address 100
!
interface Tunnel1
 bandwidth 1984
 ip address 167.134.216.93 255.255.255.252
 ip mtu 1476
 load-interval 30
 tunnel source Serial1/0/0:1
 tunnel destination 167.134.216.90
!
interface Serial1/0/0:1
 bandwidth 1984
 ip address 167.134.216.89 255.255.255.252
 ip access-group 101 in
 load-interval 30
 no fair-queue
 crypto map PLC-CUM
!
access-list 100 permit gre host 167.134.216.89 host 167.134.216.90
ER-7600#sh crypto isakmp sa
dst             src             state          conn-id slot
167.134.216.89  167.134.216.90  QM_IDLE              3    0
ER-3845#sh crypto isakmp sa
dst             src             state          conn-id slot status
167.134.216.89  167.134.216.90  QM_IDLE              3    0 ACTIVE
ER-3845#sh crypto engine connections active
  ID Interface       IP-Address      State  Algorithm            Encrypt  Decrypt
   3 Serial0/1/0:0   167.134.216.90  set    HMAC_SHA+AES_CBC           0        0
3001 Serial0/1/0:0   167.134.216.90  set    AES+SHA                    0        0
3002 Serial0/1/0:0   167.134.216.90  set    AES+SHA                   61        0
ER-7600#sh crypto engine connections active
  ID Interface       IP-Address      State  Algorithm            Encrypt  Decrypt
   3 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC           0        0
2000 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC           0       66
2001 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC           0        0
I get this error on ER-3845: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, and this one on ER-7600: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Please help, it's so frustrating...
Thanks in advance
Oscar
Here is a document from Cisco that clearly describes applying the crypto map on both the physical and the tunnel interface.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml
It may be useful.
Manish
-
A multipoint GRE tunnel interface on two physical interfaces?
Hi all
I use a dual-hub, single-cloud DMVPN network.
Our spokes (C831 routers) are connected to an ISP with dynamic DHCP and to an ISP with dynamic PPPoE. I want to set up a temporary kit that works anywhere. Here is the configuration of my tunnel for the PPPoE ISP:
interface Tunnel0
 bandwidth 1000
 ip address 172.23.2.254 255.255.252.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication xxxxxx
 ip nhrp map 172.16.0.1 230.2.2.1
 ip nhrp map multicast 230.2.2.1
 ip nhrp map 172.16.0.2 230.2.2.2
 ip nhrp map multicast 230.2.2.1
 ip nhrp network-id 900001
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1
 ip nhrp nhs 172.16.0.2
 delay 1000
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key xxxxxx
 tunnel protection ipsec profile MyIPSecProf
For my DHCP ISP I only change the tunnel source to Ethernet1.
Is it possible to configure 2 different tunnel interfaces bound to the 2 physical interfaces (i.e. one on Ethernet1 and one on Dialer1)? The challenge is that I cannot change the hub configuration at all, so I can't put the tunnel IP addresses in 2 different subnets. There is only 1 tunnel interface on the hub.
Does anyone have an idea?
Thank you very much
Yes, I see it now. IP unnumbered would provide the interface address, but the tunnel interface you have is point-to-multipoint. I'm afraid there is no good solution for your needs.
Kind regards
Lei Tian
-
Hello...
Is there a way to configure an IPSEC VPN with a source interface, as on a router? This is a site-to-site VPN. I want to use a loopback interface.
When I set up a VPN, the only option is the IP address of the interface where the traffic goes out.
Thank you.
The interface you enable IPsec on is the source interface.
crypto map MyMap interface [interface name]
The ASA does not support loopback interfaces, so it is not possible.
-
Setting keepalive on a GRE over IPSEC tunnel
Hello everyone
I need to know if there are any benefits to enabling keepalive on a GRE over IPSEC implementation that goes over the WAN?
We currently have no keepalive on the GRE tunnel.
If we configure keepalive on both ends of the GRE tunnel, will it cause any overhead or CPU load?
Thank you
Mahesh
If you use a routing protocol over the GRE tunnel you do not need GRE keepalives, but I would probably recommend using GRE keepalives anyway, for the following reasons:
1. The overhead caused by GRE keepalives is quite small; it should not affect the ability to pass traffic.
2. If you ever want to use interface tracking for routes, or static routes, the GRE interface will detect going down as quickly as possible.
I know that your IPSec device is separate, so I'd probably also enable keepalive on the IPSec tunnel as well.
-
How to troubleshoot a GRE/IPSec tunnel?
Hello
My topology is two firewalls connected through the "Internet" (a router), and behind each firewall there is a router.
On the routers I configured a GRE tunnel, which works; then I configured an IPsec tunnel on the firewalls.
I did not change the mode to transport mode in the transform-set configuration.
Everything works: if I connect a PC to the router, it can ping another PC on the other router. However, if I change the mode to transport mode, they cannot.
I was wondering how I can make sure that the GRE/IPSec tunnel really works? How can I troubleshoot it or trace packets?
Thank you.
I was wondering how I can make sure that the GRE/IPSec tunnel really works? How can I troubleshoot it or trace packets?
To verify that the VPN tunnel is working, check the output of
show crypto isakmp sa
show crypto ipsec sa
Here are the debug commands:
debug crypto condition peer ipv4 x.x.x.x, where x.x.x.x = peer IP
debug crypto isakmp 200
debug crypto ipsec 200
You will see ACTIVE in the first output and non-zero encaps and decaps in the output of the latter.
For the GRE tunnel:
check the state of the tunnel via "show ip int brief". In addition, you can configure keepalive via the commands:
Router# configure terminal
Router(config)# interface tunnel0
Router(config-if)# keepalive 5 4
and then run "debug tunnel keepalive" to see the tunnel hello packets going to and coming from the router.
Kind regards
Dinesh Moudgil
PS Please rate helpful posts.
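Rick's keepalive recommendation (interface tracking for static routes) and Dinesh's keepalive/verification steps above come together in the following configuration. It is an added example, not taken from either answer; every address, interface name and the 10.20.0.0/16 destination are assumptions. It shows the one thing a GRE keepalive buys that a routing protocol does not: a static route bound to the tunnel interface disappears when line protocol drops, so a floating static backup takes over without any routing protocol. Two caveats a practitioner wants: the keepalive and the far end's reflected reply are ordinary GRE packets between the tunnel endpoints, so when GRE is encrypted by a crypto map they must match the crypto ACL on both routers or the tunnel flaps; and GRE keepalives are not supported on multipoint GRE (DMVPN) tunnel interfaces.

```cisco
! Local end (addresses assumed); the remote end mirrors this with the
! addresses swapped and the same "keepalive 5 3" line.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ! 5-second probes, 3 misses -> line protocol down after ~15 s; IOS brings
 ! the interface back up on its own as soon as replies return.
 keepalive 5 3
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
!
! Primary path: a static route bound to Tunnel0 is withdrawn from the routing
! table the moment the tunnel's line protocol goes down.
ip route 10.20.0.0 255.255.0.0 Tunnel0
! Floating static backup (AD 250) is installed only while the primary is gone.
ip route 10.20.0.0 255.255.0.0 198.51.100.1 250
!
! If this GRE runs inside an IPsec crypto map (as in the threads above), the
! probe is GRE from 192.0.2.1 to 203.0.113.2 and the reflected reply is GRE
! from 203.0.113.2 to 192.0.2.1; both must be "interesting" traffic, so the
! crypto ACL on each router needs the GRE pair in its own direction:
ip access-list extended VPN1
 permit gre host 192.0.2.1 host 203.0.113.2
!
! Verification (exec mode):
!   show interfaces tunnel0 | include line protocol|Keepalive
!   show ip route 10.20.0.0 255.255.0.0 longer-prefixes   <- Tunnel0 or the backup
!   debug tunnel keepalive                <- one line per probe sent / reply seen
!   show crypto ipsec sa | include pkts   <- keepalives count as encaps/decaps,
!                                            so a one-way counter means the far
!                                            side's crypto ACL is not matching
```

The 5/3 values trade detection time against churn: a shorter interval fails over faster but, over a lossy WAN, can flap the route; pick the interval so that three consecutive losses are unlikely under normal conditions.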
-
Hello
I have a question: I need to terminate an IPSEC and a GRE tunnel on my concentrator, is this possible?
The GRE tunnel will be inside the IPSEC tunnel.
No. I don't think you can terminate a GRE tunnel on a concentrator. What you can do is terminate the GRE tunnel on a router behind the concentrator. The tunnel can go through the concentrator. You can specify the traffic between the source/destination as interesting and things should work fine.
-
Using loopback interfaces for BGP
Hello
I have seen several times that loopback interfaces are used to connect iBGP neighbours instead of the direct physical interface.
Is this done because loopback interfaces are always up (but then I wonder, if the physical interface/link goes down, isn't the result the same)? It also means that an IGP like OSPF or EIGRP must be running to provide reachability between the loopback interfaces, which is necessary to establish iBGP connectivity?
Thank you
Hello
Whether you use a loopback or a physical interface, with iBGP you will always need an IGP, because BGP is not a routing protocol in that sense: it is an L4 transport, so the IGP is what tells it how to reach the peer, which BGP has no idea of by itself; the IGP is necessary.
Loopbacks are chosen for iBGP because there is usually more than one path, so as long as the IGP has a path to the loopback the iBGP session will stay up. This is not necessary with eBGP, as there is usually only 1 path between the 2 points.
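The answer above is easier to see in a configuration. What follows is an added example, not the answerer's config; the AS number, loopback and link addresses are assumptions. Two parallel links carry the OSPF-learned /32 loopbacks, `update-source Loopback0` makes the BGP TCP session run between the loopbacks, and the optional `password` line enables the TCP MD5 option so a spoofed RST or injected update on the session is rejected.

```cisco
! R1 side; R2 is the mirror image with Loopback0 10.0.0.2 (all addresses and
! the AS number are assumed for this example)
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Link A to R2
 ip address 10.1.12.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Link B to R2
 ip address 10.1.21.1 255.255.255.252
!
! The IGP carries the /32 loopbacks over both links; if one link fails,
! OSPF reconverges and the BGP TCP session (loopback to loopback) survives.
router ospf 1
 router-id 10.0.0.1
 passive-interface Loopback0
 network 10.0.0.1 0.0.0.0 area 0
 network 10.1.12.0 0.0.0.3 area 0
 network 10.1.21.0 0.0.0.3 area 0
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 description iBGP to R2 via loopbacks
 neighbor 10.0.0.2 update-source Loopback0   ! TCP sourced from 10.0.0.1
 neighbor 10.0.0.2 password <shared-secret>  ! TCP MD5 option (value assumed)
!
! Verification: "show ip bgp summary" (State Established; the Up/Down timer
! keeps counting after "shutdown" on one link) and "show ip route 10.0.0.2"
! (the OSPF path switches to the surviving link).
```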
-
Creating an IPsec tunnel using digital certificates
Hello
I am trying to bring up an IPSEC tunnel between 2 Cisco 3800 routers, using an additional 3800 router as the CA server.
Before I added the CA server, everything worked smoothly.
Attached is my configuration, together with debug output from the CA server and the router configuration.
It seems that the routers do not receive the certificate from the CA router (R3), because I see the certificate in pending status:
R3#show crypto pki certificates verbose cisco
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=cisco1.cisco.com L\=RTP C\=US
  Subject:
    cn=cisco1.cisco.com L\=RTP C\=US
  Validity Date:
    start date: 10:12:13 UTC Sep 8 2013
    end   date: 10:12:13 UTC Sep 7 2016
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
  Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 56F091F7 7016A63F B8946900 B13E6719 8B0D548E
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 56F091F7 7016A63F B8946900 B13E6719 8B0D548E
    Authority Info Access:
  Associated Trustpoints: cisco
  Storage: nvram:cisco1ciscoc#4CA.cer
R3#
I appreciate your support, and I will send additional evidence if necessary.
TX
Roee
I didn't look at your configuration, but according to your description it seems that you have not approved the pending certificate requests on your CA router. Here are the commands you need:
To view the pending requests:
router# crypto pki server CA info requests
To grant the pending requests:
router# crypto pki server CA grant all
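The grant step in the answer above is the last step of an enrolment flow that the thread does not show end to end. The following is an added example of that flow on an IOS CA server and one IPsec router; it is not the poster's configuration. The server name "CA", the key labels, the subject names, the address 192.0.2.3 and the `hash sha256` line (assumed to be available on the release in use) are assumptions. Note that the CA certificate posted above is a 512-bit RSA key signed with MD5; the example uses 2048-bit keys and SHA-256 instead, since a 512-bit CA key is factorable and MD5 signatures are forgeable.

```cisco
! ===== R3: IOS CA server (server/trustpoint name "CA"; a pre-generated key
! pair must carry the same label as the server name) =====
ip http server                                   ! SCEP enrolment runs over HTTP
crypto key generate rsa general-keys label CA modulus 2048
crypto pki server CA
 issuer-name CN=ca.example.net,O=Example
 hash sha256                                     ! assumed available on this release
 lifetime ca-certificate 1825
 lifetime certificate 365
 no shutdown                                     ! prompts for the CA key passphrase
!
! ===== R1 (R2 is identical apart from hostname and subject-name) =====
hostname R1
crypto key generate rsa general-keys label R1-KEY modulus 2048
crypto pki trustpoint CA
 enrollment url http://192.0.2.3:80              ! R3's address (assumed)
 subject-name CN=r1.example.net,O=Example
 rsakeypair R1-KEY
 revocation-check none                           ! lab only; use "crl" in production
!
! Exec commands on R1. The CSR goes to R3 over SCEP and then sits there; on R1
! "show crypto pki certificates" shows "Status: Pending" until R3 grants it.
!   R1# crypto pki authenticate CA     <- fetch the CA cert; compare the fingerprint
!                                         it prints with "show crypto pki certificates"
!                                         on R3 before answering "yes"
!   R1# crypto pki enroll CA           <- generate and submit the request
!
! Exec commands on R3 (the step the thread above was missing):
!   R3# crypto pki server CA info requests   <- lists pending request IDs
!   R3# crypto pki server CA grant 1         <- approve one ID, or "grant all"
!
! Back on R1 the certificate changes to "Status: Available". IKE then
! authenticates with certificates; rsa-sig is the default but stated here.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
```

Approving requests by ID, after checking the subject name printed by `info requests`, is preferable to `grant all`: with `grant all` any host that can reach the SCEP URL and knows nothing more than the CA name gets a certificate that the IPsec peers will trust.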
-
IPSec tunnel between Cisco 2801 and Netscreen 50 with static NAT
Hello
My problem isn't really the IPSec connection between the two devices (it is already working...). My problem is that I have a mail server on the Cisco site which has a static NAT from inside to outside. Because of the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:
"Configuring a Private-to-Private Network IPSec Tunnel Router with NAT and a Static" (Document ID 14144)
NAT takes place before the encryption check!
In this document the solution is "policy routing" using a loopback interface. But how can I handle this with the Netscreen firewall? Does anyone have an idea?
Thanks for any help
Best regards
Heiko
Hello
Try changing your static NAT to policy-based static NAT.
That is, the static NAT should not apply to VPN traffic:
route-map static permit 1
 match ip address 104
access-list 104 deny ip host 10.1.110.10 10.1.0.0 0.0.255.255
access-list 104 permit ip host 10.1.110.10 any
ip nat inside source static 10.1.110.10 81.222.33.90 route-map static
HTH
Kind regards
GE.
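The answer above gives the route-map, but not the pieces around it that make the order of operations visible. The configuration below is an added example, not the answerer's or the poster's config. It keeps the server 10.1.110.10 and its public address 81.222.33.90 from the thread; the interface names and addresses, the inside LAN 10.1.110.0/24, the remote VPN network 10.2.0.0/16 (a non-overlapping network substituted for the answer's 10.1.0.0/16), the map name VPN and the Netscreen peer address are assumptions. The point: on IOS, inside-to-outside NAT runs before the crypto map is evaluated, so without the exemption the server's packets towards the remote site leave as 81.222.33.90 and no longer match a crypto ACL written in private addresses; the route-map makes the static NAT apply only to non-VPN destinations.

```cisco
! Cisco 2801 side (interface names/addresses, 10.1.110.0/24, 10.2.0.0/16,
! the peer address and the map name are assumptions for this example)
interface FastEthernet0/0
 description Inside LAN
 ip address 10.1.110.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Outside (Internet, IPsec peer side)
 ip address 81.222.33.89 255.255.255.248
 ip nat outside
 crypto map VPN
!
! Crypto ACL in PRIVATE addresses: that is what the packet must still carry
! when the crypto map is evaluated, i.e. after NAT has run.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.110.0 0.0.0.255 10.2.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.5            ! Netscreen outside address (assumed)
 set transform-set TS             ! TS and the ISAKMP policy already work per
 match address VPN-TRAFFIC        ! the post and are not repeated here
!
! Static NAT for the mail server, made conditional: in the route-map ACL,
! "deny" means do not translate (VPN destinations) and "permit" means
! translate (everything else), so inbound/outbound Internet mail still works.
! IOS ACLs use wildcard masks: 10.2.0.0 0.0.255.255 is 10.2.0.0/16.
ip access-list extended NAT-STATIC-SERVER
 deny   ip host 10.1.110.10 10.2.0.0 0.0.255.255
 permit ip host 10.1.110.10 any
route-map STATIC permit 10
 match ip address NAT-STATIC-SERVER
ip nat inside source static 10.1.110.10 81.222.33.90 route-map STATIC
!
! The rest of the LAN needs the same exemption on its overload (PAT) rule,
! otherwise those hosts have the identical problem.
ip access-list extended NAT-PAT
 deny   ip 10.1.110.0 0.0.0.255 10.2.0.0 0.0.255.255
 permit ip 10.1.110.0 0.0.0.255 any
ip nat inside source list NAT-PAT interface FastEthernet0/1 overload
!
! Check: after the server talks to a host in 10.2.0.0/16,
!   show crypto ipsec sa | include local ident|remote ident|pkts
! should show the 10.1.110.0/24 <-> 10.2.0.0/16 identity with encaps counting.
```

On the Netscreen side nothing changes for this problem, since the exemption is a Cisco-side NAT decision; what must hold is that the Netscreen's proxy-ID for this VPN is the same private pair (10.2.0.0/16 local, 10.1.110.0/24 remote) as the crypto ACL, because a proxy-ID that names 81.222.33.90 would fail phase 2 even with the NAT exemption in place.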
-
Hi all
I have just set up an IPSec tunnel; apart from using debug crypto ipsec / isakmp, how can I check that IPSec works? When I configure the crypto map, can I use the IP of the tunnel as the peer address?
Thanks in advance.
Banlan
Hi Banlan,
Thanks for your appreciation. I feel honoured!
Back to your question about GRE inside IPSec: you must use gre as the protocol in the access list; that's right, you should get points for that! (because the IP packet is encapsulated by GRE and then the AH/ESP headers are added). Also remember that the IP address used as the tunnel destination should be globally routable. You cannot use the tunnel's own address as the tunnel destination (except of course when the routers are connected back to back).
See the following configs for GRE inside IPSec.
! ON THE INITIATOR
...
...
access-list 110 permit gre host <local-address> host <remote-address>
...
crypto isakmp policy 12
 authentication pre-share
!
crypto isakmp key xxxxx address <peer-address>
crypto ipsec transform-set TS esp-<cipher> esp-<auth>
!
crypto map CM 11 ipsec-isakmp
 set peer <peer-address>
 set transform-set TS
 match address 110
!
interface tunnel1
 ip unnumbered <interface>
 tunnel source <interface>
 tunnel destination <remote-address>
 crypto map CM
!
interface <physical-interface>
 crypto map CM
!
ip route x.x.x.x <mask> tunnel1
! ON THE RESPONDER
...
...
access-list 111 permit gre host <local-address> host <remote-address>
...
crypto isakmp policy 11
 authentication pre-share
!
crypto isakmp key xxxxx address <peer-address>
crypto ipsec transform-set TS esp-<cipher> esp-<auth>
!
crypto map CM 10 ipsec-isakmp
 set peer <peer-address>
 set transform-set TS
 match address 111
!
interface tunnel2
 ip unnumbered <interface>
 tunnel source <interface>
 tunnel destination <remote-address>
 crypto map CM
!
interface <physical-interface>
 crypto map CM
!
ip route x.x.x.x <mask> tunnel2
I think you have the answer now. Catch me if you want something else.
Cheers :-))
Naveen
-
Tunnel traffic inside an IPSEC tunnel
Hello everyone
Site A has an IPSec tunnel to Site B through an ASA.
Now on Site A I turn on a GRE tunnel, and the tunnel destination is reached inside the IPSEC tunnel.
In other words, the IPSEC tunnel between the 2 sites also carries the GRE tunnel traffic.
What command can I run on the ASA to see whether IPSEC is transporting the GRE tunnel traffic, or
which line in the ASA config will tell me that this IPSEC also carries GRE tunnel traffic?
Thank you
Mahesh
Hello
I think you will probably see GRE in the ASA connection table when the connection is in use.
You can try the command
show conn | include GRE
and see if this produces any output.
Can you possibly provide the "interface Tunnelx" configurations and, if it uses other interfaces as "tunnel source" and "tunnel destination", their configurations as well.
-Jouni