Using Loopback Interface as Source GRE/IPSec tunnel

Similar Questions

• Problem on the establishment of a GRE/IPsec tunnel between 2 cisco routers

  Hello world

  I am trying to establish a GRE IPsec tunnel between two cisco routers (2620XM and a 836).

  I created a tunnel interfaces on both routers as follows.

  2620XM

  interface Tunnel0

  IP 10.1.5.2 255.255.255.252

  tunnel source x.x.x.x

  tunnel destination y.y.y.y

  end

  836

  interface Tunnel0

  IP 10.1.5.1 255.255.255.252

  tunnel source y.y.y.y

  tunnel destination x.x.x.x

  end

  and configuration of isakmp/ipsec as follows,

  2620XM

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address y.y.y.y no.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_melissia

  !

  myvpn 9 ipsec-isakmp crypto map

  defined peer y.y.y.y

  Set transform-set to_melissia

  match address 101

  2620XM-router #sh ip access list 101

  Expand the access IP 101 list

  10 permit host x.x.x.x y.y.y.y host will

  836

  crypto ISAKMP policy 10

  md5 hash

  preshared authentication

  ISAKMP crypto key {keys} address x.x.x.x No.-xauth

  !

  !

  Crypto ipsec transform-set esp - esp-md5-hmac to_metamorfosi

  !

  myvpn 10 ipsec-isakmp crypto map

  defined peer x.x.x.x

  Set transform-set to_metamorfosi

  match address 101

  836-router #sh access list 101

  Expand the access IP 101 list

  10 licences will host host x.x.x.x y.y.y.y

  Unfortunately I had no isakmp security associations at all and when I enter the debugging to this output.

  CRYPTO: IPSEC (crypto_map_check_encrypt_core): CRYPTO: removed package as currently being created cryptomap.

  Any ideas why I get this result? Any help will be a great help

  Thank you!!!

  I think it's possible. It seems to me that you are assuming that the address of the interface where goes the card encryption is peering address. While this is the default action, it is possible to configure it differently.

  As you have discovered the card encryption must be on the physical output interface. If you want the peering address to have a different value of the physical interface address outgoing, then you can add this command to your crypto card:

  card crypto-address

  so if you put loopback0 as the id_interface then he would use loopback0 as peering address even if the card encryption may be affected on serial0/0 or another physical interface.

  HTH

  Rick

• Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel?

  Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel? If not why? If so, how?

  Your explanation is much appreciated.

  Hi Deepak,

  In such a situation, you usually NAT traffic that goes to the internet, but exempt traffic that goes through the VPN, because it will be wrapped in packages with public IP (tunnel) addresses. You can use the same IP address on your interface in the face of internet for the NAT/PAT and source of IPSEC Tunnel.

• Using the loopback address to identify the IPsec peer

  I have two IOS routers and you want to use the loopback address on the remote router as address such peer recommended in documents such as "Configuration with EIGRP and IPX using GRE Tunneling IPSec."

  On the local router, I identify the remote router via its address and loopback on the remote router, I configure crypto MYMAP map interface S0/0 and BRI1/0 (with nothing configured on the other than the IP address loopback interface)

  When I establish an IPsec tunnel from the remote router, it uses the interface S0/0 as its source address.

  I tried to configure card crypto MYMAP on loopback0 instead of BRI1/0 and S0/0, but it did not work.

  How can I get the remote router to use as source address loopback address?

  Thanks in advance for any help offered.

  Try to use the "crypto-loopback address 0.

  -Dembélé

• GRE over IPSec tunnel cannot pass traffic through it

  I am trying to configure a GRE over IPSec tunnel between sites, we use the router cisco 7613 SUP720 (IOS: s72033-advipservicesk9_wan - mz.122 - 18.SXF15a.bin) and 3845 router (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), we are facing problems when we use the tunnel because traffic is not passing through it. the configuration was working when we were using two routers cisco 3845 (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), but for some reason, it doesn't work anymore when I paste the configuration on the new 7613 router.

  Head office

  crypto ISAKMP policy 10
  BA aes
  preshared authentication
  Group 5
  ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
  !
  !
  Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
  transport mode
  !
  map PLC - CUM 10 ipsec-isakmp crypto
  defined by peer 167.134.216.89
  game of transformation-IPSec_PLC
  match address 100
  !
  !
  !
  Tunnel1 interface
  bandwidth 1984
  IP 167.134.216.94 255.255.255.252
  Mtu 1476 IP
  load-interval 30
  source of tunnel Serial0/1/0:0
  tunnel destination 167.134.216.89

  interface Serial0/1/0:0
  IP 167.134.216.90 255.255.255.252
  card crypto PLC - CUM

  access-list 100 permit gre 167.134.216.90 host 167.134.216.8

  Router eigrp 100
  network 167.134.216.92 0.0.0.3

  Directorate-General of the

  crypto ISAKMP policy 10
  BA aes
  preshared authentication
  Group 5
  ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
  !
  !
  Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
  transport mode
  !
  map PLC - CUM 10 ipsec-isakmp crypto
  defined by peer 167.134.216.90
  game of transformation-IPSec_PLC
  match address 100

  Tunnel1 interface
  bandwidth 1984
  IP 167.134.216.93 255.255.255.252
  Mtu 1476 IP
  load-interval 30
  source of tunnel Serial1/0/0:1
  tunnel destination 167.134.216.90

  interface Serial1/0/0:1
  bandwidth 1984
  IP 167.134.216.89 255.255.255.252
  IP access-group 101 in
  load-interval 30
  no fair queue
  card crypto PLC - CUM

  access-list 100 permit gre 167.134.216.89 host 167.134.216.90

  ER-7600 #sh crypto isakmp his
  conn-id State DST CBC slot
  167.134.216.89 167.134.216.90 QM_IDLE 3 0

  ER-3845 #sh crypto isakmp his
  status of DST CBC State conn-id slot
  167.134.216.89 167.134.216.90 QM_IDLE 3 0 ACTIVE

  ER-3845 #sh active cryptographic engine connections

  Algorithm of address State IP Interface ID encrypt decrypt
  3 Serial0/1/0: 167.134.216.90 0 HMAC_SHA + AES_CBC 0 0 value
  3001 Serial0/1/0: 167.134.216.90 0 set AES + SHA 0 0
  3002 Serial0/1/0: 167.134.216.90 0 set AES + SHA 61 0

  ER-7600 #sh active cryptographic engine connections

  Algorithm of address State IP Interface ID encrypt decrypt
  3 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0
  2000 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + 0 66 AES_CBC
  2001 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0

  I had this error on the er-3845: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet and this one on the IPSEC (epa_des_crypt) UH-7600: decrypted packet has no control of his identity

  Please help, it's so frustrating...

  Thanks in advance

  Oscar

  Here is a document from cisco, mentioning clearly for a card encryption on the two physical as tunnel interface well.

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

  It may be useful

  Manish

• An interface of multipoint GRE tunnel on two physical interfaces?

  Hi all

  I use DMVPN double single cloud VPN network of hubs.

  Our shelves (C831 SRI) are connected to the dynamic DHCP ISP and dynamic PPPoE ISP.  I want to install a temporary kit that fits anywhere.  Here is the configuration of my my ISP PPPoE tunnel:

  interface Tunnel0
  bandwidth 1000
  IP 172.23.2.254 255.255.252.0
  no ip redirection
  IP mtu 1436
  property intellectual PNDH authentication xxxxxx
  map of PNDH 172.16.0.1 IP 230.2.2.1

  map of PNDH IP multicast 230.2.2.1
  map of PNDH 172.16.0.2 IP 230.2.2.2
  map of PNDH IP multicast 230.2.2.1
  PNDH id network IP-900001
  property intellectual PNDH holdtime 300
  property intellectual PNDH nhs 172.16.0.1
  property intellectual PNDH nhs 172.16.0.2
  delay of 1000
  source of Dialer1 tunnel
  multipoint gre tunnel mode
  tunnel key xxxxxx
  Tunnel MyIPSecProf ipsec protection profile

  For my ISP DHCP, I only change the Ethernet1 tunnel source.

  Is it possible to configure tunnel interfaces different related 2 on 2 physical interfaces (like: 1 Ethernet1 and 1 in Dialer1).  The challenge is that I can not change the configuration of hubs at all.  So I can't put the ip address of the tunnel in 2 different subnet.  There is only 1 tunnel on the hub interface

  Someone has an idea?

  Thank you very much

  Yes, I see it now. Unnumbered IP will provide the interface to the MTR and tunnel interface you have is point-to-multipoint. I'm afraid that there is no good solution to your needs.

  Kind regards

  Lei Tian

• Interface Source ASA IPSEC

  Hello...

  Is there a way to configure an IPSEC VPN with a source interface as in a router? This is a site to site VPN. I want to use a loopback interface.

  When I set up a VPN, the only option is the IP address of the interface where the traffic is going out.

  Thank you.

  Which interface you enable ipsec on is the source interface.

  MyMap [interface name] crypto map interface

  ASA does not support the telesignalisations it is not possible.

• Setting KeepAlive on GRE over IPSEC tunnel

  Hello world

  Need to know if there are benefits of the KeepAlive on GRE over IPSEC implementation that goes over the Wan. ?

  We currently have no KeepAlive on GRE tunnel.

  If we config KeepAlive on both ends of the ACCORD it will cause any overload or the CPU load?

  Thank you

  MAhesh

  If you use a routing on the GRE tunnel protocol you should use KeepAlive WILL not, but I would probably recommend use KeepAlive WILL anyway for the following reasons:

  1. the overload caused by the GRE KeepAlive is quite small, it should not affect the ability to pass traffic

  2. If you ever want to use tracking interface for roads or the static routes that you can interface WILL detect it descend as quickly as possible

  I know that your IPSec device is separate, so I'd probably also enable KeepAlive on the IPSec tunnel as well.

• How to troubleshoot an IPSec tunnel GRE?

  Hello

  My topology includes two firewalls connected through the Internet "" (router) and behind each firewall, there is a router.

  The routers I configured a GRE tunnel that is successful, then I configured an IPsec tunnel on the firewall.

  I does not change the mode to transport mode in the transform-set configuration.

  Everything works; If I connect a PC to the router, it can ping another PC on the other router. However if I change mode of transport mode that they cannot.

  I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

  Thank you.

  I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?

  To verify that the VPN tunnel works well, check the output of
  ISAKMP crypto to show his
  Crypto ipsec to show his

  Here are the commands of debug
  Debug condition crypto x.x.x.x, where x.x.x.x IP = peer peer
  Debug crypto isakmp 200
  Debug crypto ipsec 200

  You will see ACTIVE int the first output and program non-zero and decaps on the output of the latter.

  For the GRE tunnel.
  check the condition of the tunnel via "int ip see the brief.

  In addition, you can configure keepalive via the command:

  Router # configure terminal
  Router (config) #interface tunnel0
  Router(Config-if) 5 4 #keepalive

  and then run "debug keepalive tunnel" to see packets hello tunnel going and coming from the router.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• GRE in IPSEC tunnel

  Hello

  I have a question where I nee to close a tunnel IPSEC and GRE on my hub, is this possible?

  The GRE tunnel will be in the IPSEC tunnel.

  No. I don't think that you can terminate a GRE tunnel on a concentartor. What you can do is to put an end to a GRE tunnel on a router behind the hub. The tunnel can go through the hub. You can specify the traffic between the source/destination as interetsting and things should work fine.

• Use BGP to Loopback interfaces

  Hello

  have seen it several times this loopback interfaces are used to iBGP routers to connect nearby instead of direct physical interface.

  Is this done bacuase Loopback interfaces are still rising (but then I wonder if the physical/link interface breaks down is not the same result!) it also means that a PGI like OSPF or EIGRP must be running to provide communication between the loopback interfaces which is necessary to establish an iBGP connectivity?

  Thank you

  Hello

  If you use a loop or a physical interface will always require you an IGP with IBGP because is not a routing protocol is a transport L4 so the IGP Protocol it informs how stands as the BGP has no idea who he IGP is necessary

  Interns are selected for IBGP because it there once so the IGP has always a looping path the IBGP session will stay up, don't not necessary in EBGP as usually only 1 way between 2 points

• Create the Ipsec tunnel using digital certificates

  Hello

  I try to open the IPSEC tunnel between 2 3800 of Cisco routers using additional 3800 router as a CA server.

  Before that I added the CA server all go smoothly.

  Attached is my configuration, attached debug commands from the configuration of server and router CA

  It seems that the routers does not receive the certificate of the CA (R3) router because I see the certificate is awaiting status:

  #
  R3 #.
  R3 #show cryptographic pki certificate cisco talkative
  CA
  Status: available
  Version: 3
  Certificate serial number (hex): 01
  Use of certificates: Signature
  Issuer:
  CN = cisco1. Cisco.com L\ = RTP it\ = US
  Object:
  CN = cisco1. Cisco.com L\ = RTP it\ = US
  Validity date:
  start date: 10:12:13 UTC Sep 8 2013
  end date: 10:12:13 UTC Sep 7 2016
  Subject key information:
  Public key algorithm: rsaEncryption
  RSA Public Key: (512 bits)
  Signature algorithm: MD5 with RSA encryption
  Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
  Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
  X509v3 extensions:
  X509v3 Key use: 86000000
  Digital signature
  Key Cert sign
  Signature of the CRL
  X509v3 subject Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
  X509v3 Basic Constraints:
  CA: TRUE
  X509v3 Authority Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
  Access to information the authority:
  Related Trustpoints: cisco
  Storage: nvram:cisco1ciscoc #4CA.cer

  R3 #.

  Appreciate your support and I will send additional if necessary evidence

  TX

  Roee

  I didn't look at your configuration, but accroding to your description, it seems that you have not approved the certificate requests pending on your router CA. Here are the commands that you need:

  To view the pending requests:

  information cryptographic pki server router 'CA '.

  To grant requests pending:

  Info Server 'CA' router cryptographic pki grant all

• IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

  Hello

  My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

  "Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

  NAT takes place before the encryption verification!

  In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

  Thanks for any help

  Best regards

  Heiko

  Hello

  Try to change your static NAT with static NAT based policy.

  That is to say the static NAT should not be applicable for VPN traffic

  permissible static route map 1

  corresponds to the IP 104

  access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

  access-list 104 allow the host ip 10.1.110.10 all

  IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

  HTH

  Kind regards

  GE.

• WILL secure IPSec tunnel

  Hi all

  I have just set up an IPSec tunnel, except use debug crypto ipsec / isakmp how can I check IPSec works? When I configure the encryption card, can I use ip of the tunnel as the peer address.

  Thanks in advance.

  Banlan

  Hi Banlan,

  Thanks for your appreciation. I feel honoured!

  Back to your question about free WILL inside the IPSec, you must use the gre as the Protocol in the access list; This right, shud you get points for that! (because the ip packet is encapsulated by GRE and then AH / ESP headers are added). Also remember that the ip address as the destination of the tunnel should be globally routable. You cannot use tunneling as a destination of the tunnel (except of course when the routers are connected back to back)

  See the following configs for GRE inside IPSec.

  ! ON THE INITIATOR

  ...

  ...

  access-list 110 permit host WILL

  ...

  12 crypto isakmp policy

  preshared authentication

  !

  address ISAKMP crypto key xxxxx

  Crypto ipsec transform-set esp TS - a

  !

  card 11 CM ipsec-isakmp crypto

  defined by peers

  game of transformation-TS

  match address 110

  !

  tunnel1 interface

  IP unnumbered

  source of tunnel

  tunnel destination

  card crypto CM

  !

  interface

  card crypto CM

  !

  IP route x.x.x.x tunnel1

  ! ON THE ANSWERING MACHINE

  ...

  ...

  access-list 111 allow host WILL

  ...

  crypto ISAKMP policy 11

  preshared authentication

  !

  address ISAKMP crypto key xxxxx

  Crypto ipsec transform-set esp TS - a

  !

  Map 10 CM ipsec-isakmp crypto

  defined by peers

  game of transformation-TS

  match address 111

  !

  interface tunnels2

  IP unnumbered

  source of tunnel

  tunnel destination

  card crypto CM

  !

  interface

  card crypto CM

  !

  IP route x.x.x.x tunnels2

  I think you have the answer now. Catch me if you want something else.

  Cheers :-))

  Naveen

  [email protected] / * /.

• Tunnel traffic inside IPSEC tunnel

  Hello world

  Site has a Site B through ASA IP Sec Tunnel.

  Now turn on Site a GRE tunnel and the tunnel destination is happening inside the IPSEC tunnel.

  In other words, IPSEC tunnel between 2 sites also leads the GRE Tunnel traffic.

  Who's in charge, I can run on ASA whether IPSEC is transport traffic of the GRE tunnel or

  Which line in config ASA will tell me that this IPSEC also conducts traffic GRE tunnel?

  Thank you

  MAhesh

  Hello

  I think that you will probably see GRE in the ASA connection table when the connection is in use.

  You can try the command

  Show conn | Volition Inc.

  And see if this produceses matter what exit.

  Can you possibly provide "interface Tunnelx" configurations and if its using other interfaces such as 'tunnel source' and 'destination tunnel' then their configurations also.

  -Jouni