Crypto map applied on loopback interface

Discussion in 'Cisco' started by Sebastian, Apr 15, 2005.

    Sebastian (Guest)


    The following problem has already been touched on here several times, but
    the suggested solutions cannot be applied to my case.

    I need to provide each group of Cisco VPN users with a separate IP address
    for terminating the IPsec sessions. I plan to dedicate to each of them
    a separate loopback interface with a dedicated crypto map applied.

    I made initial tests, and what I see is that the IPsec session is
    established, but except for the loopback IP address (which is the IPsec tunnel
    endpoint) I cannot ping any interface on the same router.

    I suspect that the problem is with the routing definition.
    The remote session installs only the route to the remote VPN client but
    does not say anything about the traffic needing to be sent via the IPsec tunnel
    (so it goes through the physical interface using the global routing policies).

    When I force the local traffic to go through the IPsec tunnel, I receive
    an answer.

    route-map MYTEST permit 10
    set interface Loopback0

    ip local policy route-map MYTEST

    So my suspicion was correct.
    The problem is that I plan to use a lot of loopbacks, and each group of VPN
    clients is to be terminated within a different VRF, so the temporary
    solution with the route-map is not a good solution.

    Do you have any idea:
    1. Why does it work (or rather not work) that way?
    2. Is it a bug or my misconfiguration? Because if I can apply the
    crypto map on an interface, it should work without any problem.

    I cannot use "crypto map primary-map local-address loopback0" as
    suggested somewhere, because I am using dynamic crypto maps, and they
    all reference one single static crypto map which is now applied to a
    single internet-facing interface.

    Sebastian, Apr 15, 2005
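The following is an added, constructed reconstruction of the test setup the post describes (a loopback used as the IPsec termination address, a dynamic crypto map bound through a static map entry, and the route-map/ip local policy workaround for router-originated traffic). It is not the poster's actual configuration, and the ISAKMP policy, transform set, map names, addresses and the verification commands at the end are assumptions chosen to make the fragment self-contained. It reproduces the workaround only; it does not address the per-VRF scaling problem raised in the post.

```cisco
! Constructed example, not the poster's configuration. Names, addresses and
! crypto parameters are assumptions.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
!
! Dynamic map for the VPN clients (peer addresses unknown in advance).
! reverse-route installs a host route towards each connected client, which is
! the "route to remote VPN client" the post says is the only route added.
crypto dynamic-map VPN-DYN 10
 set transform-set VPN-TS
 reverse-route
!
! Static map entry that references the dynamic map; this is what gets applied
! to an interface.
crypto map GROUP-A-MAP 10 ipsec-isakmp dynamic VPN-DYN
!
! Loopback acting as the dedicated IPsec termination address for one group.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
 crypto map GROUP-A-MAP
!
! Temporary workaround from the post: policy-route locally generated traffic
! (for example ping replies to the VPN client) out of Loopback0 so it is
! evaluated against the crypto map there instead of leaving the physical
! interface unencrypted.
route-map MYTEST permit 10
 set interface Loopback0
!
ip local policy route-map MYTEST
!
! Verification (assumed commands, all standard IOS):
!   show crypto isakmp sa          - phase 1 SA to the client is up
!   show crypto ipsec sa           - encrypt/decrypt counters increase on ping
!   show ip route                  - the RRI host route for the client
!   show ip local policy           - the workaround route-map is active
```

The thing to check when comparing this with the behaviour in the post is whether the encrypt counters in "show crypto ipsec sa" move when pinging a non-loopback interface of the router: if they do not, router-originated replies are leaving unencrypted via the global routing table, which is exactly what the local policy route-map works around.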