Q: Is it possible to bind IPSEC to a specific IP address?

Discussion in 'Cisco' started by dbmasterguru, May 7, 2005.

  1. dbmasterguru

    dbmasterguru Guest

    Dear networkers,


    We have a running VPN over Internet between our HQ
    and a remote branch which works fine.
    The HQ and remote branch use static IP addresses
    and the VPN is IPSEC with manual keying.

    The VPN endpoints are a CISCO836 at the remote branch
    (connected to the Internet via ADSL/ISDN (3)) and a
    CISCO2820 at the HQ (connected to the Internet via
    Ethernet (1)), which is also used as the primary gateway
    to the Internet. See the map below for details.

    Recently we established a second/backup Internet link
    for availability purposes using a CISCO2650
    (connected to the Internet via E1 (2)). The setup
    and routing are fine, so we receive packets over (1)
    when the primary connection is up and running - and
    over (2) when the primary link (1) is down.

    Now we experience problems with the VPN connection
    when IPSEC packets are routed over the backup link
    instead of over the primary link.

    It looks like the CISCO836 is not able to establish
    the VPN link with the CISCO2820 because packets are
    coming out from 1.2.3.1 (fa0/0 on the CISCO2820) instead
    of 1.2.4.1 (fa0/1 on the CISCO2820), which is the configured
    peer.


    We already took a look at "IPSEC preferred peer"
    (http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gt_ipspp.htm)
    with DPD but this is not an option because
    we want to use manual keying.

    Also configuring multiple peers in a crypto map is not
    possible with manual keying.

    Here comes my question: is it possible to "bind"
    the IPSEC endpoint to a specific IP address (i.e. a
    loopback interface address on the CISCO2820) so that
    packets always flow from/to this address only?

    Cheers,
    DBM

    PS: Here is the network topology map...

                      +- - - - +
                      |HQ-Cloud|
                      +- -+- - +
                  HQ      |
        ----------+----------+--------+----------
             fa0/0 |   1.2.3.1/24     | fa0/0
              +----+----+        +----+----+
              |CISCO2820|        |CISCO2650|
              | VPN SEC |        | NON VPN |
              +----+----+        +----+----+
         fa0/1     \ 1.2.4.1/24      /
           (1)      \               / (2)
                     \             /
                    I N T E R N E T
                           \
                            \ (3)
                             \ 1.2.5.1/24
                         +----+---+
                         |CISCO836|
                         +---+----+
                             |   REMOTE BRANCH
                      -------+-------
                             |
                         +- -+- -+
                         |Branch |
                         | Cloud |
                         +- - - -+
     
    dbmasterguru, May 7, 2005
    #1

  2. dbmasterguru

    dbmasterguru Guest

    I will answer my question myself :)

    Please give

    crypto map <NAME_OF_CRYPTO_MAP> local-address <INTERFACE_NAME>

    a try.

    Cheers,
    DBM
     
    dbmasterguru, May 9, 2005
    #2
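As an added example (not part of the original thread, and not a configuration posted by dbmasterguru), here is how `crypto map ... local-address` is typically combined with a manual-keyed crypto map on the HQ router so that the IPsec endpoint is a loopback address rather than whichever physical interface the packet happens to leave on. Everything below is assumed for illustration: the loopback address 1.2.6.1, the map name VPNMAP, the transform set TS, access list 101, the LAN prefixes 10.1.0.0/16 (HQ) and 10.2.0.0/16 (branch), the SPI values, and the session keys, which are placeholders of the correct length (48 hex digits for 3DES, 40 for HMAC-SHA) and must be replaced with randomly generated values.

```cisco
! === HQ router (CISCO2820), added example configuration ===
!
! The loopback is the fixed IPsec endpoint. It must be routable from the
! Internet over BOTH the primary link (1) and the backup path via the
! CISCO2650 (2), otherwise the branch cannot reach it when (1) is down.
interface Loopback0
 ip address 1.2.6.1 255.255.255.255
!
! Interesting traffic: HQ LAN <-> branch LAN (assumed prefixes).
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Manual keying: no IKE, no DPD, one statically configured peer.
crypto map VPNMAP 10 ipsec-manual
 set peer 1.2.5.1
 set transform-set TS
 ! Placeholder keys: replace with random values; inbound here must equal
 ! outbound on the branch and vice versa.
 set session-key inbound esp 1000 cipher 0123456789abcdef0123456789abcdef0123456789abcdef authenticator 0123456789abcdef0123456789abcdef01234567
 set session-key outbound esp 1001 cipher fedcba9876543210fedcba9876543210fedcba9876543210 authenticator fedcba9876543210fedcba9876543210fedcba98
 match address 101
!
! This is the option from the answer above: every interface that carries
! VPNMAP now uses Loopback0 as the local IPsec address and shares one set
! of SAs, so the source address no longer depends on the egress interface.
crypto map VPNMAP local-address Loopback0
!
! Apply the map on both possible egress interfaces: the direct Internet
! link (1) and the LAN-facing interface used when traffic is rerouted via
! the CISCO2650 (2).
interface FastEthernet0/1
 ip address 1.2.4.1 255.255.255.0
 crypto map VPNMAP
!
interface FastEthernet0/0
 ip address 1.2.3.1 255.255.255.0
 crypto map VPNMAP
!
! === Branch router (CISCO836), the only part that changes ===
! The peer is now the loopback, not a physical interface address.
crypto map VPNMAP 10 ipsec-manual
 set peer 1.2.6.1
 set transform-set TS
 set session-key inbound esp 1001 cipher fedcba9876543210fedcba9876543210fedcba9876543210 authenticator fedcba9876543210fedcba9876543210fedcba98
 set session-key outbound esp 1000 cipher 0123456789abcdef0123456789abcdef0123456789abcdef authenticator 0123456789abcdef0123456789abcdef01234567
 match address 101
```

After applying this, `show crypto ipsec sa` on the HQ router should list 1.2.6.1 as the local endpoint regardless of which interface the packets use, and `show crypto map` shows the local address binding. The remaining piece is routing: if the loopback prefix is only reachable through the primary link, binding to it buys nothing during a failover, so check from the branch that 1.2.6.1 answers over path (2) as well.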