
Tuesday, October 8, 2019

Loopbacks Sourced IPSec VPN Config with Crypto Maps on Cisco IOS

This post is an extension to the previous post I wrote on IPSec Site-to-Site VPN Configuration with Crypto Maps on Cisco IOS; this time the IPSec tunnel is formed between Loopback IPs instead of the physical interface addresses. Please refer to that post for the detailed step-by-step explanation of the commands. Most of the commands from that post are reused here, and only the commands specific to the loopback-sourced setup are discussed.

The following image shows a high-level overview of how this works.

As you can see, the crypto map is always applied to the physical interface, even though the IPSec peers are the Loopback (logical interface) addresses.

The actual setup used here is shown below.


This is almost the same topology as in the previous post mentioned above. Additionally, the user LAN gateways are configured as 11.11.11.254 on R1 and 33.33.33.254 on R3 so that data traffic through the tunnel can be tested.

The configuration on R1 is as follows.

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 60
R1(config-isakmp)#encryption aes

R1(config)#crypto isakmp key PASSWORD address 3.3.3.3

R1(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac

R1(config)#ip access-list extended 150
R1(config-ext-nacl)#permit ip 11.11.11.0 0.0.0.255 33.33.33.0 0.0.0.255

R1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp
R1(config-crypto-map)#match address 150
R1(config-crypto-map)#set transform-set TRANSFORMSET
R1(config-crypto-map)#set peer 3.3.3.3

R1(config)#crypto map CRYPTOMAP local-address Loopback0

R1(config)#int e0/0
R1(config-if)#crypto map CRYPTOMAP

R1(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
R1(config)#ip route 33.33.33.0 255.255.255.0 192.168.23.3
R1(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3

The configuration on R3 is as follows.

R3(config)#crypto isakmp policy 1
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 60
R3(config-isakmp)#encryption aes

R3(config)#crypto isakmp key PASSWORD address 1.1.1.1

R3(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac

R3(config)#ip access-list extended 150
R3(config-ext-nacl)#permit ip 33.33.33.0 0.0.0.255 11.11.11.0 0.0.0.255

R3(config)#crypto map CRYPTOMAP 10 ipsec-isakmp
R3(config-crypto-map)#match address 150
R3(config-crypto-map)#set transform-set TRANSFORMSET
R3(config-crypto-map)#set peer 1.1.1.1

R3(config)#crypto map CRYPTOMAP local-address Loopback0

R3(config)#int e0/0
R3(config-if)#crypto map CRYPTOMAP

R3(config)#ip route 192.168.12.0 255.255.255.0 192.168.23.2
R3(config)#ip route 1.1.1.1 255.255.255.255 192.168.12.1
R3(config)#ip route 11.11.11.0 255.255.255.0 192.168.12.1

In this topology, R2 also needs routes for the loopback networks, because the ISAKMP and ESP packets between the peers are sourced from and destined to the loopback addresses (the tunnel peer IPs) rather than the physical interface addresses.

R2(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1
R2(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3
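The checks below are an added example, not part of the original post: a small Python script that parses running-config excerpts modelled on R1 and R3 and verifies the dependencies a loopback-peered crypto map has on the rest of the config (each side's set peer and ISAKMP key address match the other side's Loopback0, the two crypto ACLs mirror each other, and both the peer loopback and every remote LAN in the crypto ACL are covered by a static route). The Loopback0 masks in the excerpts are assumed, as the post does not show the loopback interface configuration.

```python
import re, ipaddress

# Constructed excerpts modelled on the post's R1/R3 configs; the Loopback0 masks are assumed.
R1 = """interface Loopback0
 ip address 1.1.1.1 255.255.255.0
crypto isakmp key PASSWORD address 3.3.3.3
 set peer 3.3.3.3
 permit ip 11.11.11.0 0.0.0.255 33.33.33.0 0.0.0.255
ip route 33.33.33.0 255.255.255.0 192.168.23.3
ip route 3.3.3.0 255.255.255.0 192.168.23.3
"""
R3 = """interface Loopback0
 ip address 3.3.3.3 255.255.255.0
crypto isakmp key PASSWORD address 1.1.1.1
 set peer 1.1.1.1
 permit ip 33.33.33.0 0.0.0.255 11.11.11.0 0.0.0.255
ip route 1.1.1.1 255.255.255.255 192.168.12.1
ip route 11.11.11.0 255.255.255.0 192.168.12.1
"""

def wildcard_net(addr, wildcard):
    # A crypto ACL wildcard is the bitwise inverse of a subnet mask.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    """Pull out the fields a loopback-peered crypto map depends on."""
    first = lambda pat: re.search(pat, cfg, re.M).group(1)
    return {
        "loopback": first(r"^interface Loopback0\n ip address (\S+)"),
        "peer": first(r"^ set peer (\S+)"),
        "key_addr": first(r"^crypto isakmp key \S+ address (\S+)"),
        "acl": re.findall(r"^ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M),
        "routes": [ipaddress.ip_network(f"{n}/{m}", strict=False) for n, m in re.findall(r"^ip route (\S+) (\S+) \S+", cfg, re.M)],
    }

def check_pair(cfg_a, cfg_b):
    """Return findings for both tunnel ends; an empty list means they are consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for local, remote in ((a, b), (b, a)):
        if local["peer"] != remote["loopback"]:
            findings.append(f"set peer {local['peer']} is not the remote Loopback0 {remote['loopback']}")
        if local["key_addr"] != local["peer"]:
            findings.append(f"isakmp key address {local['key_addr']} differs from set peer {local['peer']}")
        # The peer loopback and every remote LAN in the crypto ACL need a covering route,
        # or the traffic never reaches the physical interface that carries the crypto map.
        needed = [ipaddress.ip_network(remote["loopback"])] + [wildcard_net(d, w) for _, _, d, w in local["acl"]]
        for net in needed:
            if not any(net.subnet_of(r) for r in local["routes"]):
                findings.append(f"no static route covering {net}")
    if set(a["acl"]) != {(d, dw, s, sw) for s, sw, d, dw in b["acl"]}:
        findings.append("crypto ACLs are not mirror images")
    return findings
```

Running check_pair(R1, R3) on the excerpts above returns no findings; a host-mask typo in the LAN route (255.255.255.255 instead of 255.255.255.0) is reported as a missing route for the /24.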

The following show commands verify the implementation.
