[c-nsp] Crypto map applied on loopback interface

BoXeR piestaga at aster.pl
Fri Apr 15 17:29:49 EDT 2005


Hi,

I need to provide each group of Cisco VPN users with a separate IP address
for terminating the IPsec sessions. I plan to dedicate to each of them
a separate loopback interface with a dedicated crypto map applied.

I made initial tests, and what I see is that the IPsec session is
established, but except for the loopback IP address (which is the IPsec tunnel
endpoint) I cannot ping any interface on the same router.

I suspect that the problem is with the routing definition.
The remote session installs only the route to the remote VPN client but
does not say anything about the traffic having to be sent via the IPsec tunnel
(so it goes through the physical interface using global routing policies).

When I forced the local traffic to go through the IPsec tunnel, I received
an answer.

route-map MYTEST permit 10
  set interface Loopback0

ip local policy route-map MYTEST

So my suspicion was correct.
The problem is that I plan to use a lot of loopbacks, and each group of VPN
clients is to be terminated within a different VRF, so the temporary
solution with the route-map is not a good solution.

Do you have any idea:
1. Why it works (or rather does not work) that way?
2. Is it a bug or my misconfiguration? Because if I can apply the
crypto map on an interface, it should work without any problem.


TIA
Sebastian


