[c-nsp] IP sec tunnel , two IPs same interface

Ashe Canvar acanvar at gmail.com
Fri Aug 19 11:31:47 EDT 2005


Thanks all you guys. Here is the exact config:

!
interface Tunnel41
 description tunnel to vpnrt2.nyc
 ip address 10.17.1.17 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1300
 ip ospf cost 15000
 ip ospf hello-interval 2
 tunnel source AAA.AAAA.209.250
 tunnel destination BBB.BBB.217.250
 tunnel path-mtu-discovery
 crypto map VPN
!
interface FastEthernet0/0.100
 description tunnel endpoint
 encapsulation isl 100
 ip address AAA.BBB.209.250 255.255.255.0 secondary
 ip address YYY.XXX.158.4 255.255.255.128
 no ip redirects
 no ip proxy-arp
 no snmp trap link-status
 crypto map VPN
!

So the problem is that even though the "tunnel source
AAA.AAAA.209.250" command is enabled on the Tunnel41 interface, it
picks up the "YYY.XXX.158.4" IP to initiate ISAKMP. This is not what I
want because I PBR the AAA.AAAA.209.250 IP and want the tunnel to take
that specific path.

vpnrt1.sjc#sho crypto isakmp sa 
...
BBB.BBB.217.250 XXX.YYY.158.4    MM_KEY_EXCH       3807    0
...

Here are my responses to the suggestions so far:

1. You can't terminate tunnels on loopback interfaces because the
crypto map has to be applied to the incoming interface (have tried
that).

2. Both IPs are in the same VLAN (limitation of the architecture), so
making 2 dot1q sub-interfaces in different VLANs is not feasible.

However, can I have 2 sub-interfaces in the same dot1q or ISL VLAN?

3. Derek, it would be awesome if you could dig up the global command.
But still the issue is that I want to terminate some tunnels on
AAA.BBB.209.250 and others on YYY.XXX.158.4.


Thanks again,
Regards,
-ansh



On 8/19/05, Antonio Querubin <tony at aloha.net> wrote:
> On Thu, 18 Aug 2005, Ashe Canvar wrote:
> 
> > I need to terminate a GRE/IPsec tunnel on a router with only 2
> > Ethernet interfaces. The inside interface has an RFC 1918 address and the
> > external interface has a routable IP. The problem is that I want to
> > add a second IP to this interface to terminate a different tunnel
> > (this IP is from a different ISP).
> >
> > I have tried doing a secondary IP on the same interface but this does
> > not work. "sho cry isakamp sa" always shows the connection attempt
> > being made from the primary ip.
> >
> > Any way around this? Can I make two sub-interfaces be in the same VLAN
> > and terminate the VPN on these instead of using the secondary IPs?
> 
> Have you considered using multiple loopback interfaces for the tunnel
> endpoint?
>
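An added example, not code from the post or from anyone in the thread: a small Python checker that reads a saved IOS config and the text of "show crypto isakmp sa" and reports every Tunnel interface whose ISAKMP SA is being sourced from an address other than its configured "tunnel source". That is exactly the symptom described above (the SA shows up from the primary address YYY.XXX.158.4 instead of the secondary AAA.AAAA.209.250), and running this against a config backup and a pasted "show" output is a quick way to spot it across many tunnels. The config and SA output below are constructed with RFC 5737 documentation addresses, not the poster's real addresses; the SA columns are assumed to be in the order shown in the post (dst, src, state, conn-id, slot); and a "tunnel source" given as an interface name (e.g. Loopback0) is assumed to resolve to that interface's primary address.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample config modelled on the stanzas in the post, using
# RFC 5737 documentation addresses (assumption: not the poster's real IPs).
SAMPLE_CONFIG = """\
!
interface Tunnel41
 description tunnel to vpnrt2.nyc
 ip address 10.17.1.17 255.255.255.252
 tunnel source 192.0.2.250
 tunnel destination 198.51.100.250
 crypto map VPN
!
interface Tunnel42
 description tunnel via second ISP
 ip address 10.17.1.21 255.255.255.252
 tunnel source 203.0.113.4
 tunnel destination 198.51.100.251
 crypto map VPN
!
interface Tunnel43
 description tunnel sourced from a loopback (assumed to resolve to its address)
 ip address 10.17.1.25 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.252
 crypto map VPN
!
interface Loopback0
 ip address 203.0.113.9 255.255.255.255
!
interface FastEthernet0/0.100
 description tunnel endpoint
 encapsulation isl 100
 ip address 192.0.2.250 255.255.255.0 secondary
 ip address 203.0.113.4 255.255.255.128
 crypto map VPN
!
"""

# Constructed 'show crypto isakmp sa' output; column order as in the post
# (dst src state conn-id slot). Tunnel41's SA is sourced from the wrong address.
SAMPLE_ISAKMP_SA = """\
dst             src             state          conn-id slot
198.51.100.250  203.0.113.4     MM_KEY_EXCH       3807    0
198.51.100.251  203.0.113.4     QM_IDLE           3808    0
198.51.100.252  203.0.113.9     QM_IDLE           3809    0
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_config(config: str) -> Tuple[Dict[str, Dict[str, Optional[str]]], Dict[str, str]]:
    """Return (tunnels, primary_addrs).

    tunnels: {"TunnelN": {"source": ..., "destination": ...}}
    primary_addrs: {interface: primary IPv4 address} (secondary addresses are skipped)
    """
    tunnels: Dict[str, Dict[str, Optional[str]]] = {}
    primary: Dict[str, str] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            if current.startswith("Tunnel"):
                tunnels[current] = {"source": None, "destination": None}
            continue
        if not line.startswith(" "):
            current = None  # '!' or a global command ends the stanza
            continue
        if current is None:
            continue
        # Primary address only: a trailing 'secondary' keyword fails the $ anchor.
        m = re.match(r" ip address (\S+) \S+$", line)
        if m:
            primary[current] = m.group(1)
            continue
        m = re.match(r" tunnel (source|destination) (\S+)$", line)
        if m and current in tunnels:
            tunnels[current][m.group(1)] = m.group(2)
    return tunnels, primary


def parse_isakmp_sa(output: str) -> List[Tuple[str, str, str]]:
    """Return (dst, src, state) for each SA line; header/other lines are ignored."""
    sas = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and IPV4.match(parts[0]) and IPV4.match(parts[1]):
            sas.append((parts[0], parts[1], parts[2]))
    return sas


def find_source_mismatches(config: str, sa_output: str) -> List[Tuple[str, str, str, str]]:
    """Return (tunnel, expected_source, actual_source, state) for every SA whose
    local address differs from the tunnel's configured (or resolved) source."""
    tunnels, primary = parse_config(config)
    by_dest = {t["destination"]: name for name, t in tunnels.items() if t["destination"]}
    mismatches = []
    for dst, src, state in parse_isakmp_sa(sa_output):
        name = by_dest.get(dst)
        if name is None:
            continue  # SA to a peer that is not a configured tunnel destination
        source = tunnels[name]["source"]
        if source and not IPV4.match(source):
            source = primary.get(source)  # assumption: interface name -> its primary address
        if source and src != source:
            mismatches.append((name, source, src, state))
    return mismatches


if __name__ == "__main__":
    for name, expected, actual, state in find_source_mismatches(SAMPLE_CONFIG, SAMPLE_ISAKMP_SA):
        print(f"{name}: ISAKMP SA sourced from {actual}, config says {expected} ({state})")
```

On the constructed input only Tunnel41 is reported, because its SA is negotiated from the interface's primary address while the config names the secondary one. Feed it your own running-config and "show crypto isakmp sa" text to see which tunnels are affected before changing the addressing.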


