[c-nsp] Problem w/ outgoing IP on IPSEC tunnels
Garry Glendown
gkg at gmx.de
Tue Sep 20 17:54:04 EDT 2005
lee.e.rian at census.gov wrote:
>>is there a way to force a router to use a certain IP
>>independently from the exterior interface used for routing the packets???
>
>
> Using the address of the loopback interface works. Is that what you're
> looking for?
Tried it, still used the other interface's IP!? (Running 12.4(1), btw.)
What might I be missing here?
crypto keyring CARGO
 pre-shared-key address x.x.x.x key XYZ
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp profile CARGO
 vrf CARGO
 keyring CARGO
 self-identity address
 match identity address x.x.x.x 255.255.255.255
 keepalive 60 retry 5
 local-address GigabitEthernet0/0
!
crypto ipsec transform-set 3des-set esp-3des esp-sha-hmac
crypto ipsec transform-set des-set esp-des esp-sha-hmac
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
crypto ipsec transform-set aes256-set esp-aes 256 esp-sha-hmac
!
crypto map IPSECVPN local-address GigabitEthernet0/0
crypto map IPSECVPN isakmp-profile CARGO
crypto map IPSECVPN 44631 ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3des-set aes256-set aes-set
 set pfs group2
 set isakmp-profile CARGO
 match address BTG
All the interfaces (LAN and WAN) have the crypto map attached.
Any ideas?
Tnx, -gg