[c-nsp] Problem w/ outgoing IP on IPSEC tunnels

Garry Glendown gkg at gmx.de
Tue Sep 20 17:54:04 EDT 2005


lee.e.rian at census.gov wrote:
>>Is there a way to force a router to use a certain IP
>>independently from the exterior interface used for routing the packets???
> 
> 
> Using the address of the loopback interface works.  Is that what you're
> looking for?

Tried it, still used the other interface's IP!? (Running 12.4(1), btw.)
What might I be missing here?

crypto keyring CARGO
  pre-shared-key address x.x.x.x key XYZ
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp profile CARGO
   vrf CARGO
   keyring CARGO
   self-identity address
   match identity address x.x.x.x 255.255.255.255
   keepalive 60 retry 5
   local-address GigabitEthernet0/0
!
crypto ipsec transform-set 3des-set esp-3des esp-sha-hmac
crypto ipsec transform-set des-set esp-des esp-sha-hmac
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
crypto ipsec transform-set aes256-set esp-aes 256 esp-sha-hmac
!
crypto map IPSECVPN local-address GigabitEthernet0/0
crypto map IPSECVPN isakmp-profile CARGO
crypto map IPSECVPN 44631 ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3des-set aes256-set aes-set
 set pfs group2
 set isakmp-profile CARGO
 match address BTG


All the interfaces (LAN and WAN) have the crypto map attached.

Any ideas?

Tnx, -gg

