Crypto Map on Loopback interface or Physical Interface

Similar Messages

• DMVPN using loopback interface vs. physical interface

  In a DMVPN,what´s the difference between using a loopback interface as a tunnel source instead of a physical interface?

  It will work for a static one to one nat. PAT doesnt play well with GRE because ports dont exist in GRE (not sure if NAT traversal can help here like it does with ISAKMP - it works on spokes) You also need to make sure that the loopback is set to work with the crypto profile.  Joe is right, the address it terminates on is best to be Public address space that you own, that is multihomed - if this is a hub.

• 1 policy-map for more than 1 physical interface

  Hi,
  the situation I want to achieve is, that 2 physical interfaces (here 2 TP GigbitEthernet Ports of a 3750) are limited together from one 'service-policy'/'policy-map'.
  In the example below I have 2 Ports on one switch and the traffic coming in on both ports in total (traffic port #1 + traffic port #2) should be limited to the 'policy-map 5MBits'.
  Right now I have configured a 3750 with:
  class-map match-all EveryMAC
  match access-group name everythingL2
  policy-map 5MBits
  class EveryMAC
  police 5000000 32768 exceed-action drop
  policy-map TEST
  class EveryMAC
  set dscp default
  mac access-list extended everythingL2
  permit any any
  interface GigabitEthernet1/0/1
  description port #1
  switchport access vlan 123
  switchport mode access
  speed 10
  duplex auto
  interface GigabitEthernet1/0/2
  description port #2
  switchport access vlan 123
  switchport mode access
  speed 10
  duplex auto
  interface Vlan123
  service-policy input TEST
  And at the 'other side' a 2950 works with the following config:
  class-map match-all EveryMAC
  match access-group name everythingL2
  policy-map 5MBits
  class EveryMAC
  police 5000000 32768 exceed-action drop
  mac access-list extended everythingL2
  permit any any
  interface FastEthernet0/1
  description port #A
  switchport access vlan 123
  switchport mode access
  speed 10
  duplex auto
  As far as I can see this seems to work. But it would be nice if someone can confirm this or provide an other suggestion.
  thanks in advance
  Mark

  Only thing i can think of is instead of using a MAC ACL , u cud jus use the default class
  Policy Map Test
  class class-default
  police 56000 8000 exceed-action drop
  Class Map match-any class-default (id 0)
  Match any
  You would be saving a MAC-ACL ;-).

• Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

  Hi,
  I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
  Any ideas?
  Thanks Steve
  https://supportforums.cisco.com/thread/255085
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
  5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
  4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
  3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
  6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
  6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

  Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
  If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
  access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
  Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
  nat (outside) 1 172.16.0.0 255.255.240.0

• The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

  Hello
  I think the following topologies are supported for Cisco Routers
  And the Physical interface also can be using as Native VLAN interface right? 
  Topology 1.
   R1 Gi0.1 ------ IEEE802.1Q Tunneling  L2SW ------ Gi0 R2
  R1 - configuration
  interface GigabitEthernet0.1
   encapsulation dot1Q 1 native
   ip address 10.0.0.1 255.255.255.0
  Topology 2.
  R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
  interface GigabitEthernet0
  ip address 10.0.0.1 255.255.255.0
   And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
  R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3 
        Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4  (same VLAN-ID) 
  R1 - configuration
  interface GigabitEthernet0
   ip address 10.0.0.1 255.255.255.0
  interface GigabitEthernet8.20
   encapsulation dot1Q 20
   ip address 20.0.0.1 255.255.255.0
  Any information is very appreciated. but if there is any CCO document please let me know.
  Thank you very much and regards,
  Masanobu Hiyoshi

  Hello,
  The diagram is helpful.
  If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
  Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
  Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
  Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
  My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
  Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
  I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
  Best regards,
  Peter

• Virtual interface or physical interface

  Hi All,
  Need your help select IPSce config in following environment
  We are working in Joint venture. Two different companies are working under one banner. But one company's computers requires services from other company's server.
  We are thinking to make site to site connection along with IPSec. Both sites have static public IP's.
  Configuring Virtual Tunnel interface OR
  Configuring Physical Interface OR
  GRE Point to Point

  Hi Omer,
  I would prefer VTI on GRE over IPSec . Although IPsec provides a secure method for tunneling data across an IP network, it has limitations. IPsec does not support IP broadcast or IP multicast, preventing the use of protocols that rely on these features, such as routing protocols. IPsec also does not support the use of multiprotocol traffic.
  GRE is a protocol that can be used to “carry” other passenger protocols, such as IP broadcast or IP multicast, as well as non-IP protocols. 
  Vitual Tunnel Interfaces you can set them up with a profile that uses IPsec for transport and so the interface tu0 is treated like a usual IP interface that can also handle routing protocols.
  However, different tunnel mode can apply different application. Here are some considerations for IPSec VTI. The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have a wider application for IPsec implementation. Thus, for some non-IP traffic, we still need IPSec over GRE.
  Header related overhead is about same, However VTI is less CPU intensive. Well also matter what platfrom is part of solution.
  Br.
  Mohseen 

• Tunnel interface to physical interface

  Hi All,
  I was wondering if it is possible to build a site to site vpn connection one side using tunnel interface and the other end using a physical interface.
  My plan is to use a 3945 router, build multiple tunnel interfaces on the router to connect 50 clients. By using tunnel interface on the router i could leverage on the vrf feature to isolate clients  but if i use tunnel interface on my end  i am not certain if the tunnel will come up if my client is using 1) ASA 2) PIX 3) vpn concentrator - which doesnt support tunnel interface.
  Thanks for your help in advance.
  Lou

  Mark Mattix wrote:I did some reading on EIGRP and is it correct that the EIGRP Header and Payload (TLV) are encapsulated in an IP packet and addressed to the address, 224.0.0.10? Is this the reason why multicast traffic must be encapsulated first in GRE to travel over the internet? Olivier Pelerin> This is correct
  When I set up a site to site VPN using GRE tunnels and an IPSec config on the interfaces would this be considered, IPSec over GRE, or GRE over IPSec? I don't understand that difference.
  Olivier Pelerin> See the diagram below - this explain GRE over IPSEC. That's a diagram I did here for a training
  On the example packet I posted above, is the public address that's routed over the internet part of the IPSec packet/suite? I guess a better question is, what portions of the packet make up IPSec and which portion is just regular IPv4 addressing?
  Olivier Pelerin> the diagram below should answer that
  I've been wrong in thinking that GRE and IPSec go hand in hand when infact it's possible to only use IPSec and no type of tunnel. If IPSec is set up on the interfaces and the tunnels are configured at both end points, what does your information first get encapsulated by, GRE or IPSec? In your example packet format Olpeleri, is looks like the IP packet is first encapsulated in GRE then encapsulated by IPSec. Is this correct? If so when information leaves our LAN and heads to the internet, does it first go through the tunnel to be encapsulated by GRE then out the physical link that adds the IPSec encapsulation?
  Olivier Pelerin> Correct. GRE first then encryption
  Sorry for all these questions, I'm just trying to learn how this works! Thanks again for the help!
  [red = encrypted]

• Can I enter crypto map command on an ethernet interface(LAN)

  Hi Friends,
  I am establishing VPN tunnel through Internet. I have the public address configured on Ethernet interface of router connecting the LAN. Can I bind the crypto map command to this inside interface and establish the VPN connectivity from this interface. Please help me providing the knowledge.

  your crypto map must be bound to outside interface.
  but you can chose which ip to use
  http://www.cisco.com/en/US/docs/ios/mwpdsn/command/reference/mwp_02.html#wp1014299
  [Pls RATE if HELPS]

• One crypto map, different tunnel source addresses (secondary)

  Hi,
  I have two devices with two different (public) IP addresses (Cisco 2811 and Cisco 851), which both host some IPSec tunnels (IPSec/ESP/Tunnel mode). I want to move the 851's configuration to the 2811, and remove the 851 from the network. There is a crypto map assigned to the main outside interface of the 2811 with a few entries. The problem is that I cannot change any of the tunnel TEPs, so the IP address of the 851 must be moved onto the 2811 (as a secondary address). Is there anything I can do to use the secondary address as an IPSec tunnel source? Or do I have to do it using NAT and loopback interfaces?

  Source IP addresses for IKE for exchanges leaving out of the same physical interface, ie:
  crypto map to-peer_a 10 ipsec-isakmp
  set peer 10.1.3.1
  set local-address loopback1 <-- new command
  match address 100
  crypto map to-peer_a 20 ipsec-isakmp
  set peer 10.1.3.2
  set local-address loopback2 <-- new command
  match address 101
  Current code allows to specify a local-address for each crypto map only, and not on a per crypto map instance, as suggested above.

• Crypto map removing itself after reload

  Hello,
  I just set up my site tot site vpn with a pix box and a cisco 3745.
  The pix box is fine but the 3745 when ever I reload it the crypto map is not applied to the interface after the reload.

  Hello,
  I did issue a write memory.
  sh ver
  Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25), R                                                                             ELEASE SOFTWARE (fc2)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2009 by Cisco Systems, Inc.
  Compiled Tue 21-Apr-09 14:41 by prod_rel_team
  ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
  FIBERJGX-3745-01 uptime is 3 hours, 49 minutes
  System returned to ROM by reload at 01:32:53 UTC Fri Jul 5 2013
  System restarted at 01:34:09 UTC Fri Jul 5 2013
  System image file is "slot0:c3745-adventerprisek9-mz.124-25.bin"
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected]
  Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.
  Processor board ID JMX0837L5AU
  R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
  2 FastEthernet interfaces
  DRAM configuration is 64 bits wide with parity disabled.
  151K bytes of NVRAM.
  31360K bytes of ATA System CompactFlash (Read/Write)
  125952K bytes of ATA Slot0 CompactFlash (Read/Write)
  Configuration register is 0x2102

• Crypto map has incomplete entries message

  I'm working on building a configuration on a 5540 running 9.1.2 for L2L VPN.  When I reload the device, I get this message:
  .WARNING: crypto map has incomplete entries
  *** Output from config line 10665, "crypto map L2LVPN interf..."
  I seems it's giving me the error on the line where the crypto map is assigned to the outside interface.  Unfortunately this message really is not very helpful.  I do not have this in production yet. Is there any way I can find out where my problem may be?
  Thanks.
  Jason

  Hi,
  This usually indicates that one L2L VPN connection Crypto Map configuration is missing some essential parameter to make it complete.
  So issue the command
  show run crypto map
  Then make sure that the following lines exists
  crypto map match address
  crypto map set peer
  crypto map set ikev1 transform-set
  If any of the 3 things mentioned above are missing then the crypto map configuration is deemed incomplete and doesnt have the information needed for that L2L VPN to function.
  Atleast this is what it seems to me.
  Hope it helps
  - Jouni

• Dialler interface and Isdn interface

  Can someone tell me the difference
  When bringing up an isdn interface, Am I correct in saying it has to raise the line by calling the isdn number, If so whats the difference between this and a dialler interface ?
  thanks
  Carl

  Hi Carl,
  A dialer interface is a parent interface that holds central protocol characteristics for ISDN D channels, which are part of specified dialer rotary groups. Data packets are delivered to dialer interfaces, which in turn initiate dialing for inbound calls. In most cases, D channels get their core protocol intelligence from dialer interfaces.
  A dialer interface is user configurable and linked to individual B channels (such as S0:0, S0:1, S0:2), where it delivers data packets to their physical destinations. Dialer interfaces seize physical interfaces to cause packet delivery.
  ISDN BRI delivers a total bandwidth of a 144-kbps via three separate channels. Two of the channels, called B (Bearer) channels, operate at 64 kbps and are used to carry voice, video, or data traffic. The third channel, the D (Data) channel, is a 16-kbps signaling channel used to carry instructions which tells the telephone network how to handle each of the B channels. ISDN BRI is often referred to as "2 B+D."
  A D channel notifies the central office switch to send the incoming call to particular timeslots on the router. Each one of the bearer or B channels carries data or voice. The D channel carries signaling for the B channels. The D channel also identifies if the call is a digital call or analog call. Analog calls are decoded and then get sent off to the modems. Digital calls are directly relayed off to the ISDN processor in the router.
  HTH,
  -amit singh

• Multiple Crypto Maps on Single Outside Interface

  Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
  crypto map azure-crypto-map 10 match address azure-vpn-acl
  crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
  crypto map azure-crypto-map interface outside
  However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
  crypto map azure-crypto-map interface outside
  which blows away my original line:
  crypto map outside_map interface outside
  It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.

  Hi,
  You can use the same "crypto map"
  Just add
  crypto map outside_map 10 match address azure-vpn-acl
  crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
  Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
  And what I mean with the above is that when a L2L VPN connections is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
  If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
  Hope this helps
  - Jouni

• Which interface does "crypto map vpn" get assigned to?

  I'm setting up a site to site vpn and have been reading some examples, but my 871 uses a vlan so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or fe4 which is my WAN side.

  Sander
  If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I can not tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
  If this helps you figure it out that is good. Otherwise perhaps you can provide some clarification of the environment.
  HTH
  Rick
  Sent from Cisco Technical Support iPhone App

• Crypto Map on Tunnel interface

  hi guys, when i trying to apply crypto map on tunnel interface , debug is (
  crypto map is configured on tunnel interface.  Currently only GDOI crypto map is supported on tunnel interface )
  why i can't apply simple crypto map on tunnel interface? anyone knows?
  thanks

  This was proven to break CEF in the past and is a bad design choice by default.
  Newer release do not allow you to configure this.
  If you're curious if it will work for you check releases prior to 15.x.
  M.