Crypto map applied on loopback interface


The following problem has already been touched on here several times, but the suggested solutions cannot be applied to my case.

I need to provide each group of Cisco VPN users with a separate IP address for terminating the IPsec sessions. I plan to dedicate to each of them a separate loopback interface with a dedicated crypto map applied.

I made initial tests, and what I see is that the IPsec session is established, but apart from the loopback IP address (which is the IPsec tunnel endpoint) I cannot ping any interface on the same router.

I suspect that the problem is with the routing definition. The remote session installs only the route to the remote VPN client but does not say anything about the traffic having to be sent via the IPsec tunnel (so it goes through the physical interface using the global routing policies).

When I force the local traffic to go through the IPsec tunnel, I receive an answer.

route-map MYTEST permit 10
 set interface Loopback0
!
ip local policy route-map MYTEST

So my suspicion was correct. The problem is that I plan to use a lot of loopbacks, and each group of VPN clients is to be terminated within a different VRF, so the temporary solution with a route-map is not a good solution.

Do you have any idea:

  1. Why does it work (or rather not work) that way?
  2. Is it a bug or my misconfiguration? Because if I can apply the crypto map on an interface, it should work without any problem.

I cannot use "crypto map primary-map local-address loopback0" as suggested somewhere, because I am using dynamic crypto maps, and they all reference one single static crypto map which is now applied to a single internet-facing interface.

TIA, Sebastian
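The setup and the workaround described in the post, as an added Cisco IOS configuration example (not the poster's own configuration): one loopback per VPN user group carrying its own crypto map, with the local policy route-map that forces router-originated replies through the tunnel. The interface names, addresses, transform set name, client pool and ACL number are assumptions; ISAKMP policy, authentication and client group configuration are omitted.

```cisco
! Added example (assumed names and addresses): one loopback per VPN group,
! each with its own crypto map. Loopback0 terminates group 1.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
 crypto map GROUP1-MAP
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Dynamic map for the remote-access clients of group 1; reverse-route
! installs the per-client host route the post refers to.
crypto dynamic-map DYN-GROUP1 10
 set transform-set TS-AES
 reverse-route
!
crypto map GROUP1-MAP 10 ipsec-isakmp dynamic DYN-GROUP1
!
! Assumed address pool handed out to group 1 clients.
access-list 101 permit ip any 10.10.1.0 0.0.0.255
!
! Workaround from the post: policy-route router-originated traffic for the
! client pool out of Loopback0 so that it is processed by the crypto map
! bound there instead of leaving via the physical interface in the clear.
route-map MYTEST permit 10
 match ip address 101
 set interface Loopback0
!
ip local policy route-map MYTEST
```

Note the match clause: the route-map in the post has none, so it policy-routes every locally generated packet to Loopback0, including management and routing-protocol traffic. Restricting it with an ACL that covers only the VPN client pool is the check to make before leaving such a workaround on a production router, and `show route-map MYTEST` shows whether the policy is actually matching packets.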
