Re: IPsec failover with BGP

Vincent C Jones
07-25-2004, 01:42 AM
Jim,

IPsec between loopback interfaces works as long as you are not also
doing NAT. For example, see "Configuring IPSec Redundancy over ISDN
Using Dialer Watch" on www.cisco.com.

Last time I checked, Cisco did not support IPsec through NAT, so if
you have configured NAT on the router, you will probably have to use
the outside interface for your VPN endpoints.

Good luck and have fun!
--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ   Phone: 201 568-7810    control their networking destiny
http://www.networkingunlimited.com


In article <7a475dae.0403040438.2e4eaef0@posting.google.com>,
Jim <gadget@easypath.com> wrote:
>Thanks Vincent,
>
> I tried setting the crypto map and set the peers for the ethernet
>interface in the beginning. When that didn't work I moved them to a
>loopback interface. Still no crypto. It wasn't until I moved them to
>the external interface that crypto came up.
> Not having a deep intimate understanding of packet flow in a cisco
>router, and being unable to find any config that utilized crypto on
>the internal interface, I assumed it couldn't be done. That's how I
>ended up with the dual serial interface problem. Of course, I've been
>unable to find a config running IPsec on dual serial interfaces as
>well.
> I'm not supposed to use the shadow circuit at either of my locations
>unless the primary is down, so the move to A1-B1 in the case of a
>single failure is technically improper. Not that Worldcom would care,
>and I'm sure I could get away with it, but it makes me wonder what the
>"perfect" solution would be.
> Guess I wonder too much, but I am having fun!
>
>Jim
>
>
>
>
>vcjones@X23.networkingunlimited.com (Vincent C Jones) wrote in message news:<c26968$lfq$1@X23.networkingunlimited.com>...
>>
>> You're making it more difficult than it needs to be. Why not let BGP
>> do its thing and set up a single IPSec between loopback addresses or
>> an inside interface on each router. That way, if a link goes down,
>> BGP will automatically route around the problem and the IPSec does
>> not have to deal with it?
>>
>> Alternatively, if you feel you must terminate the IPSec on the external
>> IP address, consider just setting up A0-B0 and A1-B1. The other two
>> combinations are inordinately difficult and provide no benefit in
>> the most common scenario of a single failure. (They only help if you
>> have a double failure which affects exactly A0 & B1 or A1 & B0 and
>> nothing else.) Don't forget that with this approach you also need
>> another layer of routing protocol to detect tunnel failure.
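The loopback-endpoint design Vincent recommends (one IPsec peering between loopbacks, BGP routing around a failed circuit), written out as an added IOS configuration for one side; this is an illustration, not configuration from the post or from the cited Cisco document. All addresses, AS numbers and names are constructed placeholders, and it assumes no NAT on the router, consistent with the caveat in the reply above.

```cisco
! Router A (constructed example): a single IPsec SA anchored on Loopback0.
! The crypto map is applied to BOTH serial circuits, so whichever link BGP
! selects carries the ESP traffic; a single link failure is handled by
! BGP reconvergence and the peer addresses never change.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 10.255.0.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Source IKE/ESP from the loopback rather than the exit interface.
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 10.255.0.2
 set transform-set TS
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Serial0/0
 description primary circuit A0-B0 (constructed)
 ip address 172.16.0.1 255.255.255.252
 crypto map VPN
!
interface Serial0/1
 description shadow circuit A1-B1 (constructed)
 ip address 172.16.1.1 255.255.255.252
 crypto map VPN
!
! The loopback /32 must be reachable over either circuit, so advertise it
! to both BGP neighbours. Keeping the shadow circuit idle until the primary
! fails is then a matter of ordinary BGP path preference, not of IPsec.
router bgp 65001
 neighbor 172.16.0.2 remote-as 65002
 neighbor 172.16.1.2 remote-as 65002
 network 10.255.0.1 mask 255.255.255.255
!
! Caveat from the reply above: if NAT is configured on this router, the
! loopback approach was not supported at the time, and the peers would
! instead have to be the serial (outside) addresses, which brings back the
! A0-B0 / A1-B1 pairing and the need for routing-based tunnel failure detection.
```

Router B mirrors this with the loopback, peer and BGP addresses swapped; the same crypto map must be present on every interface through which the loopback-to-loopback traffic can leave.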