Cisco Router – Site to site configuration on a router with 2 BGP interfaces and 1 Loopback interface with External IP.

How to create a site-to-site VPN between a Cisco ASA and a Cisco IOS router that has 2 BGP interfaces and a loopback interface carrying the external IP.
A few days ago I had a problem: I had a VPN connection, but no traffic was going over it.

The diagram below shows how I built this solution and how it works. (The IP addresses in the diagram are not the real ones.)

I will explain the configuration on the Cisco 2951 router side, because the Cisco ASA VPN configuration is plain simple (like most site-to-site VPNs). The diagram shows both sides, to make the setup complete.

I start with the IKE (ISAKMP) phase 1 policy, the pre-shared key for the peer and the IPsec transform set. Note that 3DES, MD5 and DH group 2 are weak by today's standards and are deprecated by Cisco; on a current IOS release use AES, SHA-256 and DH group 14 or higher in the policy, and change the transform set to match (e.g. esp-aes 256 esp-sha256-hmac). The values below are shown as they were deployed. The isakmp key line is a global command, not part of the policy.

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <yourwonderfulkeytosuccess> address <ip address>
!
crypto ipsec transform-set transform-asp esp-3des esp-md5-hmac

The line crypto map vpn local-address Loopback100 tells IOS to use the loopback's address as the source address (and IKE identity) for the tunnel, because the external IP address is configured on a loopback interface and not on either BGP uplink. The remote peer therefore always sees the same address, no matter which of the two BGP links the packets actually leave through.

crypto map vpn local-address Loopback100
crypto map vpn 1 ipsec-isakmp
 set peer <ip address>
 set transform-set transform-asp
 match address 100
!
access-list 100 permit ip <internal ip> <wildcard> <remote location ip> <wildcard>


If you don't add access-list 100 (the crypto ACL referenced by match address 100) the configuration is incomplete: the crypto map entry has no definition of the interesting traffic, so it never matches anything and no tunnel is negotiated. Next comes the loopback interface; the ACL_ACCESS_IN and ACL_ACCESS_OUT access groups referenced here are not shown in this blog post.

interface Loopback100
 ip address <ip address> <subnet>
 ip access-group ACL_ACCESS_IN in
 ip access-group ACL_ACCESS_OUT out
 ip nat outside
 ip virtual-reassembly in
 crypto map vpn
!

The crypto map vpn also has to be applied on both BGP interfaces, otherwise the tunnel won't come up. The loopback only supplies the source address; the encrypted packets physically leave and arrive through the two BGP uplinks, and a crypto map only acts on traffic passing through the interface it is applied to, so it has to be on both of them or the tunnel breaks whenever BGP routes the peer via the other link.

interface GigabitEthernet0/1
 description *** BGP Link 1 to ISP ***
 ip address <ip address> <subnet>
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpn
!
interface GigabitEthernet0/2
 description *** BGP Link 2 to ISP ***
 ip address <ip address> <subnet>
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpn
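As an added example (not the post's own tooling or configuration), a small Python audit script that checks a running-config for the pitfalls walked through above: that the crypto map names the loopback as local-address, that the ACL behind match address is actually defined, that the crypto map is applied on every non-loopback interface marked ip nat outside, and that the ISAKMP policy and transform set do not rely on DES/3DES, MD5 or DH groups 1/2/5. SAMPLE_CONFIG is a constructed config in the post's layout, using RFC 5737 documentation addresses and a placeholder key; GigabitEthernet0/2 is deliberately left without the crypto map so the check has something to find. HARDENED_CONFIG is the same config with the fixes applied. The script only requires the crypto map on the physical uplinks, not on the loopback itself.

```python
"""Audit a Cisco IOS running-config for site-to-site VPN pitfalls: crypto map
local-address, existence of the crypto ACL, crypto map on every WAN interface,
and weak ISAKMP/ESP algorithms. Added example, not tooling from the post;
SAMPLE_CONFIG is constructed (RFC 5737 addresses, placeholder key)."""
import re

WEAK_ISAKMP = {"encr des": "DES", "encr 3des": "3DES", "hash md5": "MD5",
               "group 1": "DH group 1", "group 2": "DH group 2", "group 5": "DH group 5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}

# Constructed sample in the post's layout. GigabitEthernet0/2 deliberately lacks
# the crypto map: the mistake that leaves one BGP path without a working tunnel.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key s3cret-placeholder address 203.0.113.10
!
crypto ipsec transform-set transform-asp esp-3des esp-md5-hmac
!
crypto map vpn local-address Loopback100
crypto map vpn 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set transform-asp
 match address 100
!
access-list 100 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
interface Loopback100
 ip address 198.51.100.1 255.255.255.192
 ip nat outside
 crypto map vpn
!
interface GigabitEthernet0/1
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
 crypto map vpn
!
interface GigabitEthernet0/2
 ip address 192.0.2.6 255.255.255.252
 ip nat outside
!
"""

# Same config with AES-256/SHA-256/DH group 14 and the crypto map on both uplinks.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("encr 3des", "encr aes 256").replace("hash md5", "hash sha256")
                   .replace("group 2", "group 14")
                   .replace("esp-3des esp-md5-hmac", "esp-aes 256 esp-sha256-hmac")
                   .replace(" ip nat outside\n!\n", " ip nat outside\n crypto map vpn\n!\n"))


def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means clean."""
    maps, acls, interfaces, findings = {}, set(), {}, []
    for header, body in parse_blocks(config):
        if m := re.match(r"crypto map (\S+) local-address (\S+)$", header):
            maps.setdefault(m[1], {"local": None, "acls": []})["local"] = m[2]
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", header):
            entry = maps.setdefault(m[1], {"local": None, "acls": []})
            matched = [ln.split()[2] for ln in body if ln.startswith("match address ")]
            if not matched:
                findings.append(f"crypto map {m[1]}: '{header}' has no match address")
            entry["acls"] += matched
        elif m := re.match(r"(?:ip )?access-list (?:extended |standard )?(\S+)", header):
            acls.add(m[1])
        elif m := re.match(r"interface (\S+)$", header):
            interfaces[m[1]] = body
        elif m := re.match(r"crypto isakmp policy (\d+)$", header):
            findings += [f"isakmp policy {m[1]}: weak {WEAK_ISAKMP[ln]} ('{ln}')"
                         for ln in body if ln in WEAK_ISAKMP]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", header):
            findings += [f"transform-set {m[1]}: weak {t}" for t in m[2].split() if t in WEAK_ESP]
    # WAN interfaces: every non-loopback interface marked 'ip nat outside'
    wan = [i for i, b in interfaces.items()
           if "ip nat outside" in b and not i.lower().startswith("loopback")]
    for name, entry in maps.items():
        if entry["local"] is None:
            findings.append(f"crypto map {name}: no local-address, IKE sources from whichever uplink egresses")
        elif entry["local"] not in interfaces:
            findings.append(f"crypto map {name}: local-address {entry['local']} is not a configured interface")
        for acl in entry["acls"]:
            if acl not in acls:
                findings.append(f"crypto map {name}: match address {acl} but ACL {acl} is not defined")
        for i in wan:
            if f"crypto map {name}" not in interfaces[i]:
                findings.append(f"crypto map {name}: not applied on WAN interface {i}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["clean"]:
        print(line)
```

To audit a real router, paste the output of show running-config in place of SAMPLE_CONFIG (or read it from a file); the script needs Python 3.8 or newer. On the sample it reports the three weak ISAKMP settings, the two weak ESP transforms and the missing crypto map on GigabitEthernet0/2, and on HARDENED_CONFIG it reports nothing.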

6 thoughts on “Cisco Router – Site to site configuration on a router with 2 BGP interfaces and 1 Loopback interface with External IP.”

    • Thank you for the information. I can’t remember it well, but I think we tested without the crypto map on the loopback and it didn’t work, because in our configuration the normal external IP of the network is located on the loopback interface and not on one of the 2 BGP interfaces. Maybe I will have a possibility to test it again soon, before we create more VPN connections to this device with this configuration.

      • We used an independent address from our AS with a /32 mask on the loopback interface, and it works fine. The 2 WAN interfaces are connected to 2 ISPs with other public addresses.
        m.

      • Okay, nice to hear. So if I understand correctly, you have for example

        External ip address 1
        10.1.1.1/32

        external ip address 2
        10.1.1.2/32

        each on a different loopback interface? Or am I incorrect?

        I now have something like 10.1.1.1/26 on 1 loopback interface.

  1. I have recently configured the same scenario on my production router. I applied the crypto map on the outside interfaces and it’s working fine. I am sure there is no need to apply the crypto map on the loopback interface. However, your article is very helpful.
