I've spent two days figuring out how I can use the loopback interface as the tunnel endpoint. After lots of experiments, I could finally get it to work. However, I still don't completely understand how it works. I understand parts of the configuration, but other parts I could not understand. Here is the most important config for a loopback to function as a VPN tunnel endpoint, along with my humble technical explanation according to my understanding so far. I am not going to mention other config such as IKE/IPsec proposals, IPsec transform sets, the interesting-traffic ACL, etc., as you are already familiar with them. Please feel free to correct me if I am wrong.

Loopback interfaces are always up and reachable and are used, for example. A loopback can be generated inside the firewall and does not require a physical interface.

(The start of the loopback interface stanza is missing from the page; only its tail survives.)

 set type loopback
 set role lan
 set snmp-index 15
next
end

Tunnel Interface configuration.

config system interface
 edit 'VPN-BGP'
  set vdom 'root'
  set ip 10.20.16.4 255.255.255.255
  set allowaccess ping https http
  set type tunnel
  set remote-ip 10.20.16.1 255.255.255.255
  set role lan
  set snmp-index 4
  set interface 'wan1'
 next
end

Running debugs.

To accomplish this, the following command is important to instruct the router to treat the loopback address as the VPN endpoint. Without it, the router will think that the endpoint address is the physical interface, and the tunnel will never negotiate since the public IP is not defined on the physical interface. Again, the loopback is not a physical interface. Why do I say that? Because if you issue debug crypto ipsec, you will notice that the other peer will try to negotiate the tunnel with the 42.x.x.x on ethernet0.156 and it will tell you "invalid local address".

Apply the crypto map on both the loopback interface and the Ethernet sub-interface. Applying the map on both of them is crucial. Because the public IP is defined on the loopback interface, it must be our VPN endpoint. Since the loopback is a virtual interface, it cannot negotiate the tunnel. That is the job of the physical interface, which is the Ethernet in my case because it's the actual WAN interface. Why do I say that? Because if I remove the map from one of them, the tunnel won't negotiate.

ip route 192.168.0.0 255.255.248.0 Loopback99

We need to reach the remote protected subnet in order to virtually forward traffic through the Ethernet interface. In that case, the Ethernet interface uses the loopback as a gateway to reach the subnet in question. But if you really remove this command, the ping won't work.

Finally, you will have to exempt the protected traffic from NAT on the loopback.

The firewall policy is allowing traffic to and from the loopback interface. This problem does not occur if I'm using an in-band management IP on a normal interface instead of using management on a loopback interface. If possible, I'd like to solve this rather than rebuilding management.
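The explanation above boils down to four conditions on the router side (the loopback declared as the crypto map's local address, the map applied on both the loopback and the physical WAN interface, a static route to the protected subnet via the loopback, and the protected traffic exempted from NAT) and a symptom for each one that is missing. The following Python script is an added example, not part of the original post and not the author's configuration: it lints a Cisco IOS-style running-config for those conditions and maps each failure to the symptom described. The sample config is constructed: its addresses are RFC 5737 documentation ranges, the names VPNMAP, NONAT and Ethernet1 are hypothetical, and the line `crypto map VPNMAP local-address Loopback99` is standard IOS syntax that I assume is the "following command" the post leaves out. Loopback99, ethernet0.156 and 192.168.0.0/21 mirror the post; the FortiGate stanzas above are not modelled.

```python
# Added example (not the post's own config): lint an IOS-style running-config
# for the loopback-endpoint conditions the post lists. SAMPLE_CONFIG is
# constructed; addresses are RFC 5737 ranges, VPNMAP/NONAT/Ethernet1 are
# hypothetical names, and the local-address line is my assumption.
import re
from typing import Dict, List

SAMPLE_CONFIG = """
crypto map VPNMAP local-address Loopback99
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.7
 match address VPN-TRAFFIC
!
interface Loopback99
 ip address 203.0.113.42 255.255.255.255
 crypto map VPNMAP
!
interface Ethernet0.156
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
 crypto map VPNMAP
!
interface Ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
ip route 192.168.0.0 255.255.248.0 Loopback99
ip nat inside source list NONAT interface Ethernet0.156 overload
!
ip access-list extended NONAT
 deny ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.7.255
 permit ip 10.1.1.0 0.0.0.255 any
"""

# Symptom the post describes for each missing piece of the setup.
SYMPTOMS = {
    "local_address_is_loopback": "peer negotiates with the physical address; debug crypto ipsec says invalid local address",
    "map_on_loopback": "crypto map missing on the loopback; tunnel will not negotiate",
    "map_on_physical": "crypto map missing on the WAN interface; tunnel will not negotiate",
    "route_via_loopback": "no route to the protected subnet via the loopback; ping fails",
    "protected_traffic_exempt_from_nat": "protected traffic is still NATed; deny it in the NAT ACL",
}


def parse_interfaces(cfg: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in cfg.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level line ('!', 'ip route', ...) ends the stanza
    return stanzas


def acl_entries(cfg: str, name: str) -> List[str]:
    """Return the entries of the named extended ACL, in order."""
    entries: List[str] = []
    inside = False
    for raw in cfg.splitlines():
        if raw.startswith("ip access-list "):
            inside = raw.split()[-1] == name
        elif inside and raw.startswith(" "):
            entries.append(raw.strip())
        elif raw.strip():
            inside = False
    return entries


def check_loopback_endpoint(cfg: str, loopback: str, physical: str,
                            net: str, mask: str) -> Dict[str, bool]:
    """One boolean per condition from the post, for the given loopback/WAN pair."""
    stanzas = parse_interfaces(cfg)
    applied = {name: [l.split()[2] for l in lines if l.startswith("crypto map ")]
               for name, lines in stanzas.items()}
    local = re.search(r"^crypto map (\S+) local-address (\S+)\s*$", cfg, re.M)
    # Map name from the local-address line, else from whatever is bound to an interface.
    map_name = local.group(1) if local else next(
        (m for maps in applied.values() for m in maps), None)
    wildcard = ".".join(str(255 - int(o)) for o in mask.split("."))
    nat = re.search(r"^ip nat inside source list (\S+)", cfg, re.M)
    exempt = False
    if nat:
        for entry in acl_entries(cfg, nat.group(1)):
            if f"{net} {wildcard}" in entry:  # first entry touching the protected net decides
                exempt = entry.startswith("deny ")
                break
    return {
        "local_address_is_loopback": bool(local) and local.group(2) == loopback,
        "map_on_loopback": map_name is not None and map_name in applied.get(loopback, []),
        "map_on_physical": map_name is not None and map_name in applied.get(physical, []),
        "route_via_loopback": re.search(
            rf"^ip route {re.escape(net)} {re.escape(mask)} {re.escape(loopback)}\s*$",
            cfg, re.M) is not None,
        "protected_traffic_exempt_from_nat": exempt,
    }


def explain(results: Dict[str, bool]) -> List[str]:
    """Translate failed checks into the symptoms the post describes."""
    return [SYMPTOMS[k] for k, ok in results.items() if not ok]


if __name__ == "__main__":
    broken = SAMPLE_CONFIG.replace("crypto map VPNMAP local-address Loopback99\n", "")
    for label, cfg in (("complete", SAMPLE_CONFIG), ("no local-address", broken)):
        res = check_loopback_endpoint(cfg, "Loopback99", "Ethernet0.156", "192.168.0.0", "255.255.248.0")
        print(label, "OK" if all(res.values()) else explain(res))
```

Run as-is, the script reports the complete sample as OK and, with the local-address line deleted, reports only the first symptom from the post (the peer negotiating with the physical interface address). It is a static lint of the running-config, not a replacement for debug crypto ipsec on the box, and it does not verify the crypto ACL or the peer side.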