Cisco Router – Site to site configuration on a router with 2 BGP interfaces and 1 Loopback interface with External IP.

How to create a site-to-site VPN between a Cisco ASA and a Cisco IOS router that has two BGP interfaces and a loopback interface carrying the external IP.
A few days ago I ran into a problem: I had a VPN connection, but no traffic was going over it.
The diagram below shows how I built this solution and how it works. (The IP addresses in the diagram are not the ones actually in use.)

I will explain the configuration on the Cisco 2951 router side, because the Cisco ASA VPN configuration is straightforward (like most site-to-site VPNs). The diagram shows both sides, to make the setup complete.
I start with the VPN configuration: the ISAKMP policy (IKEv1 phase 1) and the IPsec transform set (phase 2). Note that the 3DES, MD5 and DH group 2 settings shown here are legacy; they are deprecated by Cisco, newer IOS releases print a warning when you configure them, and the current recommendation is AES-256, SHA-256 and DH group 14 or higher. Whatever you choose must match the policy on the ASA side.

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <yourwonderfulkeytosuccess> address <ip address>
!
crypto ipsec transform-set transform-asp esp-3des esp-md5-hmac

The line "crypto map vpn local-address Loopback100" tells the router to source the IKE and IPsec sessions from the loopback interface, which is where the external IP address is configured. That way the ASA always sees the same peer address, no matter which of the two BGP links the packets actually leave on.

crypto map vpn local-address Loopback100
crypto map vpn 1 ipsec-isakmp
 set peer <ip address>
 set transform-set transform-asp
 match address 100
!
access-list 100 permit ip <internal ip> <wildcard> <remote location ip> <wildcard>


If you don't add access-list 100 (the crypto ACL that defines the interesting traffic), the crypto map entry is incomplete and the router will not use it. The ACL must be the exact mirror of the crypto ACL on the ASA, otherwise phase 2 fails with a proxy identity mismatch. Next is the loopback interface (the access-group ACLs referenced here are not shown in this blog post).

interface Loopback100
 ip address <ip address> <subnet>
 ip access-group ACL_ACCESS_IN in
 ip access-group ACL_ACCESS_OUT out
 ip nat outside
 ip virtual-reassembly in
 crypto map vpn
!

The crypto map vpn also needs to be applied to both BGP interfaces, otherwise the tunnel won't come up: although the sessions are sourced from the loopback address, the IKE and ESP packets enter and leave the router on whichever physical link BGP selects at that moment, and the crypto map has to be present there. After applying it, check phase 1 with "show crypto isakmp sa" (state QM_IDLE) and phase 2 counters with "show crypto ipsec sa".

interface GigabitEthernet0/1
 description *** BGP Link 1 to ISP ***
 ip address <ip address> <subnet>
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpn
!
interface GigabitEthernet0/2
 description *** BGP Link 2 to ISP ***
 ip address <ip address> <subnet>
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpn
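
Here is the whole assembly in one place, as an added example that is not the configuration from this post. It keeps the post's structure (crypto map sourced from Loopback100 and applied on the loopback and both BGP links) but replaces the legacy proposals with AES-256, SHA-256 and DH group 14, uses named ACLs instead of access-list 100, and adds the NAT exemption that the comments below touch on: IOS runs inside-to-outside NAT before the crypto map check, so traffic that gets translated never matches the crypto ACL and silently bypasses the tunnel. All addresses, the peer, the pre-shared key, the policy numbers, the LAN interface and the ACL names VPN-TRAFFIC and NAT-INSIDE are placeholders I chose for the example; the existing PAT configuration is assumed and must be adapted to yours.

```cisco
! --- IKEv1 phase 1: replaces encr 3des / hash md5 / group 2 ---
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key <strong-psk> address 203.0.113.10
!
! --- IPsec phase 2 proposal (must match the ASA transform set) ---
crypto ipsec transform-set TS-ASA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- crypto ACL: interesting traffic, exact mirror of the ASA crypto ACL ---
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! --- NAT exemption (assumed existing PAT to the loopback address):
!     the deny must come before the permit, otherwise VPN traffic is
!     translated first and never matches VPN-TRAFFIC ---
ip access-list extended NAT-INSIDE
 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list NAT-INSIDE interface Loopback100 overload
!
! --- crypto map sourced from the loopback, as in the post ---
crypto map VPN local-address Loopback100
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-ASA
 set pfs group14
 match address VPN-TRAFFIC
!
interface Loopback100
 description external IP used as VPN and NAT source (assumed /32)
 ip address 198.51.100.1 255.255.255.255
 ip nat outside
 crypto map VPN
!
interface GigabitEthernet0/1
 description BGP link 1 to ISP
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
 crypto map VPN
!
interface GigabitEthernet0/2
 description BGP link 2 to ISP
 ip address 192.0.2.6 255.255.255.252
 ip nat outside
 crypto map VPN
!
interface GigabitEthernet0/0
 description LAN (assumed)
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
! --- verification after a ping from 10.10.1.x to 10.20.x.x ---
! show crypto isakmp sa                        -> QM_IDLE for 203.0.113.10
! show crypto ipsec sa peer 203.0.113.10 | include pkts
!                                              -> encaps/decaps counters increasing
! show ip nat translations | include 10.20.    -> must return nothing
```

The last verification line is the quick check for the symptom described at the top of the post: if "show ip nat translations" shows entries towards the remote LAN, the NAT exemption is missing or ordered after the permit, and the traffic is being translated instead of encrypted.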

8 thoughts on “Cisco Router – Site to site configuration on a router with 2 BGP interfaces and 1 Loopback interface with External IP.”

    1. Thank you for the information. I can't remember it well, but I think we tested without the crypto map on the loopback and it didn't work, because in our configuration the normal external IP is located on the loopback interface and not on one of the 2 BGP interfaces. Maybe I'll have a chance to test it again soon, before we create more VPN connections to this device with this configuration.

      1. Michal Gurbski

        We used an independent address from our AS with a /32 mask on the loopback interface, and it works fine. The 2 WAN interfaces are connected to 2 ISPs with other public addresses.
        m.

        1. Okay, nice to hear. So if I understand correctly, you have for example:
          External IP address 1
          10.1.1.1/32
          External IP address 2
          10.1.1.2/32
          each on a different loopback interface? Or am I incorrect?
          I currently have something like 10.1.1.1/26 on 1 loopback interface.

  1. Sajid Pathan

    I have recently configured the same scenario on my production router. I applied the crypto map on the outside interfaces and it's working fine. I am sure there is no need to apply the crypto map on the loopback interface. However, your article is very helpful.

  2. Hi, we have the same kind of configuration in our network environment, with the crypto map on 2 WAN and 1 loopback interface. But now we have realized that the tunnel is not passing port 80 and SMTP traffic. Can somebody help me with that? Thanks in advance.

    1. You need to add an additional exclusion ACL to the port forwarder to block the VPN traffic; that will help the HTTP and SMTP traffic pass through.
