IOS<->3000 Backup VPN not working?

Unanswered Question
May 15th, 2007

I'm trying to create a VPN tunnel from an IOS router to 2 different 3000 concentrators. The 1st VPN works great, but the 2nd says its VPN is built, but no traffic is traversing the tunnel when I kill the primary tunnel. I have a feeling it's some routing error somewhere or I need to assign admin distances to the router for floating default routes. My next question is, is this even possible to have 2 tunnels into a network without creating loops of some kind...? FYI: these VPN3000 boxes are not on the same network, and actually in different countries. Please check out the attached config.

!
hostname prague1811
!
ip cef
!
no ip domain lookup
ip domain name xxxxxxx.com
ip ssh version 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key !!@@##xxxxxx!!@@## address xx.xx.130.25 <MainVPN3000>
crypto isakmp key !!@@##xxxxxx!!@@## address xx.xx.27.254 <BackupVPN3000>
!
crypto ipsec transform-set ptvset esp-3des esp-md5-hmac
!
crypto map ptvmap 1 ipsec-isakmp
 set peer xx.xx.130.25 <MainVPN3000>
 set peer xx.xx.27.254 <BackupVPN3000>
 set security-association lifetime seconds 86400
 set transform-set ptvset
 match address 110
!
interface FastEthernet0
 description [ Outside Interface ]
 ip address xx.xx.70.129 255.255.255.248
 ip access-group XXXX_WAN_Ingress in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map ptvmap
!
interface FastEthernet1
 description [ Internal Interface ]
 ip address 10.100.52.1 255.255.255.0
 ip access-group XXXX_LAN_Ingress in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
ip route 0.0.0.0 0.0.0.0 xx.xx.70.134
ip route 10.0.0.0 255.0.0.0 xx.xx.70.134
ip route 10.0.0.0 255.255.0.0 xx.xx.70.134
ip route 10.71.0.0 255.255.0.0 xx.xx.70.134
ip route 10.72.0.0 255.255.0.0 xx.xx.70.134
ip route 10.95.1.0 255.255.255.0 xx.xx.70.134
ip route 10.95.10.0 255.255.255.0 xx.xx.70.134
ip route 10.95.11.0 255.255.255.0 xx.xx.70.134
ip route 10.95.12.0 255.255.255.0 xx.xx.70.134
ip route 10.95.13.0 255.255.255.0 xx.xx.70.134
ip route 10.95.14.0 255.255.255.0 xx.xx.70.134
ip route 10.96.2.0 255.255.255.0 xx.xx.70.134
ip route 10.96.4.0 255.255.252.0 xx.xx.70.134
ip route 10.97.4.0 255.255.255.0 xx.xx.70.134
ip route 10.98.16.0 255.255.255.0 xx.xx.70.134
!
ip nat inside source list 100 interface FastEthernet0 overload
ip nat inside source static tcp 10.100.52.253 26 interface FastEthernet0 25
!
ip access-list extended XXXX_LAN_Ingress
 permit ip 10.100.52.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.100.52.0 0.0.0.255 206.198.0.0 0.0.255.255
 permit ip 10.100.52.0 0.0.0.255 host 207.230.27.135
 permit tcp host 10.100.52.253 any eq smtp
 permit ip host 10.100.52.253 any
 deny ip any any
ip access-list extended XXXX_WAN_Ingress
 permit icmp any host xx.xx.70.129 echo
 permit icmp any host xx.xx.70.129 echo-reply
 permit icmp any host xx.xx.70.129 host-unreachable
 permit ip host <mainVPN3000> host <This router>
 permit ip host <BackupVPN3000> host <This router>
 permit tcp any any established
 deny ip any any log
!
access-list 100 remark [ ACL for NAT VPN traversal ]
access-list 100 deny ip 10.100.52.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.100.52.0 0.0.0.255 any
access-list 110 remark [ ACL to define VPN interesting traffic ]
access-list 110 permit ip 10.100.52.0 0.0.0.255 10.0.0.0 0.255.255.255

prague1811#sh cry
prague1811#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst            src              state    conn-id  slot  status
xx.xx.70.129   <MainVPN3000>    QM_IDLE  2090     0     ACTIVE
xx.xx.70.129   <BackupVPN3000>  QM_IDLE  whatever       ACTIVE

IPv6 Crypto ISAKMP SA

Chris Serafin

Security Engineer

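As an added example (not the poster's config and not anything from Cisco), a small Python checker that parses an IOS-style config in the shape posted above and verifies two things a two-peer crypto map depends on: every `set peer` has a matching `crypto isakmp key`, and every flow the crypto ACL protects is also denied in the NAT ACL so it is not translated before the crypto map sees it. The embedded sample config is constructed, with RFC 5737 documentation addresses in place of the redacted peers and the backup peer's key deliberately omitted so the check has something to report.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the posted config (documentation addresses
# from RFC 5737 stand in for the redacted peers). Unlike the posted config,
# the second peer's pre-shared key is deliberately left out to trigger a finding.
SAMPLE_CONFIG = """
crypto isakmp key SECRET-MAIN address 192.0.2.25
crypto map ptvmap 1 ipsec-isakmp
 set peer 192.0.2.25
 set peer 198.51.100.254
 set transform-set ptvset
 match address 110
access-list 100 deny ip 10.100.52.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.100.52.0 0.0.0.255 any
access-list 110 permit ip 10.100.52.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

def parse_config(text: str) -> dict:
    keyed: Set[str] = set()          # peers that have an ISAKMP pre-shared key
    peers: List[str] = []            # 'set peer' entries, in failover order
    crypto_acl = None                # ACL named by 'match address'
    acls: Dict[str, List[Tuple[str, str]]] = {}  # numbered ACLs: (action, flow)
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            keyed.add(m.group(1))
        elif m := re.match(r"set peer (\S+)", line):
            peers.append(m.group(1))
        elif m := re.match(r"match address (\S+)", line):
            crypto_acl = m.group(1)
        elif m := re.match(r"access-list (\S+) (permit|deny) ip (.+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return {"keyed": keyed, "peers": peers, "crypto_acl": crypto_acl, "acls": acls}

def lint(text: str, nat_acl: str = "100") -> List[str]:
    cfg = parse_config(text)
    findings: List[str] = []
    # Every backup peer needs its own key, or IKE to that peer never completes.
    for peer in cfg["peers"]:
        if peer not in cfg["keyed"]:
            findings.append(f"peer {peer} has no 'crypto isakmp key ... address {peer}'")
    # Each flow the crypto ACL protects must also be denied in the NAT ACL,
    # otherwise it is translated first and never matches the crypto map.
    interesting = {flow for act, flow in cfg["acls"].get(cfg["crypto_acl"], []) if act == "permit"}
    nat_exempt = {flow for act, flow in cfg["acls"].get(nat_acl, []) if act == "deny"}
    for flow in sorted(interesting - nat_exempt):
        findings.append(f"VPN flow '{flow}' is not exempted from NAT in ACL {nat_acl}")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see the missing-key finding; an empty list means both checks pass.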
ggilbert Thu, 05/17/2007 - 09:46

Chris,

Here are my questions.

Question 1:

Are you trying to accomplish the scenario if the first concentrator fails then it has to go to the second one?

Question 2:

Are the internal networks on the concentrator the same?

Please look at the URL given below; it might help your scenario.

http://cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad6.html#wp1058608

Let me know.

Thanks

Gilbert
