VPN on secondary IP

Answered Question
Mar 12th, 2008

We are trying to build a VPN tunnel through a Cisco router. The peer IP is from the IP range that is configured as secondary on the router. Is this possible?

rtr1--rtr2---internet

We have created a VPN on rtr1 and the peer IP is a part of the secondary IP configured on the rtr2

Richard Burts Wed, 03/12/2008 - 12:50

Sai

I have not tested this and I do not know for certain. But I doubt that it will work to have a VPN session where the peer address is a secondary address on a router. In my experience when a router builds a packet from an interface which has a primary and a secondary address the router will use the primary address as the source address of the packet. For your VPN to work the router would need to use the secondary address as the source and I doubt that the router will do this.

Would it be possible to change the VPN and use the router primary address as the peer address? Or would it be possible to reconfigure the router interface and make the current secondary address into the primary address?

HTH

Rick

saimbt Wed, 03/12/2008 - 12:53

Hi Rick,

Let me rephrase my question.

rtr1--rtr2--internet

eth on rtr1 is 1.1.1.1

eth on rtr2 is 1.1.1.2 sec

i build the VPN tunnel from 1.1.1.1

will this work?

Richard Burts Wed, 03/12/2008 - 13:13

Sai

I did not understand your diagram before and do not quite understand it here. Does it really show rtr1 is connected to rtr2 and rtr2 is connected to the Internet? Is there really to be a VPN between rtr1 and rtr2?

If the VPN will terminate on rtr2 on an interface and try to use a secondary address on that interface to terminate the VPN I do not believe that it will work.

I am also puzzled how 1.1.1.1 would be primary on rtr1 and 1.1.1.2 would be secondary on rtr2. What is primary on rtr2? It is an accepted best practice with secondary addressing that all routers on the segment/subnet should use the same subnet for the primary address.

Perhaps you can help me understand this better?

HTH

Rick

saimbt Wed, 03/12/2008 - 13:18

Rick,

There is no VPN between rtr1 and rtr2. The VPN is from rtr1 over the internet to the client location.

The primary IP on rtr2 is 2.2.2.2 and 1.1.1.2 is secondary.

Correct Answer
Richard Burts Wed, 03/12/2008 - 13:40

Sai

Thanks for helping me to understand the situation better. If the VPN will be between a client somewhere in the Internet and rtr1 using 1.1.1.1 as the VPN peer address, and 1.1.1.1 on rtr1 is the primary interface address, then the VPN should work ok (assuming that 1.1.1.1 is reachable from where the client is located).

I am still puzzled about a situation where rtr1 is connected to rtr2 and on that connecting link rtr1 uses 1.1.1.x as primary and rtr2 uses 1.1.1.x as secondary and uses 2.2.2.x as primary. I have seen situations where this kind of thing has caused problems - for example EIGRP and OSPF will not form neighbor relationships where this kind of mismatch exists. But the mismatch by itself will not impact the VPN. The VPN will not use 1.1.1.2 and will not care whether it is a secondary address.

HTH

Rick
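
As an added example (not code from the thread or from Cisco), a small Python audit of the pattern Rick describes: it parses the interface blocks of two constructed IOS-style configs, checks whether a VPN peer address is the primary address of an interface that has a crypto map applied, and flags the primary-subnet mismatch between rtr1 and rtr2 that he notes can break EIGRP/OSPF adjacencies. The interface names, the crypto map name and the configs themselves are constructed for illustration; the addresses mirror the 1.1.1.x / 2.2.2.x example used in the discussion.

```python
import ipaddress
import re

# Constructed sample configs (not from the thread); interface and crypto map names are assumptions.
RTR1 = """
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map VPN
"""
RTR2 = """
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 ip address 1.1.1.2 255.255.255.0 secondary
"""


def parse_interfaces(config):
    """Return {ifname: {"primary": IPv4Interface|None, "secondary": [IPv4Interface], "crypto_map": bool}}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"primary": None, "secondary": [], "crypto_map": False})
            continue
        if cur is None:
            continue
        m = re.match(r"^\s+ip address (\S+) (\S+)( secondary)?", line)
        if m:
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            (cur["secondary"].append(addr) if m.group(3) else cur.update(primary=addr))
        elif re.match(r"^\s+crypto map \S+", line):
            cur["crypto_map"] = True
    return ifaces


def check_vpn_peer(config, peer_ip):
    """Is peer_ip a primary address on an interface carrying a crypto map? Returns (ok, reason)."""
    peer = ipaddress.IPv4Address(peer_ip)
    for name, i in parse_interfaces(config).items():
        if i["primary"] is not None and i["primary"].ip == peer:
            note = "" if i["crypto_map"] else " but no crypto map is applied there"
            return (i["crypto_map"], f"{peer} is primary on {name}{note}")
        if any(s.ip == peer for s in i["secondary"]):
            # Per the thread: the router sources packets from the primary, so a secondary peer is suspect.
            return (False, f"{peer} is a secondary address on {name}; router sources from the primary")
    return (False, f"{peer} is not configured on any interface")


def primary_subnet_mismatch(cfg_a, if_a, cfg_b, if_b):
    """True when the two ends of a link use different primary subnets (the EIGRP/OSPF neighbor problem)."""
    pa = parse_interfaces(cfg_a)[if_a]["primary"]
    pb = parse_interfaces(cfg_b)[if_b]["primary"]
    return pa.network != pb.network
```

Run against the two constructed configs, the check passes for 1.1.1.1 on rtr1, fails for 1.1.1.2 on rtr2, and reports the primary-subnet mismatch on the rtr1-rtr2 link.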

saimbt Wed, 03/12/2008 - 13:45

Thanks for the clarification. Will configure and get back to you.

saimbt Wed, 03/12/2008 - 14:40

It worked. It was some routing issue and it got resolved.

Thanks a ton.

Richard Burts Thu, 03/13/2008 - 05:33

Sai

Thank you for posting back that you have resolved the issue. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read a solution to the problem.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick
