Outbound VPN 2 ISP - No Bgp - Multihome - Failover

www.itnetcr
Level 1

Hello Experts,

I have read and read and read...so I appreciate any help. I would like to configure outbound VPN with 2 ISP's since a new HWIC was installed on my 1841.

BGP is not an option because the internet links don't talk to each other.

I understand that this can be accomplished with ip sla and object tracking, but I don't know if I need some tweaking with the VPN traffic so that it can failover, or if this config will actually work.

Would like your input as it is on a live environment and I can't test on a lab.

My requirements are as follows:

1- I only need 1 host computer (172.16.4.20) to exit thru the second (Antena_NEW_Gateway) interface FA0/1/0 via VPN with gateway 192.168.51.1, and to failover to the "original" default gateway (the rest of the network is using it) in case it fails.

2- All my other VPN network traffic remains the same exiting thru my original default gateway (190.11.1.1)

Interfaces are as follows:

interface FastEthernet0/0
 description OUTSIDE
 ip address dhcp client-id FastEthernet0/0
 crypto map 3desmap
!
interface FastEthernet0/1
 description inside
 ip address 172.16.4.60 255.255.255.0
!
interface FastEthernet0/1/0
 description ANTENA_NEW_Gateway
 ip address 192.168.51.2 255.255.255.0
 crypto map acts1
 ip policy route-map acts

Please let me know if I'm missing something. I created a different crypto map for the 2nd interface, I'm using the same transform-set and interesting traffic acl from before.

interface FastEthernet0/1/0
 description ANTENA_NEW_Gateway
 ip address 192.168.51.2 255.255.255.0
 crypto map acts1
 ip policy route-map acts
!
ip route 0.0.0.0 0.0.0.0 190.11.1.1
! host route for 172.16.4.20 via the new gateway, withdrawn when track 123 goes down
ip route 172.16.4.20 255.255.255.255 192.168.51.1 track 123
! floating backup (admin distance 254) via the original default gateway
ip route 172.16.4.20 255.255.255.255 190.11.1.1 254
!
ip sla 1
 icmp-echo 192.168.51.1
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
!
track 123 rtr 1 reachability
!
access-list 101 permit icmp any host 192.168.51.1 echo
!
route-map acts permit 10
 match ip address 101
 set interface FastEthernet0/1/0 Null0

I'm also attaching my configuration.

Accepted Solution

Marwan ALshawi
VIP Alumni

the route map should look like

route-map acts1 permit 10
 match ip address 1
 set ip next-hop 192.168.51.1
!
route-map acts1 permit 20
 set ip next-hop 190.11.1.1
!
access-list 1 permit host 172.16.4.20

then apply it to the source interface, which in your case is interface FastEthernet0/1

interface FastEthernet0/1
 ip policy route-map acts1

remove the old route map from the outside interface!!

good luck

if helpful Rate
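Putting the pieces of this thread together, here is an added example of the whole failover configuration for the single host. It is not the configuration from the question or from the accepted answer; it combines the IP SLA probe and track object from the question with PBR on the inside interface as the answer describes, and adds `verify-availability ... track 123` on the next-hop so the host is steered to 192.168.51.1 only while the probe succeeds and otherwise falls back to the normal default route (190.11.1.1) without any extra static host routes. The `source-interface` on the probe, the track `delay` values and the verification commands at the end are assumptions added here, not taken from the thread.

```cisco
! Added example, not the thread's own config.
! Probe the second ISP gateway every 3 seconds (timeout/frequency from the question).
! source-interface is an assumption: it pins the probe to the new WAN link.
ip sla 1
 icmp-echo 192.168.51.1 source-interface FastEthernet0/1/0
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
!
! Track object 123 follows the probe's reachability.
! (Older IOS keyword "rtr", as in the question; newer IOS uses "track 123 ip sla 1 reachability".)
! The delay values are an assumption added to damp flapping on a lossy link.
track 123 rtr 1 reachability
 delay down 10 up 30
!
! Only the one host is policy-routed.
access-list 1 permit host 172.16.4.20
!
! Sequence 10: send the host to the new gateway, but only while track 123 is up.
! When the track is down the set is skipped and the packet follows the routing
! table, i.e. the existing default route via 190.11.1.1.
route-map acts1 permit 10
 match ip address 1
 set ip next-hop verify-availability 192.168.51.1 10 track 123
!
! PBR acts on ingress traffic, so it is applied on the inside (LAN) interface,
! not on the outbound interface.
interface FastEthernet0/1
 ip policy route-map acts1
!
! Once the host's packets egress FastEthernet0/1/0 the crypto map there
! encrypts anything matching the shared interesting-traffic ACL.
interface FastEthernet0/1/0
 crypto map acts1
!
! Verification (assumed operator commands, run after applying):
!   show ip sla statistics 1     - probe success/failure counts
!   show track 123               - current state and last change
!   show route-map acts1         - policy-routed packet counter
```

Checking `show track 123` and the route-map counters after pulling the new link is the simplest way to confirm the failover actually happened rather than the host's traffic silently blackholing.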


Thank you marwanshawi,

I will test it hopefully in the next couple of days. (By the way, you are a genius!!)

you make it look very easy.

Just to confirm,

1- I remove the route-map from the outside interface, apply the new route map to the inside interface, and leave the rest of the config as is, correct?

2- I also assume that the static routing is ok and hopefully vpn will function????

ip route 0.0.0.0 0.0.0.0 190.11.1.1
ip route 172.16.4.20 255.255.255.255 192.168.51.1 track 123
ip route 172.16.4.20 255.255.255.255 190.11.1.1 254

Appreciate your help and time. I will definitely rate this post after testing!! :-)