11-02-2008 03:38 PM - edited 02-21-2020 04:01 PM
I am struggling with configuring a Cisco 1841 to have dual or backup tunnels to two separate ASAs on our corporate network. There is a lot of great doco on DMVPN with routers as hub, but is DMVPN the best way to configure this router and the others to follow? I have no issues creating a single normal tunnel to either ASA; when I try to get a tunnel to each I have issues.
Last attempt of DMVPN config on 1841
crypto keyring Test
pre-shared-key address #.#.#.# key Test!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp profile L2L
description LAN-to-LAN for spoke router(s) connection
keyring Test
match identity address #.#.#.# 255.255.255.255
!
!
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set security-association lifetime seconds 28800
set transform-set ESP-3DES
set pfs group2
set isakmp-profile L2L
match address VPN-ACCESS-LIST-100
!
!
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
11-07-2008 07:24 AM
DMVPN is also a good choice, as you have mentioned. The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). It is possible to configure separate tunnels to 2 different ASAs from a router.
11-07-2008 08:16 PM
I got both tunnels working but I would like to be able to control routing better. Is there a good way to have all routing go over a single tunnel in case of a failure? With the below config I can get all 10.160.0.0 and 10.40.0.0 routing over the one tunnel and 10.41.0.0 over the other tunnel, but if I simulate a tunnel outage I can't get traffic to go to the other tunnel. If I add 10.0.0.0 to each access list then both tunnels don't work. I think I have to do the access-list differently. The only way I know how to add routing is if I do tunnel interfaces, and I have only done that with router-to-router tunnels. Is there a way to do that on a router-to-ASA configuration?
crypto keyring VGC_PTC
pre-shared-key address ##.##.##.15 key VGC@Test_1
crypto keyring VGC_Tulsa
pre-shared-key address ##.##.##.25 key VGC$Test_2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp profile L2L_Dallas
description LAN-To-LAN for PTC Connection
keyring VGC_PTC
match identity address ##.##.##.15 255.255.255.255
crypto isakmp profile L2L_Tulsa
description LAN-To-LAN for Tulsa Connection
keyring VGC_Tulsa
match identity address ##.##.##.25 255.255.255.255
!
!
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set security-association lifetime seconds 28800
set transform-set ESP-3DES
set isakmp-profile L2L_Dallas
match address VPN-ACCESS-LIST-100
crypto dynamic-map dynmap 20
set security-association lifetime seconds 28800
set transform-set ESP-3DES
set isakmp-profile L2L_Tulsa
match address VPN-ACCESS-LIST-200
!
!
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
ip access-list extended VPN-ACCESS-LIST-100
permit ip 10.207.126.0 0.0.0.255 10.160.0.0 0.0.255.255
permit ip 10.207.126.0 0.0.0.255 10.40.0.0 0.0.255.255
ip access-list extended VPN-ACCESS-LIST-200
permit ip 10.207.126.0 0.0.0.255 10.41.0.0 0.0.255.255
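Added example (not from the thread or from Cisco): a small checker that parses the two crypto ACLs above and reports entries whose source and destination both overlap across the two dynamic-map entries. Two crypto ACLs that select the same flow is the situation described when 10.0.0.0 is added to both lists: the router can only bind that traffic to one peer, so the second tunnel is never a usable fallback. The config text is copied from the post; the 10.0.0.0 catch-all line is a constructed variant. Only the `permit ip net wildcard net wildcard` form used in the post is handled.

```python
import ipaddress
import re
from itertools import product

# Sample input: the two crypto ACLs exactly as posted (IOS named-ACL syntax).
ACL_CONFIG = """
ip access-list extended VPN-ACCESS-LIST-100
 permit ip 10.207.126.0 0.0.0.255 10.160.0.0 0.0.255.255
 permit ip 10.207.126.0 0.0.0.255 10.40.0.0 0.0.255.255
ip access-list extended VPN-ACCESS-LIST-200
 permit ip 10.207.126.0 0.0.0.255 10.41.0.0 0.0.255.255
"""

# Constructed variant: the 10.0.0.0/8 catch-all added to BOTH lists, as in the post.
CATCHALL = " permit ip 10.207.126.0 0.0.0.255 10.0.0.0 0.255.255.255\n"
ACL_WITH_CATCHALL = ACL_CONFIG.replace(
    "ip access-list extended VPN-ACCESS-LIST-200\n",
    CATCHALL + "ip access-list extended VPN-ACCESS-LIST-200\n") + CATCHALL

ACE_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_crypto_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries.
    IOS wildcard masks are inverted netmasks; ipaddress accepts them as host masks."""
    acls, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("ip access-list extended "):
            current = line.split()[-1]
            acls[current] = []
        elif current and (m := ACE_RE.match(line)):
            src = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            dst = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            acls[current].append((src, dst))
    return acls

def find_overlaps(acls):
    """List (acl_a, entry_a, acl_b, entry_b) for entries in different ACLs
    whose source AND destination ranges overlap. Any such pair means one
    flow is claimed by two IPsec peers, so failover by ACL alone cannot work."""
    overlaps, names = [], list(acls)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for (s1, d1), (s2, d2) in product(acls[a], acls[b]):
                if s1.overlaps(s2) and d1.overlaps(d2):
                    overlaps.append((a, f"{s1}->{d1}", b, f"{s2}->{d2}"))
    return overlaps

if __name__ == "__main__":
    for label, cfg in (("as posted", ACL_CONFIG), ("with catch-all", ACL_WITH_CATCHALL)):
        hits = find_overlaps(parse_crypto_acls(cfg))
        print(f"{label}: {len(hits)} overlapping pair(s)")
        for hit in hits:
            print("  ", hit)
```

The posted lists report no overlaps; the variant with 10.0.0.0 in both lists reports four, which is why both tunnels broke rather than one taking over.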