397 Views | 0 Helpful | 4 Replies

Can 2 IPSec profiles attach to a WAN interface crypto-map?

ksvy_ksvy (Level 1)

Using IOS Firewall on a 2811, management wants to have VPN peer redundancy on the remote-office 2811 to two different regional 3030 concentrators. The remote 2811 has a current VPN LAN-to-LAN with one of the 3030s. There will be two separate Ethernet LAN connections and one Ethernet WAN connection to the ISP edge router. The question is how one would configure the 2811 to support two different VPN peers, with one LAN going to one VPN peer and the other LAN going to the other VPN peer.

1 Accepted Solution: Jon Marshall's second reply, below.

4 Replies

Jon Marshall (Hall of Fame)

Kevin

If I understand correctly, you have 2 LANs behind your 2811 and you want one to go to one peer and one to go to the other?

If so then you just have multiple entries in your crypto map on the 2811.

Perhaps you could elaborate so we can give good advice?

Jon

Hi Jon,

The current VPN solution is a 515e 6.3(5) to 3030 LAN-to-LAN IPSec connection.

This will be moved over to a 2811 12.4 IOS Firewall (replaces the 515e) to 3030 LAN-to-LAN IPSec connection.

Next, create another IPSec profile on the 2811 router which will have its own LAN-to-LAN IPSec connection to a different 3030 concentrator.

So, for example, would the IPSec map look like this?

!
crypto map ctmap 10 ipsec-isakmp
 set peer 141.x.1.12
 set peer 141.1.x.12
 set transform-set ctset
 match address 102
!

thanks, Kevin

Kevin

Apologies, but I'm obviously having one of my stupid days because I'm still not fully understanding.

crypto map ctmap 10 ipsec-isakmp
 set peer 141.x.1.12
 set peer 141.1.x.12
 set transform-set ctset
 match address 102

What the above will do is use 141.x.1.12 as the VPN peer. If that VPN peer is down for some reason, then 141.1.x.12 will be used instead. So this does provide some level of redundancy.

Where I'm getting a bit confused is your original description, i.e.

"There will be two separate Ethernet LAN connections and one Ethernet WAN connection to the ISP edge router."

Jon

Jon, change of plan: we're going to separate the remote site's two LANs and assign one to one IPSec peer profile and the other LAN to the other IPSec peer. So there'll be just one crypto map with two crypto-map ID policies, something like crypto map cap 10 & crypto map cap 20. Thanks
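The design Kevin lands on (one crypto map, two sequence entries, each LAN steered to its own concentrator) as a worked IOS configuration. This is an added example, not configuration from the thread or from Cisco; all addresses, ACL names and interface names are assumed placeholders (RFC 5737 documentation ranges for the public side), and the crypto map and transform-set names ctmap/ctset are reused from the posts above. The per-peer inbound WAN ACL is included because the 2811 is replacing the 515e as the site firewall, so ISAKMP and ESP must be permitted only from the two known peers.

```ios
! Constructed example: 2811, IOS 12.4. Every address and name below is a placeholder.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! One pre-shared key per concentrator; key values are placeholders.
crypto isakmp key PSK-PLACEHOLDER-A address 192.0.2.12
crypto isakmp key PSK-PLACEHOLDER-B address 192.0.2.112
!
crypto ipsec transform-set ctset esp-aes esp-sha-hmac
!
! Interesting traffic, one ACL per LAN. The two ACLs must not overlap:
! the router matches crypto map entries in sequence order, so overlapping
! ACLs would send the second LAN's traffic to the first peer.
ip access-list extended VPN-LAN-A
 permit ip 10.1.1.0 0.0.0.255 172.16.10.0 0.0.0.255
ip access-list extended VPN-LAN-B
 permit ip 10.1.2.0 0.0.0.255 172.16.20.0 0.0.0.255
!
! One crypto map, two entries. Entry 10 carries LAN-A to concentrator A,
! entry 20 carries LAN-B to concentrator B.
crypto map ctmap 10 ipsec-isakmp
 set peer 192.0.2.12
 set transform-set ctset
 match address VPN-LAN-A
crypto map ctmap 20 ipsec-isakmp
 set peer 192.0.2.112
 set transform-set ctset
 match address VPN-LAN-B
!
! Only ISAKMP (UDP/500) and ESP from the two known peers reach the WAN
! address; add the rest of the existing IOS Firewall inbound policy here.
ip access-list extended WAN-IN
 permit udp host 192.0.2.12 host 203.0.113.2 eq isakmp
 permit esp host 192.0.2.12 host 203.0.113.2
 permit udp host 192.0.2.112 host 203.0.113.2 eq isakmp
 permit esp host 192.0.2.112 host 203.0.113.2
!
interface FastEthernet0/0
 description LAN-A
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description LAN-B
 ip address 10.1.2.1 255.255.255.0
!
! WAN toward the ISP edge router; the single crypto map is applied here once,
! and both entries take effect on this interface.
interface FastEthernet0/2/0
 description WAN to ISP edge
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-IN in
 crypto map ctmap
```

A second `set peer` line inside either entry gives the failover Jon describes (the first peer is tried, the next on failure), but it only helps if the backup concentrator also has a LAN-to-LAN entry whose interesting-traffic definition mirrors that LAN. After applying, `show crypto map` confirms the two entries and their peers, and `show crypto isakmp sa` / `show crypto ipsec sa` show which peer each LAN's tunnel actually came up with.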
