04-22-2009 04:00 PM - edited 03-11-2019 08:22 AM
Using IOS Firewall on a 2811: management wants to have VPN peer redundancy on the remote-office 2811 to two different regional 3030 concentrators. The remote 2811 has a current VPN LAN-to-LAN with one of the 3030s. There will be two separate Ethernet LAN connections and one Ethernet WAN connection to the ISP edge router. The question is how one would configure the 2811 to support two different VPN peers, with one LAN going to one VPN peer and the other LAN going to the other VPN peer.
04-23-2009 01:36 AM
Kevin
If I understand correctly, you have two LANs behind your 2811 and you want one to go to one peer and the other to go to the other peer?
If so then you just have multiple entries in your crypto map on the 2811.
Perhaps you could elaborate so we can give good advice?
Jon
04-23-2009 04:34 AM
Hi Jon,
The current VPN solution is a 515e 6.3(5) to 3030 LAN-to-LAN IPSec connection.
This will be moved over to a 2811 12.4 IOS Firewall (replaces the 515e) to 3030 LAN-to-LAN IPSec connection.
Next, create another IPSec profile on the 2811 router which will have its own LAN-to-LAN IPSec connection to a different 3030 concentrator.
So, for example, would the IPSec map look like this?
!
crypto map ctmap 10 ipsec-isakmp
set peer 141.x.1.12
set peer 141.1.x.12
set transform-set ctset
match address 102
!
thanks, Kevin
04-23-2009 05:25 AM
Kevin
Apologies, but I'm obviously having one of my stupid days because I'm still not fully understanding.
crypto map ctmap 10 ipsec-isakmp
set peer 141.x.1.12
set peer 141.1.x.12
set transform-set ctset
match address 102
What the above will do is use 141.x.1.12 as the VPN peer. If that VPN peer is down for some reason, then 141.1.x.12 will be used instead. So this does provide some level of redundancy.
Where I'm getting a bit confused is your original description, i.e.:
"There will be two separate Ethernet LAN connections and one Ethernet WAN connection to the ISP edge router."
Jon
04-23-2009 06:19 AM
Jon, change of plan: we're going to separate the remote site's two LANs and assign one to one IPSec peer profile and the other LAN to the other IPSec peer. So there'll be just one crypto map with two crypto map ID policies, something like "crypto map cap 10" and "crypto map cap 20". Thanks.
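As an added example (not posted by Kevin or Jon, and not a configuration from the original thread), this is what the plan above can look like on a 2811 running 12.4: one crypto map, two entries, each with its own peer and its own crypto ACL, applied once on the WAN interface. Every address, interface name, ACL number, key string and network in it is an assumption chosen for illustration; the 3030 peers are shown as 198.51.100.12 and 203.0.113.12 rather than the masked 141.x addresses from the posts, and the third Ethernet port is assumed to be an HWIC-1FE in slot 1 (FastEthernet0/1/0). The comment on entry 10 shows where Jon's two-peer fallback would go if one LAN should also fail over.

```cisco
! Added example configuration, not from the original thread. All addresses,
! interface names, ACL numbers, networks and key strings are assumptions.
!
! IKE phase 1: one policy, one pre-shared key per 3030 peer
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE-ME-A address 198.51.100.12
crypto isakmp key REPLACE-ME-B address 203.0.113.12
!
! Dead Peer Detection so a failed 3030 is detected and its SAs torn down
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set ctset esp-aes 256 esp-sha-hmac
!
! Crypto ACLs, one per LAN. They must not overlap: traffic is matched against
! entry 10 first, so anything ACL 102 also covered would never reach entry 20.
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.100.0.0 0.0.255.255
access-list 103 permit ip 10.1.2.0 0.0.0.255 10.200.0.0 0.0.255.255
!
! One crypto map, two entries: LAN A (ACL 102) to peer A, LAN B (ACL 103) to peer B
crypto map ctmap 10 ipsec-isakmp
 set peer 198.51.100.12
 ! a second "set peer" line here would add the fallback peer Jon describes:
 ! the first listed peer is tried first, the second only if it is unreachable
 set transform-set ctset
 match address 102
crypto map ctmap 20 ipsec-isakmp
 set peer 203.0.113.12
 set transform-set ctset
 match address 103
!
! Inbound WAN ACL for the IOS Firewall: the tunnels only come up if ISAKMP,
! NAT-T and ESP from both 3030s are allowed in on the outside interface
ip access-list extended WAN-IN
 permit udp host 198.51.100.12 any eq isakmp
 permit udp host 198.51.100.12 any eq non500-isakmp
 permit esp host 198.51.100.12 any
 permit udp host 203.0.113.12 any eq isakmp
 permit udp host 203.0.113.12 any eq non500-isakmp
 permit esp host 203.0.113.12 any
 deny   ip any any log
!
! Interfaces: one WAN (crypto map applied here, once), two separate LANs
interface FastEthernet0/0
 description WAN to ISP edge router
 ip address 192.0.2.2 255.255.255.252
 ip access-group WAN-IN in
 crypto map ctmap
!
interface FastEthernet0/1
 description LAN A, protected by entry 10 to 198.51.100.12
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1/0
 description LAN B, protected by entry 20 to 203.0.113.12
 ip address 10.1.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Verification from exec mode:
!   show crypto map                          - both entries with their peers and ACLs
!   show crypto isakmp sa                    - one QM_IDLE entry per 3030 once traffic flows
!   show crypto ipsec sa peer 198.51.100.12  - encaps/decaps counters for LAN A's tunnel
!   show crypto ipsec sa peer 203.0.113.12   - the same for LAN B's tunnel
```

Two things to check before cutting over from the 515e: the crypto ACL on each 3030 must be the mirror image of the matching ACL here (its network-list must name only the LAN behind the entry that points at it), and if the 2811 also does NAT overload on the WAN interface, the two LAN-to-LAN flows have to be excluded from the NAT ACL, otherwise they are translated before the crypto map sees them and never match ACL 102 or 103.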