Encrypted ip-load-sharing per-packet

Answered Question
May 12th, 2009

Hi community,

Right now we have two 1841 routers with IOS-AdvSec 12.4(19) in use.

The 2 Routers are connected via Serial 0/0/0 and Serial 0/0/1 and do ip load-sharing per-packet. In the future we would like to encrypt this connection. Which configuration steps would be necessary to implement encryption while maintaining ip load-sharing over these 2 serial interfaces?

Would it be possible to use the same crypto Map on both interfaces?

This is the configuration of the serial interface(s):

interface Serial0/0/0
 ip address x.x.x.x 255.255.255.252
 ip load-sharing per-packet
 no fair-queue
!
interface Serial0/0/1
 ip address x.x.x.x 255.255.255.252
 ip load-sharing per-packet
 no fair-queue

...

This is our standard crypto map which we would like to use:

crypto isakmp policy 100
 encr aes
 authentication pre-share
 group x
crypto isakmp key xxx address 1.xx.xx.xx
crypto isakmp identity hostname
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
!
crypto map ROUTERVR 100 ipsec-isakmp
 set peer 1.xx.xx.xx
 set transform-set AES-256
 match address 122

...

Thanks in advance,

Alexander

Correct Answer by Laurent Aubert, Tue, 05/12/2009 - 05:35

Hi Alexander,

You need two different crypto maps: even if the peer address is different, the proxy ACL is the same, so you can't have two entries in the same crypto map:

crypto isakmp policy 100
 encr aes
 authentication pre-share
 group x
! wildcard key: matches both peer addresses (IOS stores it as 0.0.0.0 0.0.0.0)
crypto isakmp key xxx address 0.0.0.0 0.0.0.0
crypto isakmp identity hostname
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
!
! one crypto map per serial interface, each pointing at that link's far-end address
crypto map ROUTERVR-S0/0/0 100 ipsec-isakmp
 set peer 1.xx.xx.xx
 set transform-set AES-256
 match address 122
!
crypto map ROUTERVR-S0/0/1 100 ipsec-isakmp
 set peer 2.xx.xx.xx
 set transform-set AES-256
 match address 122
!
interface Serial0/0/0
 crypto map ROUTERVR-S0/0/0
!
interface Serial0/0/1
 crypto map ROUTERVR-S0/0/1
!

Keep your static routes to implement load balancing. The crypto will intercept the packets and encrypt them.

HTH

Laurent.
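The following is an added, complete two-router example of the design in the answer above (both sides, proxy ACL, static routes); it is not part of the original thread or of any Cisco documentation. The hostnames, the 192.0.2.x link addresses, the 10.1.0.0/16 and 10.2.0.0/16 LANs, ACL number 122, DH group 5 and the pre-shared key PSK-EXAMPLE are assumptions chosen for illustration.

```cisco
! ===== RouterA (assumed hostname) =====
! Two point-to-point serials to RouterB; per-packet load sharing needs CEF.
hostname RouterA
ip cef
!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 5
! Per-peer keys instead of a 0.0.0.0 wildcard: only the two expected
! far-end addresses can authenticate with this key.
crypto isakmp key PSK-EXAMPLE address 192.0.2.2
crypto isakmp key PSK-EXAMPLE address 192.0.2.6
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
!
! Proxy ACL (assumed LANs): traffic to protect, same ACL in both maps.
access-list 122 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! One crypto map per link, each peering with that link's far end.
crypto map VPN-S000 100 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set AES-256
 match address 122
!
crypto map VPN-S001 100 ipsec-isakmp
 set peer 192.0.2.6
 set transform-set AES-256
 match address 122
!
interface Serial0/0/0
 ip address 192.0.2.1 255.255.255.252
 ip load-sharing per-packet
 no fair-queue
 crypto map VPN-S000
!
interface Serial0/0/1
 ip address 192.0.2.5 255.255.255.252
 ip load-sharing per-packet
 no fair-queue
 crypto map VPN-S001
!
! Two equal-cost static routes keep both links in the CEF table, so packets
! for 10.2.0.0/16 alternate between the links and each gets encrypted by
! the crypto map of the interface it leaves on.
ip route 10.2.0.0 255.255.0.0 192.0.2.2
ip route 10.2.0.0 255.255.0.0 192.0.2.6
!
! ===== RouterB (assumed hostname): mirror image =====
hostname RouterB
ip cef
!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 5
crypto isakmp key PSK-EXAMPLE address 192.0.2.1
crypto isakmp key PSK-EXAMPLE address 192.0.2.5
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
!
access-list 122 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map VPN-S000 100 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set AES-256
 match address 122
!
crypto map VPN-S001 100 ipsec-isakmp
 set peer 192.0.2.5
 set transform-set AES-256
 match address 122
!
interface Serial0/0/0
 ip address 192.0.2.2 255.255.255.252
 ip load-sharing per-packet
 no fair-queue
 crypto map VPN-S000
!
interface Serial0/0/1
 ip address 192.0.2.6 255.255.255.252
 ip load-sharing per-packet
 no fair-queue
 crypto map VPN-S001
!
ip route 10.1.0.0 255.255.0.0 192.0.2.1
ip route 10.1.0.0 255.255.0.0 192.0.2.5
```

To confirm that both links are actually carrying encrypted traffic, send a few hundred packets between the LANs and compare the SAs with `show crypto isakmp sa` (two peers, both QM_IDLE) and `show crypto ipsec sa` (two IPsec SAs whose #pkts encaps / #pkts decaps counters both keep growing); if only one counter moves, the second route is not installed or the second crypto map never matched. Because each link negotiates its own IPsec SA with its own ESP sequence-number space, per-packet distribution across the two links does not interact with the anti-replay window of either SA; the packet reordering the end hosts see is the same as it was before encryption.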


mtorzewski Tue, 05/12/2009 - 05:48

Alexander,

I am doing something similar tomorrow and will let you know how it goes. I will be adding IPSEC over two T1 private lines between two sites. I am load sharing per destination versus per packet. I use the same crypto map for both interfaces. I tested this in the lab and it works fine.

mtorzewski Wed, 05/13/2009 - 10:37

I added IPSEC to two serial interfaces successfully today using the same crypto map. The two interfaces are doing load balancing per flow.

Paolo Bevilacqua Tue, 05/12/2009 - 06:15

Have you measured performance when using 1 vs 2 links in per-packet load sharing?

Probably you're wasting a lot of bandwidth due to out-of-sequence packets that are discarded by the host.

For true utilization of both links simultaneously, use only per-flow or MLPPP.
