05-12-2009 05:03 AM - edited 03-04-2019 04:44 AM
Hi community,
Right now we have two 1841 routers with IOS-AdvSec 12.4(19) in use.
The 2 Routers are connected via Serial 0/0/0 and Serial 0/0/1 and do ip load-sharing per-packet. In the future we would like to encrypt this connection. Which configuration steps would be necessary to implement encryption while maintaining ip load-sharing over these 2 serial interfaces?
Would it be possible to use the same crypto Map on both interfaces?
This is the configuration of the serial interface(s):
Interface Serial0/0/0
ip address x.x.x.x 255.255.255.252
ip load-sharing per-packet
no fair-queue
Interface Serial0/0/1
ip address x.x.x.x 255.255.255.252
ip load-sharing per-packet
no fair-queue
...
This is our standard crypto map which we would like to use:
crypto isakmp policy 100
encr aes
authentication pre-share
group x
crypto isakmp key xxx address 1.xx.xx.xx
crypto isakmp identity hostname
!
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
!
crypto map ROUTERVR 100 ipsec-isakmp
set peer 1.xx.xx.xx
set transform-set AES-256
match address 122
...
Thanks in advance,
Alexander
05-12-2009 05:35 AM
Hi Alexander,
You need two different crypto maps because, even though the peer address is different, the proxy ACL is the same, so you can't have two entries in the same crypto map:
crypto isakmp policy 100
encr aes
authentication pre-share
group x
crypto isakmp key xxx address 0.0.0.0
crypto isakmp identity hostname
!
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
!
crypto map ROUTERVR-S0/0/0 100 ipsec-isakmp
set peer 1.xx.xx.xx
set transform-set AES-256
match address 122
!
crypto map ROUTERVR-S0/0/1 100 ipsec-isakmp
set peer 2.xx.xx.xx
set transform-set AES-256
match address 122
!
Interface Serial0/0/0
crypto map ROUTERVR-S0/0/0
!
Interface Serial0/0/1
crypto map ROUTERVR-S0/0/1
!
Keep your static routes to implement load-balancing. The crypto will intercept the packets and encrypt them.
HTH
Laurent.
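As an added example (not posted in this thread), the two-map layout from the answer above completed with the proxy ACL, the equal-cost static routes that keep both links in use, and the show commands to confirm that each link has its own SA carrying traffic. The LAN prefixes, key placeholders and DH group are assumed values, not the thread's; the peer addresses are the same masked placeholders the thread uses.

```cisco
! Added example, not from the thread. Assumed: local LAN 10.2.0.0/24 and
! remote LAN 10.1.0.0/24 (constructed), PSKs are placeholders, DH group 5.
!
! Phase 1 policy; one key per peer so each PSK is scoped to one address
! rather than to 0.0.0.0 (any peer)
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 5
crypto isakmp key PLACEHOLDER_PSK_1 address 1.xx.xx.xx
crypto isakmp key PLACEHOLDER_PSK_2 address 2.xx.xx.xx
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
!
! Proxy ACL: the traffic that must be encrypted; identical on both maps
access-list 122 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! One crypto map per serial link, each with its own peer
crypto map ROUTERVR-S0/0/0 100 ipsec-isakmp
 set peer 1.xx.xx.xx
 set transform-set AES-256
 match address 122
!
crypto map ROUTERVR-S0/0/1 100 ipsec-isakmp
 set peer 2.xx.xx.xx
 set transform-set AES-256
 match address 122
!
interface Serial0/0/0
 ip load-sharing per-packet
 crypto map ROUTERVR-S0/0/0
!
interface Serial0/0/1
 ip load-sharing per-packet
 crypto map ROUTERVR-S0/0/1
!
! Two equal-cost static routes keep both links in the routing table, so
! CEF alternates packets between them; each packet then hits the map of
! the interface it leaves on and is encrypted to that link's peer
ip route 10.1.0.0 255.255.255.0 Serial0/0/0
ip route 10.1.0.0 255.255.255.0 Serial0/0/1
!
! Verification: expect one ISAKMP SA per peer, and the #pkts encaps
! counters rising for both interfaces while traffic flows
! show crypto isakmp sa
! show crypto ipsec sa | include interface|peer|#pkts
```

If only one interface's counters move, the second map is not being hit; check that both static routes are present with `show ip route 10.1.0.0` and that `show ip cef exact-route` resolves to both interfaces.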
05-12-2009 05:48 AM
Alexander,
I am doing something similar tomorrow and will let you know how it goes. I will be adding IPSEC over two T1 private lines between two sites. I am load sharing per destination versus per packet. I use the same crypto map for both interfaces. I tested this in the lab and it works fine.
05-13-2009 10:37 AM
I added IPSEC to two serial interfaces successfully today using the same crypto map. The two interfaces are doing load balancing per flow.
05-12-2009 06:15 AM
Have you measured performance when using 1 vs 2 links in per-packet load sharing?
Probably you're wasting a lot of bandwidth due to out-of-sequence packets that are discarded by the host.
For true utilization of both links simultaneously, use only per-flow or MLPPP.