Encrypted ip-load-sharing per-packet

alexander76
Level 1

Hi community,

right now we have two 1841 routers with IOS-AdvSec 12.4(19) in use.

The 2 Routers are connected via Serial 0/0/0 and Serial 0/0/1 and do ip load-sharing per-packet. In the future we would like to encrypt this connection. Which configuration steps would be necessary to implement encryption while maintaining ip load-sharing over these 2 serial interfaces?

Would it be possible to use the same crypto Map on both interfaces?

This is the configuration of the serial interface(s):

interface Serial0/0/0
 ip address x.x.x.x 255.255.255.252
 ip load-sharing per-packet
 no fair-queue
interface Serial0/0/1
 ip address x.x.x.x 255.255.255.252
 ip load-sharing per-packet
 no fair-queue
...

This is our standard crypto map which we would like to use:

crypto isakmp policy 100
 encr aes
 authentication pre-share
 group x
crypto isakmp key xxx address 1.xx.xx.xx
crypto isakmp identity hostname
!
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
!
crypto map ROUTERVR 100 ipsec-isakmp
 set peer 1.xx.xx.xx
 set transform-set AES-256
 match address 122
...

Thanks in advance,

Alexander

Accepted Solution

Laurent Aubert
Cisco Employee

Hi Alexander,

You need two different crypto maps as, even if the peer address is different, the proxy ACL is the same, so you can't have two entries in the same crypto map:

crypto isakmp policy 100
 encr aes
 authentication pre-share
 group x
crypto isakmp key xxx address 0.0.0.0
crypto isakmp identity hostname
!
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
!
crypto map ROUTERVR-S0/0/0 100 ipsec-isakmp
 set peer 1.xx.xx.xx
 set transform-set AES-256
 match address 122
!
crypto map ROUTERVR-S0/0/1 100 ipsec-isakmp
 set peer 2.xx.xx.xx
 set transform-set AES-256
 match address 122
!
interface Serial0/0/0
 crypto map ROUTERVR-S0/0/0
!
interface Serial0/0/1
 crypto map ROUTERVR-S0/0/1
!

Keep your static routes to implement load-balancing. The crypto will intercept the packets and encrypt them.

HTH

Laurent.



mtorzewski
Level 1

Alexander,

I am doing something similar tomorrow and will let you know how it goes. I will be adding IPSEC over two T1 private lines between two sites. I am load sharing per destination versus per packet. I use the same crypto map for both interfaces. I tested this in the lab and it works fine.

I added IPSEC to two serial interfaces successfully today using the same crypto map. The two interfaces are doing load balancing per flow.

paolo bevilacqua
Hall of Fame

Have you measured performance when using one vs. two links in per-packet load sharing?

Probably you're wasting a lot of bandwidth due to out-of-sequence packets that are discarded by the host.

For true utilization of both links simultaneously, use only per-flow or MLPPP.
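As an added example (not code from the thread or from Cisco), here is a small Python checker that reads an IOS-style configuration and reports the three points the thread raises: two entries in one crypto map that match the same proxy ACL (the reason the accepted answer uses one map per interface), per-packet load sharing on an interface that also carries a crypto map (the reordering concern in the last reply), and a wildcard ISAKMP pre-shared key (`address 0.0.0.0`), which any peer holding the key can use to authenticate. The two configurations inside it are constructed from the thread's layout with documentation addresses and placeholder key and ACL values; the parser understands only the commands shown, and it assumes IOS evaluates crypto map entries in sequence-number order and uses the first ACL match.

```python
"""Lint an IOS-style config for the crypto-map and load-sharing points raised in the thread.
Added example, not code from the thread or from Cisco; both configs below are constructed
from the thread's layout with documentation addresses and placeholder key/ACL values."""
import re
from collections import defaultdict

# Constructed "before": one map reused for two peers with the same proxy ACL,
# per-packet load sharing on both links, and a wildcard ISAKMP pre-shared key.
BEFORE = """\
crypto isakmp key EXAMPLE-KEY address 0.0.0.0
crypto map ROUTERVR 100 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set AES-256
 match address 122
crypto map ROUTERVR 200 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES-256
 match address 122
interface Serial0/0/0
 ip load-sharing per-packet
 crypto map ROUTERVR
interface Serial0/0/1
 ip load-sharing per-packet
 crypto map ROUTERVR
"""

# Constructed "after", following the accepted answer: one map per interface, a key bound
# to each peer, and per-destination (per-flow) sharing as the last reply recommends.
AFTER = """\
crypto isakmp key EXAMPLE-KEY address 192.0.2.1
crypto isakmp key EXAMPLE-KEY address 198.51.100.1
crypto map ROUTERVR-S0 100 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set AES-256
 match address 122
crypto map ROUTERVR-S1 100 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES-256
 match address 122
interface Serial0/0/0
 ip load-sharing per-destination
 crypto map ROUTERVR-S0
interface Serial0/0/1
 ip load-sharing per-destination
 crypto map ROUTERVR-S1
"""


def parse_config(text):
    """Return (crypto_maps, interfaces, wildcard_keys) from IOS-style text.

    crypto_maps: {name: {seq: {'peer': str|None, 'acl': str|None}}}
    interfaces:  {name: {'per_packet': bool, 'crypto_map': str|None}}
    """
    maps, ifaces, wildcard = defaultdict(dict), {}, []
    entry = iface = None                      # the indented section currently open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('!'):
            continue
        if not raw.startswith(' '):           # a top-level command starts a new section
            entry = iface = None
            if m := re.match(r'crypto map (\S+) (\d+) ipsec-isakmp$', line):
                entry = maps[m[1]].setdefault(int(m[2]), {'peer': None, 'acl': None})
            elif m := re.match(r'interface (\S+)$', line):
                iface = ifaces.setdefault(m[1], {'per_packet': False, 'crypto_map': None})
            elif re.match(r'crypto isakmp key \S+ address 0\.0\.0\.0', line):
                wildcard.append(line)
        elif entry is not None:               # inside a crypto map entry
            if m := re.match(r'set peer (\S+)$', line):
                entry['peer'] = m[1]
            elif m := re.match(r'match address (\S+)$', line):
                entry['acl'] = m[1]
        elif iface is not None:               # inside an interface block
            if line == 'ip load-sharing per-packet':
                iface['per_packet'] = True
            elif m := re.match(r'crypto map (\S+)$', line):
                iface['crypto_map'] = m[1]
    return dict(maps), ifaces, wildcard


def check_config(text):
    """Return [(severity, message)] findings; an empty list means nothing to report."""
    maps, ifaces, wildcard = parse_config(text)
    findings = []
    for name, entries in maps.items():
        by_acl = defaultdict(list)
        for seq in sorted(entries):
            if entries[seq]['acl']:
                by_acl[entries[seq]['acl']].append(seq)
        for acl, seqs in by_acl.items():
            if len(seqs) > 1:  # first ACL match in seq order wins; later peers are shadowed
                findings.append(('error', f'crypto map {name}: seqs {seqs} all match ACL {acl}; '
                                          f'only seq {seqs[0]} is ever selected'))
    for ifname, i in ifaces.items():
        if i['crypto_map'] and i['crypto_map'] not in maps:
            findings.append(('error', f'{ifname}: crypto map {i["crypto_map"]} is not defined'))
        if i['crypto_map'] and i['per_packet']:
            findings.append(('warning', f'{ifname}: per-packet load sharing under IPsec spreads '
                                        'one flow over two SAs and reorders its packets'))
    for line in wildcard:
        findings.append(('warning', f'wildcard pre-shared key accepts any peer holding it: {line}'))
    return findings


if __name__ == '__main__':
    for label, cfg in (('BEFORE', BEFORE), ('AFTER', AFTER)):
        print(label, check_config(cfg) or 'clean')
```

Run against `BEFORE` it reports one error (both entries of `ROUTERVR` match ACL 122, so only sequence 100 is ever used) and three warnings (per-packet sharing on each serial interface, plus the wildcard key); `AFTER` comes back clean. Splitting the key line per peer is the checker's own hardening on top of the accepted answer: the thread's `address 0.0.0.0` form works, but it lets any host that learns the key complete phase 1.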
