IPSEC Configuration

Answered Question
apcbpcbpcl Mon, 09/30/2013 - 09:24

We have two routers in the DC setup. In Router1 the SP1 link is terminated, and in Router2 the SP2 link is terminated. In both routers BGP is configured with the MPLS cloud.

In Router1 VLAN2 IP: 172.26.0.253.

In Router2 VLAN2 IP: 172.26.4.253.

DC subnet: 172.24.0.0/24

Branch End LAN Segment: 172.27.1.128/27

Now, from the branch, we are trying to implement an IPsec tunnel for the DC segment. SP1 & SP2 are configured as active-standby.

In DC, both routers' config:

crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp key <> address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 30 5
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
crypto dynamic-map APDRPMAP 6
 set transform-set APDRPSET
crypto map APDRPMAIN 6 ipsec-isakmp dynamic APDRPMAP
int vlan 2
 crypto map APDRPMAIN

In branch router config:

crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp keepalive 30 5
crypto isakmp key <> address 172.26.0.253 no-xauth
crypto isakmp key <> address 172.26.4.253 no-xauth
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
 mode tunnel
crypto map APDRPMAP 6 ipsec-isakmp
 set peer 172.26.0.253
 set transform-set APDRPSET
 match address 130
crypto map APDRPMAP 12 ipsec-isakmp
 set peer 172.26.4.253
 set transform-set APDRPSET
 match address 130
access-list 130 permit ip 172.27.1.128 0.0.0.31 172.24.0.0 0.0.255.255
access-list 130 permit ip 172.17.220.32 0.0.0.3 172.24.0.0 0.0.255.255
access-list 130 deny ip 172.27.1.128 0.0.0.31 any
access-list 130 deny ip 172.17.220.32 0.0.0.3 any
int gi 0/0
 crypto map APDRPMAP
int gi 0/1   ! secondary MPLS link
 crypto map APDRPMAP

Problem:

When, at the branch end, both links are up, it creates the tunnel with the DC primary router IP 172.26.0.253 and works perfectly fine.

When, at the branch end, the primary link goes down, traffic towards the DC goes via gi0/1. In crypto, it tries to peer with the primary DC router IP only instead of the secondary DC router IP, and as a result the tunnel is not able to form; the state is MM_NO_STATE.

When the primary link comes back up, it peers with 172.26.0.253 again and works fine.

We have tried clearing the crypto sessions in both cases but did not get the expected result.

Please let us know where exactly we are going wrong.
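An added illustration, not part of the thread, of why the branch keeps selecting the primary peer: IOS evaluates crypto map entries in ascending sequence order and uses the first entry whose match ACL permits the flow, so entry 6 (peer 172.26.0.253) always wins over entry 12 when both reference ACL 130, whichever interface the traffic leaves on. The Python model below reproduces that selection over the ACL and map from the post; the CONSOLIDATED map (both peers listed under one entry) is an assumed alternative layout used only to contrast the behaviour, not a configuration from the thread.

```python
import ipaddress

# Constructed from the branch-router config in the post: ACL 130 and the two
# crypto map entries (seq 6 and seq 12) that both reference it.
ACL_130 = [  # (action, src, src_wildcard, dst, dst_wildcard)
    ("permit", "172.27.1.128", "0.0.0.31", "172.24.0.0", "0.0.255.255"),
    ("permit", "172.17.220.32", "0.0.0.3", "172.24.0.0", "0.0.255.255"),
    ("deny", "172.27.1.128", "0.0.0.31", "0.0.0.0", "255.255.255.255"),
    ("deny", "172.17.220.32", "0.0.0.3", "0.0.0.0", "255.255.255.255"),
]
AS_CONFIGURED = [  # (sequence, peers, acl): one 'set peer' per entry
    (6, ["172.26.0.253"], ACL_130),
    (12, ["172.26.4.253"], ACL_130),
]
# Assumed alternative (not from the thread): both peers under a single entry.
CONSOLIDATED = [(6, ["172.26.0.253", "172.26.4.253"], ACL_130)]

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care' for that bit."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)

def acl_permits(acl, src, dst):
    """First matching line decides; no match is an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

def select_entry(crypto_map, src, dst):
    """Entries are evaluated in ascending sequence order and the first one
    whose ACL permits the flow is used; the egress interface is not a factor."""
    for seq, peers, acl in sorted(crypto_map, key=lambda e: e[0]):
        if acl_permits(acl, src, dst):
            return seq, peers
    return None

def ike_peer(crypto_map, src, dst, reachable):
    """Peer the branch tries IKE with: the selected entry's peers in order,
    moving on only when negotiation with the current one fails. A single-peer
    entry has nothing to fall back to, so it keeps retrying that address."""
    selected = select_entry(crypto_map, src, dst)
    if selected is None:
        return None  # not interesting traffic for this map
    _, peers = selected
    alive = [p for p in peers if p in reachable]
    return alive[0] if alive else peers[0]
```

Running `ike_peer(AS_CONFIGURED, "172.27.1.130", "172.24.0.10", {"172.26.4.253"})` returns 172.26.0.253 even though only the secondary DC router is reachable, which is the MM_NO_STATE situation described in the post.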
