Switching between VPN connections

Unanswered Question
Aug 26th, 2009

I have two offices which are linked by a vpn connection using Cisco 857 routers. The broadband connection isn't very reliable, so both offices have had a second broadband line installed (through a different ISP).


Each office now has two cisco routers, both configured with a vpn tunnel to each cisco router in the other office.


In office A, both Cisco routers have an internal IP of 192.168.2.1

In office B, both Cisco routers have an internal IP of 192.168.3.1


Only one router at each office is switched on at any time. The idea is, should the broadband connection drop in either office, the appropriate router can be switched off, and the other router switched on. It would then establish a VPN connection with whichever VPN tunnel was available.


I have tested this, but it is not working as expected.


Office A can make a successful VPN tunnel to office B when both use router A

When the router at either end is changed, the VPN tunnels cannot be established. However,

Office A can make a successful VPN tunnel to office B when both use router B


Is it possible to achieve this?

Yudong Wu Wed, 08/26/2009 - 09:24

Can you provide?

- topology

- current config on all 4 routers

- debug output of "debug crypto isa sa" and "debug crypto ipsec sa".

nickc1976 Fri, 08/28/2009 - 07:18

Attached is a picture of the topology. The solid vpn lines are the connections which work. The dotted lines are vpn connections which don't work.



Yudong Wu Fri, 08/28/2009 - 07:26

I suggest you configure HSRP on the LAN interface between the two routers so that you don't need to manually switch off the router. As for why the VPN is not working, I still need the following info:

- current config on all 4 routers

- debug output of "debug crypto isa sa" and "debug crypto ipsec sa" when vpn is not working.



Yudong Wu Mon, 08/31/2009 - 09:52

Config looks good if you did not have any typo on IP address. Let's try the following.

1. establish VPN on routerA between office A and B.

2. enable debug on router A at office A and router B at office B

- debug crypto isa

- debug crypto ipsec

3. shut down router A at office B. I am not sure how the traffic is sent between office A and B. But if you use a PC in the inside network, you need to pay attention to its ARP entry for the default gateway IP. It might still point to router A. That's why I suggest you use HSRP here. Remember that you must have the related traffic to bring up the VPN.

4. The debug output from both sides should give us a clue on why the VPN between router A and router B could not be established. HTH.
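As an added example (not config from the original poster's routers, and not part of the thread), here is how the HSRP suggestion above could look on the two Office A routers, together with the two-peer crypto map the poster describes. It assumes the 857's LAN is interface Vlan1 and its ADSL WAN is Dialer0, that the IOS image on the router accepts the `standby` command (whether the 857 image includes HSRP is not settled in this thread; if `standby` is rejected under the interface, the image does not have it), placeholder public addresses 203.0.113.1 and 198.51.100.1 for Office B's two routers, and a placeholder pre-shared key. Office B's routers would need the mirror-image configuration with Office A's two public addresses as peers.

```ios
! Office A, router A (preferred): real address .2, shared gateway .1 (assumed addressing)
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 standby 1 ip 192.168.2.1
 standby 1 priority 110
 standby 1 preempt
 ! authenticate HSRP hellos so a rogue host on the LAN cannot claim the gateway
 standby 1 authentication md5 key-string REPLACE-WITH-HSRP-SECRET
 ! drop priority by 20 if the ADSL dialer goes down, so router B takes over
 standby 1 track Dialer0 20
!
! Office A, router B (standby): real address .3, same virtual gateway and secret
interface Vlan1
 ip address 192.168.2.3 255.255.255.0
 standby 1 ip 192.168.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string REPLACE-WITH-HSRP-SECRET
!
! On both Office A routers: IKE policy, a key for each Office B router (placeholder
! peer addresses), and dead-peer detection so IOS moves on from a peer that stops answering.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-A-STRONG-KEY address 203.0.113.1
crypto isakmp key REPLACE-WITH-A-STRONG-KEY address 198.51.100.1
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! "Interesting" traffic: the crypto map only starts IKE when a packet matches this ACL,
! which is why a tunnel does not come up on its own with no traffic.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Both Office B routers are listed as peers; the first is tried and the second is
! used when the first is unreachable.
crypto map OFFICE-B 10 ipsec-isakmp
 set peer 203.0.113.1
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface Dialer0
 crypto map OFFICE-B
```

Two points of design behind this. First, with HSRP the hosts keep 192.168.2.1 as their gateway and the active router answers ARP for it with the HSRP virtual MAC (0000.0c07.ac01 for group 1), so a failover does not leave PCs with a stale ARP entry pointing at a powered-off router's own MAC, which is the problem raised in step 3 above. Second, because the crypto map only initiates IKE on matching traffic, a quiet link will show no tunnel until something sends a packet from 192.168.2.0/24 to 192.168.3.0/24; `show crypto isakmp sa` and `show crypto ipsec sa` then show whether the SAs were built and with which peer.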


nickc1976 Tue, 09/01/2009 - 06:33

Thanks for the advice. I will try the vpn test as soon as I can.


I have not used or configured HSRP before. I am not sure whether it is supported on my router (857); is there an easy command I can issue to test?


If there is no traffic - will the VPN still be established? or must there be some traffic first?


Thanks


Nick
