08-26-2009 07:48 AM - edited 03-06-2019 07:26 AM
I have two offices which are linked by a vpn connection using Cisco 857 routers. The broadband connection isn't very reliable, so both offices have had a second broadband line installed (through a different ISP).
Each office now has two cisco routers, both configured with a vpn tunnel to each cisco router in the other office.
In office A, both Cisco routers have an internal IP of 192.168.2.1
In office B, both Cisco routers have an internal IP of 192.168.3.1
Only one router at each office is switched on at any time. The idea is, should the broadband connection drop in either office, the appropriate router can be switched off and the other router switched on. It would then establish a VPN connection with whichever VPN tunnel was available.
I have tested this, but it is not working as expected.
Office A can make a successful VPN tunnel to office B when both use router A
When the router at either end is changed, the VPN tunnels cannot be established. However,
Office A can make a successful VPN tunnel to office B when both use router B
Is it possible to achieve this?
08-26-2009 09:24 AM
Can you provide:
- topology
- current config on all 4 routers
- debug output of "debug crypto isa sa" and "debug crypto ipsec sa".
08-28-2009 07:18 AM
08-28-2009 07:26 AM
I suggest you configure HSRP on the LAN interface between the two routers so that you don't need to manually switch off a router. As for why the VPN is not working, I still need the following info:
- current config on all 4 routers
- debug output of "debug crypto isa sa" and "debug crypto ipsec sa" when the VPN is not working.
08-28-2009 07:37 AM
08-28-2009 07:37 AM
08-28-2009 07:41 AM
08-28-2009 07:42 AM
08-31-2009 09:52 AM
Config looks good if you did not make any typos in the IP addresses. Let's try the following.
1. establish VPN on routerA between office A and B.
2. enable debug on router A at office A and router B at office B
- debug crypto isa
- debug crypto ipsec
3. Shut down router A at office B. I am not sure how the traffic is sent between office A and B. But if you use a PC in the inside network, you need to pay attention to its ARP entry for the default gateway IP. It might still point to router A. That's why I suggest you use HSRP here. Remember that you must have the related traffic to bring up the VPN.
4. The debug output from both sides should give us a clue on why the VPN between router A and router B could not be established. HTH.
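The HSRP setup suggested above, written out as an added example (this is not configuration from the original thread or from the poster's routers). It assumes office A, where the two routers currently share 192.168.2.1: each router gets its own address on the LAN interface and 192.168.2.1 becomes the HSRP virtual address, so the PCs keep their existing default gateway and their ARP entry resolves to the HSRP virtual MAC rather than to one physical router. The interface names (Vlan1 for the 857 switch ports, Dialer0 for the ADSL WAN) and the shared key are assumptions; check them against your own config.

```cisco
! Router A1 (office A, ISP 1) - preferred active gateway
interface Vlan1
 description Office A LAN, HSRP group 1
 ip address 192.168.2.2 255.255.255.0
 standby 1 ip 192.168.2.1
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 ! MD5-authenticate hellos so a host on the LAN cannot announce a higher
 ! priority and make itself the default gateway (key-string is an assumption)
 standby 1 authentication md5 key-string Off1ceA-HSRP-key
 ! Drop priority below the peer's 100 if the WAN interface goes down,
 ! so the router with a working broadband line becomes active
 standby 1 track Dialer0 20

! Router A2 (office A, ISP 2) - standby gateway
interface Vlan1
 description Office A LAN, HSRP group 1
 ip address 192.168.2.3 255.255.255.0
 standby 1 ip 192.168.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string Off1ceA-HSRP-key
 standby 1 track Dialer0 20

! Verification on either router
! show standby brief
```

Office B is configured the same way with 192.168.3.1 as the virtual address. To check whether your IOS image supports HSRP at all, enter interface configuration mode on Vlan1 and type `standby ?`; if IOS answers with an unrecognized-command error, the feature is not in that image. Two caveats: interface tracking only follows the state of Dialer0, not whether traffic actually reaches the other office, and because both routers are now powered on together, each must still hold its own crypto peer and ISAKMP configuration for both remote WAN addresses, as in the original four-tunnel design.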
09-01-2009 06:33 AM
Thanks for the advice. I will try the vpn test as soon as I can.
I have not used or configured HSRP before. I am not sure whether it is supported on my router (857); is there an easy command I can issue to test?
If there is no traffic, will the VPN still be established, or must there be some traffic first?
Thanks
Nick
09-01-2009 07:31 AM
Here is the link to HSRP
http://www.cisco.com/en/US/docs/internetworking/case/studies/cs009.html
No, the VPN won't be established until you initiate traffic which needs to go through the VPN tunnel.