Switching between VPN connections

nickc1976
Level 1

I have two offices which are linked by a vpn connection using Cisco 857 routers. The broadband connection isn't very reliable, so both offices have had a second broadband line installed (through a different ISP).

Each office now has two cisco routers, both configured with a vpn tunnel to each cisco router in the other office.

In office A, both Cisco routers have an internal IP of 192.168.2.1

In office B, both Cisco routers have an internal IP of 192.168.3.1

Only one router at each office is switched on at any time. The idea is, should the broadband connection drop in either office, the appropriate router can be switched off, and the other router switched on. It would then establish a VPN connection with whichever VPN tunnel was available.

I have tested this, but it is not working as expected.

Office A can make a successful VPN tunnel to office B when both use router A

When the router at either end is changed, the VPN tunnels cannot be established. However,

Office A can make a successful VPN tunnel to office B when both use router B

Is it possible to achieve this?

10 Replies

Yudong Wu
Level 7

Can you provide?

- topology

- current config on all 4 routers

- debug output of "debug crypto isa sa" and "debug crypto ipsec sa".

Attached is a picture of the topology. The solid vpn lines are the connections which work. The dotted lines are vpn connections which don't work.

I suggest you configure HSRP on the LAN interface between the two routers so that you don't need to manually switch off the router. As for why the VPN is not working, I still need the following info:

- current config on all 4 routers

- debug output of "debug crypto isa sa" and "debug crypto ipsec sa" when vpn is not working.

configs

Final config

"debug crypto isa sa" and "debug crypto ipsec sa" did not work, so I used "show crypto isa sa" and "show crypto ipsec sa" instead

"show crypto isa sa" and "show crypto ipsec sa"

Config looks good if you did not have any typos in the IP addresses. Let's try the following.

1. establish VPN on routerA between office A and B.

2. enable debug on router A at office A and router B at office B

- debug crypto isa

- debug crypto ipsec

3. shut down router A at office B. I am not sure how the traffic is sent between office A and B. But if you use a PC in the inside network, you need to pay attention to its ARP entry for the default gateway IP. It might still point to router A. That's why I suggest you use HSRP here. Remember that you must have the related traffic to bring up the VPN.

4. The debug output from both sides should give us a clue on why the VPN between router A and router B could not be established. HTH.
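As an added illustration of the HSRP suggestion made above and of the ARP problem described in step 3 (this is example configuration written for this page, not the thread's attached configs or anything from Cisco), here is how the two office A routers could share 192.168.2.1 as a virtual gateway. With HSRP each router keeps a unique real address and the hosts keep 192.168.2.1 as their default gateway; the virtual IP maps to an HSRP virtual MAC, so a host's ARP entry stays valid when the active router changes. Interface names (Vlan1 for the LAN switch ports, ATM0 for the DSL line on an 857), the real addresses .2 and .3, and the keepalive line are assumptions; office B would mirror this with 192.168.3.x addresses.

```cisco
! ---- Office A, router A1 (preferred active) ----
! Real LAN address is unique per router; 192.168.2.1 becomes the shared virtual address.
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 standby 1 ip 192.168.2.1
 standby 1 priority 110
 standby 1 preempt
 ! If the DSL interface goes down, priority drops by 20 (110 -> 90) and A2 takes over.
 standby 1 track ATM0 20
!
! ---- Office A, router A2 (standby) ----
interface Vlan1
 ip address 192.168.2.3 255.255.255.0
 standby 1 ip 192.168.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track ATM0 20
!
! ---- All four routers (assumption, not shown in the thread) ----
! Dead peer detection tears down the IKE SA to a router that has gone away instead of
! leaving it in place until the SA lifetime expires, so the tunnel to the other router
! can be built as soon as interesting traffic arrives.
crypto isakmp keepalive 10 3 periodic
!
! ---- Verification from exec mode ----
! show standby brief      one router Active, the other Standby, both listing 192.168.2.1
! show ip arp 192.168.2.1 on a host: the MAC should be the HSRP virtual MAC (0000.0c07.ac01)
! show crypto isakmp sa   expect QM_IDLE on the active router after sending traffic
! debug crypto isakmp
! debug crypto ipsec      these are the working forms of the debug commands from step 2
```

Interface tracking only reacts when ATM0 loses line protocol (the DSL sync drops); a failure further inside the ISP leaves the line up and would not trigger a switchover, which is where an IP SLA probe to the ISP gateway would be needed instead. HSRP only moves the LAN gateway role; each router still builds its own tunnel from its own ISP address, which is why the crypto peer lists must include both remote routers as the original post already describes, and the tunnel still comes up only once a host sends traffic through it.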

Thanks for the advice. I will try the vpn test as soon as I can.

I have not used or configured HSRP before. I am not sure whether it is supported on my router (857). Is there an easy command I can issue to test?

If there is no traffic, will the VPN still be established? Or must there be some traffic first?

Thanks

Nick

Here is the link to HSRP

http://www.cisco.com/en/US/docs/internetworking/case/studies/cs009.html

No, the VPN won't be established until you initiate traffic which needs to go through the VPN tunnel.
