dual-isp-router / two ipsec tunnels to same location

Unanswered Question
Feb 1st, 2010

Hi, here's what I would like to do:
I have a router with two public IPs from two different providers.
I have TWO inside vlans - Now, I want TWO ipsec tunnels, both to the same location. One tunnel will serve vlan1, the other vlan2.
Goal is that users in vlan1 will use the first ipsec tunnel and the bandwidth of the first isp and users in vlan2 will use the other ipsec tunnel and isp2.
Current config:
---
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 28800

crypto isakmp key 1hVBl0J0P3 address 212.3.244.4
!
crypto ipsec transform-set unhq esp-aes esp-sha-hmac
!
crypto map Viawan2 10 ipsec-isakmp
set peer 212.3.244.4
set security-association lifetime seconds 28800
set transform-set unhq
set pfs group2
match address 130
!
crypto map ViaViacom 10 ipsec-isakmp
description VPN-USYS-TO-BE01
set peer 212.3.244.4
set security-association lifetime seconds 28800
set transform-set unhq
set pfs group2
match address 150
!
!
!
!
interface FastEthernet0
ip address 95.43.228.170 255.255.255.248
crypto map ViaViacom
!
interface FastEthernet1
ip address 213.16.47.30 255.255.255.252
ip nat outside
crypto map Viawan2

interface Vlan1
ip address 10.38.0.160 255.255.255.0
ip nat inside
ip policy route-map defaultroute_wan2
!
interface Vlan3
ip address 10.38.1.161 255.255.255.0
ip policy route-map defaultroute_vivacom
!
ip route 0.0.0.0 0.0.0.0 213.16.47.29 10
ip route 0.0.0.0 0.0.0.0 95.43.228.169 100
!
!
ip nat inside source list 160 interface FastEthernet1 overload
!
access-list 130 permit ip 10.38.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 10.38.1.0 0.0.0.255 192.168.0.0 0.0.255.255
!
access-list 160 deny   ip 10.38.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 160 deny   ip 10.38.0.0 0.0.0.255 10.48.0.0 0.0.255.255
access-list 160 deny   ip 10.38.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 160 deny   ip 10.38.1.0 0.0.0.255 any
access-list 160 permit ip 10.38.0.0 0.0.0.255 any
access-list 160 deny   ip any any
!
access-list 170 remark default route wan2
access-list 170 permit ip 10.38.0.0 0.0.0.255 any
access-list 170 deny   ip 10.38.1.0 0.0.0.255 any
access-list 170 deny   ip any any
!
access-list 180 remark default route viacom
access-list 180 permit ip 10.38.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 180 deny   ip 10.38.1.0 0.0.0.255 any
access-list 180 deny   ip 10.38.0.0 0.0.0.255 any
access-list 180 deny   ip any any
!
!
route-map defaultroute_wan2 permit 10
match ip address 170
set ip next-hop 213.16.47.29
!
route-map defaultroute_vivacom permit 10
match ip address 180
set ip next-hop 95.43.228.169
---
any help would be greatly appreciated!!!
Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Mohamed Sobair Mon, 02/01/2010 - 03:27

Hi,

Your config look Ok , could you elaborate on what is your current problem?

Mohamed

johanhofmans Tue, 02/02/2010 - 00:21

my apologies - there was an error in the remote asa config that caused the 2nd tunnel to not come up.

I was confused with the dual default route - I tought there was a problem with that.

problem is fixed now.

Thanks for all input anyway...

Actions

This Discussion