point to multipoint vpn question

Unanswered Question
Mar 2nd, 2010
Hi,


I have a router with crypto map applied to an interface.  This crypto map has two remote peers with the below configuration.


crypto map test 10 ipsec-isakmp
 set peer 1.1.1.1
 set peer 2.2.2.2
 set transform-set tset
 match address 101

access-list 101 permit ip 5.5.5.0 0.0.0.255 6.6.6.0 0.0.0.255


These two remote peers are two routers that are accessing the same resource which is 6.6.6.0/24.


My question has something to do with asymmetric routing.  If I have a packet that goes out my VPN interface to one peer, say 1.1.1.1, but comes back from 2.2.2.2, will this work?  From my simulations, it doesn't.  If this won't work, is there a way to allow this type of VPN traffic?  I mean, if I send traffic out to peer 1.1.1.1 and it comes back from 2.2.2.2, or if the remote site sends out from 1.1.1.1 and I reply back to peer 2.2.2.2, it won't cause problems.


Thanks.

Jon Marshall Tue, 03/02/2010 - 09:17
marcusbrutus wrote:


Hi,


I have a router with crypto map applied to an interface.  This crypto map has two remote peers with the below configuration.


crypto map test 10 ipsec-isakmp
 set peer 1.1.1.1
 set peer 2.2.2.2
 set transform-set tset
 match address 101

access-list 101 permit ip 5.5.5.0 0.0.0.255 6.6.6.0 0.0.0.255


These two remote peers are two routers that are accessing the same resource which is 6.6.6.0/24.


My question has something to do with asymmetric routing.  If I have a packet that goes out my VPN interface to one peer, say 1.1.1.1, but comes back from 2.2.2.2, will this work?  From my simulations, it doesn't.  If this won't work, is there a way to allow this type of VPN traffic?  I mean, if I send traffic out to peer 1.1.1.1 and it comes back from 2.2.2.2, or if the remote site sends out from 1.1.1.1 and I reply back to peer 2.2.2.2, it won't cause problems.


Thanks.


Mark


Are these 2 peers in different remote sites? If so, I am surprised if this is working, because your config is basically using 2 peers as redundant connections for the same VPN.


If these are separate connections from different sites, then are they both using 5.5.5.0/24 as their subnet? If so, you could NAT one of them at the remote end if you control both ends.


Can you clarify?


Jon

marcusbrutus Tue, 03/02/2010 - 10:59

Hi Jon,


The two router peers are at the same branch office.  They have two routers running on their perimeter for redundancy, one with IP 1.1.1.1 and the other 2.2.2.2.  The 5.5.5.0 subnet is a resource on their internal network.

Jon Marshall Tue, 03/02/2010 - 11:39

Mark


If the 2 routers are in the same office, could you not run HSRP between them, so that only one router is used to initiate the tunnel? How do these routers exchange routes with your head office router?


Jon
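The HSRP approach Jon suggests, written out as an added IOS configuration example (not posted in this thread). It assumes both branch routers share one outside segment (HSRP requires this; 1.1.1.0/24 is used here, so the question's 2.2.2.2 would have to be readdressed), a head-office address of 192.0.2.1 and interface names that are placeholders, and OSPF as the branch IGP. Head office then peers only with the HSRP virtual address, so the tunnel, the IPsec SA and the inside routing all follow the active router and the asymmetric-return case never arises.

```cisco
! Branch router A (1.1.1.1/24 outside, assumed). Router B is identical
! except for its own address and a lower standby priority.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! 192.0.2.1 = head-office public address (placeholder, not from the thread)
crypto isakmp key EXAMPLE_PSK address 192.0.2.1
crypto ipsec transform-set tset esp-aes esp-sha-hmac
!
crypto map test 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set tset
 match address 101
 reverse-route
! Branch-side view of the tunnel: local 5.5.5.0/24 to head-office 6.6.6.0/24
access-list 101 permit ip 5.5.5.0 0.0.0.255 6.6.6.0 0.0.0.255
!
interface GigabitEthernet0/0
 description Outside; head office only ever sees the virtual address 1.1.1.10
 ip address 1.1.1.1 255.255.255.0
 standby 1 ip 1.1.1.10
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPNHA
 ! bind the crypto map to the HSRP group: ISAKMP/IPsec source the virtual IP,
 ! and the SA is only ever built on the router that is currently active
 crypto map test redundancy VPNHA
!
! reverse-route installs a static route to 6.6.6.0/24 on whichever router
! owns the SA; redistributing it makes inside hosts exit via that router,
! so inbound and outbound traffic always use the same tunnel endpoint.
router ospf 1
 network 5.5.5.0 0.0.0.255 area 0
 redistribute static subnets
!
! Head office: a single peer, the branch virtual address, replaces the
! two "set peer" lines from the original question.
crypto map test 10 ipsec-isakmp
 set peer 1.1.1.10
 set transform-set tset
 match address 101
```

On failover, the surviving router becomes HSRP active and builds a fresh SA with the head office; without stateful SSO the existing SA is torn down and re-established, which is expected.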
