point to multipoint vpn question

marcusbrutus
Level 1

Hi,

I have a router with crypto map applied to an interface.  This crypto map has two remote peers with the below configuration.

crypto map test 10 ipsec-isakmp
 set peer 1.1.1.1
 set peer 2.2.2.2
 set transform-set tset
 match address 101
!
access-list 101 permit ip 5.5.5.0 0.0.0.255 6.6.6.0 0.0.0.255

These two remote peers are two routers that are accessing the same resource which is 6.6.6.0/24.

My question has something to do with asymmetric routing.  If I have a packet that comes out my VPN interface to one peer, say 1.1.1.1, but goes back from 2.2.2.2, will this work?  From my simulations, it doesn't.  If this won't work, is there a way to allow this type of VPN traffic?  I mean, if I send traffic out to peer 1.1.1.1 and it comes back from 2.2.2.2, or if the remote site sends out from 1.1.1.1 and I can reply back to peer 2.2.2.2, it won't cause problems.

Thanks.

3 Replies

Jon Marshall
Hall of Fame

Mark

Are these 2 peers in different remote sites? If so, I am surprised if this is working, because your config is basically using 2 peers as redundant connections for the same VPN.

If these are separate connections from different sites, then are they both using 5.5.5.0/24 as their subnet? If so, you could NAT one of them at the remote end if you control both ends.

Can you clarify ?

Jon

Hi Jon,

The two router peers are on the same branch office.  They have two routers running on their perimeter for redundancy.  One router with IP 1.1.1.1 and the other 2.2.2.2.  The 5.5.5.0 subnet is a resource on their internal network.

Mark

If the 2 routers are in the same office, could you not run HSRP between them, and then only one router will be used to initiate the tunnel? How do these routers exchange routes with your head office router?

Jon
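Following Jon's HSRP suggestion, here is an added example configuration (not from the thread) of the branch pair sharing one HSRP virtual address on the outside, so the head office has a single peer and the outbound and return paths stay on the same router. It assumes 5.5.5.0/24 is behind the branch pair and 6.6.6.0/24 behind a head-office router at 4.4.4.4; the interface names, HSRP group name, VIP 3.3.3.3 and the placeholder pre-shared key are all invented for the example.

```cisco
! ===== Branch router A (outside 1.1.1.1, preferred HSRP active) =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! PLACEHOLDER-PSK and 4.4.4.4 (head-office peer) are assumed values
crypto isakmp key PLACEHOLDER-PSK address 4.4.4.4
! DPD: lets the head office drop a dead SA when the active router fails
crypto isakmp keepalive 10 3
crypto ipsec transform-set tset esp-aes esp-sha-hmac
crypto map test 10 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set tset
 match address 101
access-list 101 permit ip 5.5.5.0 0.0.0.255 6.6.6.0 0.0.0.255
!
interface GigabitEthernet0/0
 description outside - VIP 3.3.3.3 is the only peer the head office sees
 ip address 1.1.1.1 255.255.255.0
 standby 1 ip 3.3.3.3
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 crypto map test redundancy VPN-HA
!
interface GigabitEthernet0/1
 description inside 5.5.5.0/24 - inside VIP tracks the outside link
 ip address 5.5.5.2 255.255.255.0
 standby 2 ip 5.5.5.1
 standby 2 priority 110
 standby 2 preempt
 standby 2 track GigabitEthernet0/0 20
!
! ===== Branch router B (outside 2.2.2.2) =====
! Same configuration, except:
!  Gi0/0: ip address 2.2.2.2 255.255.255.0 / standby 1 priority 100
!  Gi0/1: ip address 5.5.5.3 255.255.255.0 / standby 2 priority 100
!
! ===== Head-office router (4.4.4.4) =====
! One peer only: the branch VIP. Crypto ACL mirrors the branch one.
crypto map test 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set tset
 match address 101
access-list 101 permit ip 6.6.6.0 0.0.0.255 5.5.5.0 0.0.0.255
```

The inside HSRP group tracks the outside interface, so when the active router's outside link fails the branch LAN default gateway moves to the router that will rebuild the tunnel, keeping both directions on one box. The head office never sees a second peer, which is what removes the asymmetric case described in the question.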
