Hi,

   Thanks for the reply, I had already tried with changing the policy number but it didnt work. The primary connection from the spoke to hub doesnt terminates. It still shows active when i do show crypto isakmp sa.

       However, I am trying with GRE, The hub and spoke GRE/VPN works fine with eigrp. As soon as i shut down the primary link at the hub side both the gre tunnels(Primary and secondary) goes down. and then eigrp does not creates a neighbour with spoke with no notice and hub and on the spoke side it shows following message

%DUAL-5-NBRCHANGE: IP-EIGRP 64: Neighbor 10.0.0.1 (Tunnel0) is down: holding time expired

%DUAL-5-NBRCHANGE: IP-EIGRP 64: Neighbor 10.0.0.9 (Tunnel1) is down: holding time expired

remember i am talking about the scenario when you have two links to internet on hub and one link to internet at spokes side

Thanks.

Hi，

   Thanks for the reply, I had already tried with changing the policy number but it didnt work. The primary connection from the spoke to hub doesnt terminates. It still shows active when i do show crypto isakmp sa.

Did you configure DPD (dead peer detection)?

       However, I am trying with GRE, The hub and spoke GRE/VPN works fine with eigrp. As soon as i shut down the primary link at the hub side both the gre tunnels(Primary and secondary) goes down. and then eigrp does not creates a neighbour with spoke with no notice and hub and on the spoke side it shows following message

How do you configure the tunnel end points on your spoke? Are you using the  primary link's IP as tunnel destination for primary tunnel and  backup link's IP as tunnel destination for backup tunnel? On your hub router, are you using equal cost static route for both links or floating static route?

Regards,

Lei Tian

Hi Lei,

       Ok i worked out with tunnels and EIGRP and now i am able to successfully create redundancy between HUB and spoke tunnels. I have also checked by forcefully disconnecting my primary link then the eigrp routes are converged from second link.

It works fine before implementing ipsec. Now the problem is that redudant links does not work with IPSEC. The tunnel flicks so does the adjancey .

Here are the config of my hub and spoke

HUB

crypto isakmp policy 1

encr aes

authentication pre-share

group 5

crypto isakmp key cisco123 address 20.20.20.1

crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac

crypto map vpn 10 ipsec-isakmp

   FOR ISP1 to SPOKE

set peer 20.20.20.1

set transform-set aes-sha

match address isp1

crypto map ISP2 20 ipsec-isakmp

set peer 20.20.20.1

set transform-set aes-sha

match address isp2

interface Tunnel0

   Connected to my SPOKE with ISP1

ip address 10.0.0.1 255.255.255.252

tunnel source FastEthernet0/1

tunnel destination 20.20.20.1

interface Tunnel5

WITH ISP2

ip address 10.0.0.9 255.255.255.252

tunnel source Ethernet0/0/0

tunnel destination 20.20.20.1

interface FastEthernet0/1

   ISP1

bandwidth 8000000

ip address 30.30.30.1 255.255.255.252

duplex auto

speed auto

shutdown

crypto map vpn

interface Ethernet0/0/0

ISP2

bandwidth 1000000

ip address 24.24.24.25 255.255.255.252

duplex auto

speed auto

crypto map ISP2

ip access-list extended isp1

permit gre host 30.30.30.1 host 20.20.20.1

ip access-list extended isp1

permit gre host 24.24.24.25 host 20.20.20.1

ip route 0.0.0.0 0.0.0.0 30.30.30.2

ip route 0.0.0.0 0.0.0.0 24.24.24.26 10

SPOKE

crypto isakmp key cisco123 address 24.24.24.25

crypto isakmp key cisco123 address 30.30.30.1

crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac

!

crypto map vpn 10 ipsec-isakmp

set peer 30.30.30.1

set transform-set aes-sha

match address isp1

!

crypto map vpn 11 ipsec-isakmp

set peer 24.24.24.25

set transform-set aes-sha

match address isp2

interface Tunnel0

ip address 10.0.0.2 255.255.255.252

tunnel source FastEthernet0/1

tunnel destination 30.30.30.1

!

!

interface Tunnel1

ip address 10.0.0.10 255.255.255.252

tunnel source FastEthernet0/1

tunnel destination 24.24.24.25

interface FastEthernet0/1

ISP

ip address 20.20.20.1 255.255.255.252

duplex auto

speed auto

crypto map vpn

ip access-list extended isp1

permit gre host 20.20.20.1 host 30.30.30.1

ip access-list extended isp2-lav

permit gre host 20.20.20.1 host 24.24.24.25

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1

Can you help?

Hi,

So you want use 2 links as active/standby? I will configure as following

HUB

crypto isakmp policy 1

encr aes

authentication pre-share

group 5

crypto isakmp key cisco123 address 20.20.20.1

crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac

crypto ipsec profile HUB

set transform-set aes-sha
 

interface Tunnel0

   Connected to my SPOKE with ISP1

bandwidth 10000

ip address 10.0.0.1 255.255.255.252

tunnel source FastEthernet0/1

tunnel destination 20.20.20.1
tunnel key 100
tunnel protection ipsec profile HUB

interface Tunnel5

bandwidth 1000

WITH ISP2

ip address 10.0.0.9 255.255.255.252

tunnel source Ethernet0/0/0

tunnel destination 20.20.20.1
tunnel key 200
tunnel protection ipsec profile HUB

interface FastEthernet0/1

   ISP1

bandwidth 8000000

ip address 30.30.30.1 255.255.255.252

duplex auto

speed auto

interface Ethernet0/0/0

ISP2

bandwidth 1000000

ip address 24.24.24.25 255.255.255.252

duplex auto

speed auto

ip route 0.0.0.0 0.0.0.0 30.30.30.2

ip route 0.0.0.0 0.0.0.0 24.24.24.26 10

router eigrp 1

no auto

net 10.0.0.0

SPOKE

crypto isakmp key cisco123 address 24.24.24.25

crypto isakmp key cisco123 address 30.30.30.1

crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac

!

crypto ipsec profile SPOKE

set transform-set aes-sha

interface Tunnel0

bandwidth 10000
ip address 10.0.0.2 255.255.255.252

tunnel source FastEthernet0/1

tunnel destination 30.30.30.1
tunnel protection ipsec profile SPOKE share
tunnel key 100
!

!

interface Tunnel1
bandwidth 1000
ip address 10.0.0.10 255.255.255.252

tunnel source FastEthernet0/1

tunnel destination 24.24.24.25
tunnel protection ipsec profile SPOKE share
tunnel key 200

interface FastEthernet0/1

ISP

ip address 20.20.20.1 255.255.255.252

duplex auto

speed auto

router eigrp 1

no auto

net 10.0.0.0

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1

Regards,

Lei Tian

Hi Lei,

       In your config no crypto map, no set peer and nor binding of transform set. What is this crypto ipsec profile? It's the first time i am seeing an ipsec config like this. How does it work?

Secondly i got to work with the config i was doing with eigrp. Now in the beginning hub creates adjancey with 4 tunnels a pair each for primary and secondary link. As soon as one goes does the other tunnel comes up automatically and converges the routes. What i did is that i made two different crypto ipsec map one each for primary and secondary link. However, in the acl i permitted gre traffic for both public ips destined to single public ip of hub.

Although i got it working but for my personal knowledge i would appreciate if you could explain the above configuration you have done.

Thanks.

Hi,

Tunnel protection is the recommend way of doing GRE + IPSEC; it uses the tunnel's end points as the ipsec peer by default, and whatever traffic send through the tunnel interface will be encrypted, so no need for ACL. This feature was introduced in 12.2(13)T code; if you are running 12.2(13)T or newer release, I think you should use tunnel protection.

The reason your crypto-map doesnt work is because the primary link is the default, both tunnels use that link when it is up. However, your crypto-map only has the policy for primary tunnel, which will make the backup tunnel's traffic leave as un-encrypted traffic.

Again, I recommend you use tunnel protection, which gives you lease headache; no peers, no acl, no crypto map on physical interface. If you still want use your crypto-map, add another policy for backup tunnel in primary crypto-map.

Hope that helps.

Regards,

Lei Tian

hi,

leitian

I think you are a very good engineer.

Thanks Feng, I take as a compliment ; )

Regards,

Lei Tian