08-28-2010 02:07 AM
Hello Folks,
I have a hub-and-spoke IPsec VPN running for one hub and 3 spokes over the internet. Everything seems to be running properly. Now what I want to do is this: I have two internet links on my hub and I want to use them as a failover for both the VPN and the internet.
What is in my mind at the moment is that it could be achieved by making another crypto map policy at the spokes and setting the peer IP to the failover internet connection on the hub side, but I am not sure if it will work or not.
Can anyone suggest a solution?
THanks
08-28-2010 04:04 AM
Hello,
Yes, you can get active/passive redundancy by configuring multiple policies on the same policy-map. The one with the lower number will be the primary policy. I think that is not stateful failover, which means all connections need to re-establish once failover happens from the active policy to the standby policy.
Or you can configure GRE or DMVPN to have a routing protocol running on top of the VPN; that way you can get redundancy or load sharing from the routing protocol.
Regards,
Lei Tian
08-28-2010 05:38 AM
Hi,
Thanks for the reply. I had already tried changing the policy number but it didn't work. The primary connection from the spoke to the hub doesn't terminate. It still shows active when I do show crypto isakmp sa.
However, I am trying with GRE. The hub and spoke GRE/VPN works fine with EIGRP. As soon as I shut down the primary link at the hub side, both the GRE tunnels (primary and secondary) go down, and then EIGRP does not form a neighbour with the spoke, with no notice on the hub, and on the spoke side it shows the following message:
%DUAL-5-NBRCHANGE: IP-EIGRP 64: Neighbor 10.0.0.1 (Tunnel0) is down: holding time expired
%DUAL-5-NBRCHANGE: IP-EIGRP 64: Neighbor 10.0.0.9 (Tunnel1) is down: holding time expired
Remember I am talking about the scenario where you have two links to the internet on the hub and one link to the internet at the spoke side.
Thanks.
08-28-2010 05:50 AM
Hi,
> Thanks for the reply. I had already tried changing the policy number but it didn't work. The primary connection from the spoke to the hub doesn't terminate. It still shows active when I do show crypto isakmp sa.
Did you configure DPD (dead peer detection)?
> However, I am trying with GRE. The hub and spoke GRE/VPN works fine with EIGRP. As soon as I shut down the primary link at the hub side, both the GRE tunnels (primary and secondary) go down, and then EIGRP does not form a neighbour with the spoke, with no notice on the hub, and on the spoke side it shows the following message
How do you configure the tunnel end points on your spoke? Are you using the primary link's IP as the tunnel destination for the primary tunnel and the backup link's IP as the tunnel destination for the backup tunnel? On your hub router, are you using equal-cost static routes for both links or a floating static route?
Regards,
Lei Tian
08-28-2010 08:34 AM
Hi Lei,
OK, I worked it out with tunnels and EIGRP and now I am able to successfully create redundancy between the hub and spoke tunnels. I have also checked by forcefully disconnecting my primary link; then the EIGRP routes converge over the second link.
It works fine before implementing IPsec. Now the problem is that the redundant links do not work with IPsec. The tunnel flaps and so does the adjacency.
Here are the configs of my hub and spoke.
HUB
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 20.20.20.1
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 description FOR ISP1 to SPOKE
 set peer 20.20.20.1
 set transform-set aes-sha
 match address isp1
!
crypto map ISP2 20 ipsec-isakmp
 set peer 20.20.20.1
 set transform-set aes-sha
 match address isp2
!
interface Tunnel0
 description Connected to my SPOKE with ISP1
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 20.20.20.1
!
interface Tunnel5
 description WITH ISP2
 ip address 10.0.0.9 255.255.255.252
 tunnel source Ethernet0/0/0
 tunnel destination 20.20.20.1
!
interface FastEthernet0/1
 description ISP1
 bandwidth 8000000
 ip address 30.30.30.1 255.255.255.252
 duplex auto
 speed auto
 shutdown
 crypto map vpn
!
interface Ethernet0/0/0
 description ISP2
 bandwidth 1000000
 ip address 24.24.24.25 255.255.255.252
 duplex auto
 speed auto
 crypto map ISP2
!
ip access-list extended isp1
 permit gre host 30.30.30.1 host 20.20.20.1
! ACL name corrected to isp2 (the post repeated "isp1"); crypto map ISP2 references isp2
ip access-list extended isp2
 permit gre host 24.24.24.25 host 20.20.20.1
!
ip route 0.0.0.0 0.0.0.0 30.30.30.2
ip route 0.0.0.0 0.0.0.0 24.24.24.26 10
SPOKE
! crypto isakmp policy omitted from the post; it must match the hub's policy 1 (aes, pre-share, group 5)
crypto isakmp key cisco123 address 24.24.24.25
crypto isakmp key cisco123 address 30.30.30.1
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 30.30.30.1
 set transform-set aes-sha
 match address isp1
!
crypto map vpn 11 ipsec-isakmp
 set peer 24.24.24.25
 set transform-set aes-sha
 match address isp2
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 30.30.30.1
!
interface Tunnel1
 ip address 10.0.0.10 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 24.24.24.25
!
interface FastEthernet0/1
 description ISP
 ip address 20.20.20.1 255.255.255.252
 duplex auto
 speed auto
 crypto map vpn
!
ip access-list extended isp1
 permit gre host 20.20.20.1 host 30.30.30.1
! ACL name corrected to isp2 (the post had "isp2-lav"); crypto map entry vpn 11 references isp2
ip access-list extended isp2
 permit gre host 20.20.20.1 host 24.24.24.25
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
Can you help?
08-28-2010 11:57 AM
Hi,
So you want to use the 2 links as active/standby? I would configure it as follows.
HUB
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 20.20.20.1
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto ipsec profile HUB
 set transform-set aes-sha
!
interface Tunnel0
 description Connected to my SPOKE with ISP1
 bandwidth 10000
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 20.20.20.1
 tunnel key 100
 tunnel protection ipsec profile HUB
!
interface Tunnel5
 description WITH ISP2
 bandwidth 1000
 ip address 10.0.0.9 255.255.255.252
 tunnel source Ethernet0/0/0
 tunnel destination 20.20.20.1
 tunnel key 200
 tunnel protection ipsec profile HUB
!
interface FastEthernet0/1
 description ISP1
 bandwidth 8000000
 ip address 30.30.30.1 255.255.255.252
 duplex auto
 speed auto
!
interface Ethernet0/0/0
 description ISP2
 bandwidth 1000000
 ip address 24.24.24.25 255.255.255.252
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 30.30.30.2
ip route 0.0.0.0 0.0.0.0 24.24.24.26 10
!
router eigrp 1
 no auto-summary
 network 10.0.0.0
SPOKE
! crypto isakmp policy omitted from the post; it must match the hub's policy 1 (aes, pre-share, group 5)
crypto isakmp key cisco123 address 24.24.24.25
crypto isakmp key cisco123 address 30.30.30.1
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set aes-sha
!
! "shared" (the post wrote "share"): both tunnels use the same tunnel source, so they share one IPsec SADB
interface Tunnel0
 bandwidth 10000
 ip address 10.0.0.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 30.30.30.1
 tunnel key 100
 tunnel protection ipsec profile SPOKE shared
!
interface Tunnel1
 bandwidth 1000
 ip address 10.0.0.10 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 24.24.24.25
 tunnel key 200
 tunnel protection ipsec profile SPOKE shared
!
interface FastEthernet0/1
 description ISP
 ip address 20.20.20.1 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 1
 no auto-summary
 network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
Regards,
Lei Tian
08-28-2010 10:27 PM
Hi Lei,
In your config there is no crypto map, no set peer, and no binding of the transform set. What is this crypto ipsec profile? It's the first time I am seeing an IPsec config like this. How does it work?
Secondly, I got it to work with the config I was doing with EIGRP. Now in the beginning the hub creates adjacencies over 4 tunnels, a pair each for the primary and secondary link. As soon as one goes down, the other tunnel comes up automatically and converges the routes. What I did is that I made two different crypto maps, one each for the primary and secondary link. However, in the ACL I permitted GRE traffic for both public IPs destined to the single public IP of the hub.
Although I got it working, for my personal knowledge I would appreciate it if you could explain the above configuration you have done.
Thanks.
08-29-2010 03:16 AM
Hi,
Tunnel protection is the recommended way of doing GRE + IPsec; it uses the tunnel's end points as the IPsec peers by default, and whatever traffic is sent through the tunnel interface will be encrypted, so there is no need for an ACL. This feature was introduced in 12.2(13)T code; if you are running 12.2(13)T or a newer release, I think you should use tunnel protection.
The reason your crypto map doesn't work is that the primary link is the default; both tunnels use that link when it is up. However, your crypto map only has the policy for the primary tunnel, which will make the backup tunnel's traffic leave as unencrypted traffic.
Again, I recommend you use tunnel protection, which gives you less headache: no peers, no ACL, no crypto map on the physical interface. If you still want to use your crypto map, add another policy for the backup tunnel in the primary crypto map.
Hope that helps.
Regards,
Lei Tian
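The failure Lei describes (the backup tunnel's GRE packets leaving the primary link in the clear) can be checked mechanically. This is an added example, not code from the thread: a small Python check that parses just the relevant statements of a hub crypto-map config, assumes the primary link FastEthernet0/1 is the default-route egress (as in the thread), and reports every GRE tunnel whose outer packet matches no `permit gre` entry of the crypto map bound to that egress. The HUB snippet is constructed from the config posted above (ISP2's own crypto map is left out because it is not on the egress); FIX is the extra policy Lei suggests.

```python
def parse_ios(text):  # minimal parser for just the IOS statements this check needs
    cfg, blk = {"if": {}, "cmap": {}, "acl": {}}, None
    for w in (line.split() for line in text.splitlines()):
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            blk = cfg["if"].setdefault(w[1], {})
        elif w[:2] == ["crypto", "map"] and len(w) > 3:  # crypto map NAME SEQ ipsec-isakmp
            blk = cfg["cmap"].setdefault(w[2], [])
        elif w[:2] == ["ip", "access-list"]:
            blk = cfg["acl"].setdefault(w[3], [])
        elif isinstance(blk, dict):  # interface sub-commands: keep only the fields we need
            key = {"ip address": "ip", "tunnel source": "src", "tunnel destination": "dst",
                   "crypto map": "cmap"}.get(" ".join(w[:2]))
            if key:
                blk[key] = w[2]
        elif isinstance(blk, list) and w[:2] == ["match", "address"]:
            blk.append(w[2])  # ACL name bound to this crypto-map entry
        elif isinstance(blk, list) and w[0] == "permit":
            blk.append((w[1], w[3], w[5]))  # (proto, src host, dst host)
    return cfg

def unencrypted_tunnels(cfg, egress):  # GRE tunnels whose outer packets leave `egress` in the clear
    acls = [e for a in cfg["cmap"].get(cfg["if"][egress].get("cmap"), []) for e in cfg["acl"].get(a, [])]
    tunnels = {n: (cfg["if"][t["src"]]["ip"], t["dst"]) for n, t in cfg["if"].items() if "dst" in t}
    # the outer GRE packet is tunnel-source IP -> tunnel destination; it needs a matching permit gre entry
    return [(n, s, d) for n, (s, d) in tunnels.items() if ("gre", s, d) not in acls]

# Constructed from the hub config posted in the thread (ISP2's own crypto map omitted: not on the egress)
HUB = """
crypto map vpn 10 ipsec-isakmp
 match address isp1
interface Tunnel0
 tunnel source FastEthernet0/1
 tunnel destination 20.20.20.1
interface Tunnel5
 tunnel source Ethernet0/0/0
 tunnel destination 20.20.20.1
interface FastEthernet0/1
 ip address 30.30.30.1 255.255.255.252
 crypto map vpn
interface Ethernet0/0/0
 ip address 24.24.24.25 255.255.255.252
ip access-list extended isp1
 permit gre host 30.30.30.1 host 20.20.20.1
ip access-list extended isp2
 permit gre host 24.24.24.25 host 20.20.20.1
"""
FIX = "crypto map vpn 20 ipsec-isakmp\n match address isp2\n"  # Lei's extra policy on the primary map
```

Run against HUB alone the check flags Tunnel5 (24.24.24.25 to 20.20.20.1) as leaving FastEthernet0/1 unencrypted; with FIX appended it reports nothing.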
08-29-2010 12:27 AM
Hi Lei Tian,
I think you are a very good engineer.
08-29-2010 03:20 AM
Thanks Feng, I take it as a compliment ; )
Regards,
Lei Tian
08-28-2010 10:20 AM
Hello,
I think the GRE has some problems.
What data stream will be GRE-encapsulated? What data stream will be IPsec-encapsulated?
In my opinion, the data stream will not be encapsulated by GRE, because the default route will lead the data stream to interface F0/1 and not to interface Tunnel 0 or interface Tunnel 5. Therefore the GRE encapsulation won't happen, and as a result the IPsec encapsulation won't happen.
My English is poor, so my answer may have some grammar mistakes, which may make it more difficult to understand.
Regards,
Feng Luo