connected to 2 remote peers in site to site vpn

Unanswered Question
Sep 18th, 2010

Hi all,

I have a Cisco 1841 router which is connected to a partner site via site-to-site VPN.

Our partner has given us the IP addresses of 2 remote peers that we can use to establish the site-to-site VPN for backup purposes.

On one occasion, our router was connected to 2 remote peers and it seemed to cause our connection to fail. I removed the connection to 1 of the remote peers and it worked fine after that. Please advise whether concurrent connections to 2 remote peers will result in connectivity problems.

Below is a portion of the router config showing the phase 1 and phase 2 config. Thanks in advance.

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key yyyyyyyy address 1.x.x.x
crypto isakmp key yyyyyyyy address 2.x.x.x
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map testing 50 ipsec-isakmp
set peer 1.x.x.x
set peer 2.x.x.x
set security-association lifetime seconds 300000
set transform-set test
set pfs group2
match address 101

praprama Sat, 09/18/2010 - 07:56

Hey,

The reason for that could have been the fact that the remote site must have initiated the tunnel in that case. We can confirm this using the output of "show crypto isakmp sa" when you saw both the tunnels up.

Yes, it might result in connectivity issues when both the primary and backup peer are up. In such a situation, what we need is that the VPN tunnel should be initiated by your router, whereas the remote ends should be set to respond only. So on your side, you will need to have the command

crypto map testing 50 set connection-type originate-only

Also, on the remote sides, we need to ensure they are set to "respond-only". It depends on what devices you are connecting though. Are they Cisco or 3rd party?

The reason for this is that according to your router here, the 1st peer 1.x.x.x in the crypto map is the primary one while the 2nd one 2.x.x.x is the backup one. So, you want the 2nd one to be used only when the first one fails.

But, if the remote site with IP 2.x.x.x were to initiate the VPN tunnel, then our router will end up having 2 tunnels, as you said you had a while back. This is the reason why we need the originate-only and respond-only commands.

Hope this is clear. Let me know if something was unclear!!

Regards,

Prapanch
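Prapanch's suggestion is to confirm the dual-tunnel condition from `show crypto isakmp sa`. The script below is an added example, not code from this thread or from Cisco, that does exactly that check over a pasted copy of the command output. It assumes the usual IOS column layout (`dst src state conn-id status`), that an established IKE SA shows `QM_IDLE` / `ACTIVE`, and that `src` holds the initiator's address, so an SA whose `src` is the local router was initiated locally and one whose `src` is the remote peer was initiated by the partner. The sample output and the RFC 5737 addresses (standing in for the 1.x.x.x and 2.x.x.x peers in the post) are constructed for the example.

```python
"""Flag concurrent IKE SAs to the peers of one crypto map entry
(added example; parses constructed `show crypto isakmp sa` output)."""
import re

# Constructed sample of IOS `show crypto isakmp sa` output. The third row is
# a stale SA left over after a rekey and must not count as a live tunnel.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     198.51.100.10   QM_IDLE           1001 ACTIVE
198.51.100.10   203.0.113.2     QM_IDLE           1002 ACTIVE
203.0.113.1     198.51.100.10   MM_NO_STATE       1003 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

LOCAL_IP = "198.51.100.10"                 # our router's VPN interface (assumed)
PEERS = ["203.0.113.1", "203.0.113.2"]     # `set peer` order: primary, backup

# dst, src, state, numeric conn-id, then whatever remains as the status text
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S.*)$")


def parse_isakmp_sa(text):
    """Return one dict per SA row; header, blank and section-title lines are
    skipped because their fourth field is not a numeric conn-id."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        dst, src, state, conn_id, status = m.groups()
        rows.append({"dst": dst, "src": src, "state": state,
                     "conn_id": int(conn_id), "status": status.strip()})
    return rows


def established_peers(rows, local_ip, peers):
    """Map each configured peer that has a live IKE SA to who initiated it:
    'local' if our router did (we are src), 'remote' if the partner did."""
    found = {}
    for r in rows:
        if r["state"] != "QM_IDLE" or r["status"] != "ACTIVE":
            continue  # still negotiating, or a deleted/stale entry
        if r["src"] == local_ip and r["dst"] in peers:
            found[r["dst"]] = "local"
        elif r["dst"] == local_ip and r["src"] in peers:
            found[r["src"]] = "remote"
    return found


def check_single_tunnel(rows, local_ip, peers):
    """(ok, found): ok is False when more than one peer of the crypto map
    entry is up at once, i.e. the backup came up alongside the primary."""
    found = established_peers(rows, local_ip, peers)
    return len(found) <= 1, found


if __name__ == "__main__":
    sa_rows = parse_isakmp_sa(SAMPLE_OUTPUT)
    ok, up = check_single_tunnel(sa_rows, LOCAL_IP, PEERS)
    for peer in PEERS:
        print(f"{peer}: {up.get(peer, 'no established SA')}")
    print("OK: single tunnel" if ok else "WARNING: primary and backup both up")
```

On the constructed output the check reports the primary tunnel as initiated locally and the backup tunnel as initiated by the partner, which is the situation the reply describes. Replace `SAMPLE_OUTPUT` with the real command output and `LOCAL_IP`/`PEERS` with the router's own addresses to run it against a live box.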

Nagaraja Thanthry Sat, 09/18/2010 - 08:23

Hello,

Can you please try the following:

crypto map testing 50 ipsec-isakmp
set peer 1.x.x.x
set security-association lifetime seconds 300000
set transform-set test
set pfs group2
match address 101

crypto map testing 60 ipsec-isakmp
set peer 2.x.x.x
set security-association lifetime seconds 300000
set transform-set test
set pfs group2
match address 102

Regards,

NT

donnie Sat, 09/18/2010 - 13:50

Hi Prapanch and NT,

I cannot confirm whether my partner network would initiate a session into my network, hence I would think the originate-only option may not be suitable.

Can I confirm that by having 2 remote peers in my crypto map, this would allow my router to establish SAs with both remote peers concurrently?

Hence I think it would be better to split the 2 remote peers by having separate sequence numbers in the same crypto map, as advised by NT and as shown below.

Would this ensure that my router will only connect to 1 remote peer at any one time, and that I will have redundancy in case the remote peer in seq 50 is unavailable for some reason? Please advise.

crypto map testing 50 ipsec-isakmp
set peer 1.x.x.x
set security-association lifetime seconds 300000
set transform-set test
set pfs group2
match address 101

crypto map testing 60 ipsec-isakmp
set peer 2.x.x.x
set security-association lifetime seconds 300000
set transform-set test
set pfs group2
match address 101

For the crypto map entries with different sequence numbers, can I specify matching the address using the same access list 101? The interesting traffic that results in VPN establishment is defined in access list 101.

Jitendriya Athavale Sat, 09/18/2010 - 17:27

I am not sure how that would help, because since the crypto ACL always matches the first one, you would end up having the first tunnel work fine, but then the backup probably would never work.

I think the best bet you have here is the originate-only command, and if I am not wrong, I think this command is supported from 7.24 or 8 onwards. I am not too sure; you can check it out: if it takes the command, then it is supported.

praprama Sat, 09/18/2010 - 22:30

Hey,

This situation again won't help, as from the point of view of the router, it is just overlapping networks for 2 different VPN tunnels. I'm afraid this will not help in any kind of failover scenario and will again lead to conflicts and traffic not passing the way we want it to.

The best (and, according to me, the ONLY) option we have is to use the configuration you already have, with the originate-only config on your end and respond-only on the other end.

Actually, we don't really need to have respond-only configured on the remote end, because when our end is configured as originate-only, it will not respond to any requests to initiate the tunnel from the remote end. I would suggest giving this a shot and seeing if it works.

Let me know how it goes!!

Regards,

Prapanch

donnie Thu, 10/28/2010 - 19:33

Hi Prapanch,

Apologies for the late reply. I am using a Cisco 1811 router.

It seems I can't set the following. Please advise how I can set the originate-only option. Thank you.

"crypto map testing 50 set connection-type originate-only"
