
dual wan, dual VTI between two offices

Answered Question
May 17th, 2012

Hello,


We have two offices with two 1841 routers. Each office has two WAN links (one ADSL with a dialer, one SDSL) with fixed IPs.

The adsl link is the default route with failover.

Only one VTI is working properly with the config below (the ADSL one). If I remove the route "ip route 0.0.0.0 0.0.0.0 dialer 1 track 1", both VTIs work properly, but then all traffic goes over the SDSL link, which is not the behaviour we would like.


Do you have any suggestion for getting both VTIs working while keeping the default route on the ADSL link?


Thanks in advance,


Regards,


Olivier

------------------------------------------------

track 1 ip sla 1 reachability
 delay down 1 up 1
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XXXXXX address 217.x.x.133 no-xauth
crypto isakmp key YYYYYY address 95.x.x.22 no-xauth
!
!
crypto ipsec transform-set esp-aes128-sha esp-aes esp-sha-hmac
!
crypto ipsec profile vti
 set transform-set esp-aes128-sha
!
!
interface Tunnel0
 description VTI To boussolebea
 ip address 192.168.50.1 255.255.255.0
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 217.x.x.133
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vti
!
interface Tunnel1
 description VTI To Boussolebea SDSL
 ip address 192.168.51.1 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 95.x.x.22
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vti
!
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description To SDSL
 ip address 62.x.x.10 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer1
 description To ADSL
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7
!
ip local policy route-map IspSDSL-Redirect
ip local pool PoolVpnAdsl 192.168.60.1 192.168.60.10
ip local pool PoolVpnSdsl 192.168.61.1 192.168.61.10
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
!
!
ip nat inside source route-map IspADSL interface Dialer1 overload
ip nat inside source route-map IspSDSL interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 62.x.x.9 10
ip route 192.168.11.0 255.255.255.0 192.168.51.2
ip route 192.168.11.0 255.255.255.0 192.168.50.2 10
!
ip access-list extended Ipsec
 permit tcp host 62.x.x.10 eq 500 any
ip access-list extended SSH
 permit tcp host 62.x.x.10 eq 22 any
ip access-list extended SSL
 permit tcp host 62.x.x.10 eq 443 any
!
ip radius source-interface FastEthernet0/0
ip sla 1
 icmp-echo 193.x.x.3 source-interface Dialer1
 threshold 60
 timeout 1000
ip sla schedule 1 life forever start-time now
logging esm config
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny   any
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
route-map IspSDSL permit 1
 match ip address 10
 match interface FastEthernet0/1
!
route-map IspADSL permit 1
 match ip address 10
 match interface Dialer1
!
route-map IspSDSL-Redirect permit 10
 match ip address SSL SSH
 match interface FastEthernet0/1
 set ip next-hop 62.x.x.9

Kevin P Sheahan Thu, 05/17/2012 - 08:13

What makes you believe that the other VTI is not functioning properly? Is the tunnel down or are you just unable to ping the other end?




Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Olivier Joly Thu, 05/17/2012 - 08:59

Dear Kevin,


The command "sh crypto session" gives this:


Crypto session current status

Interface: Tunnel1
Session status: DOWN-NEGOTIATING
Peer: 95.x.x.22 port 500
  IKEv1 SA: local 62.x.x.10/500 remote 95.x.x.22/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 217.x.x.133 port 500
  IKEv1 SA: local 193.x.x.113/500 remote 217.x.x.133/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map


If the default route via Dialer1 is removed, both are UP-ACTIVE.

Correct Answer
Kevin P Sheahan Thu, 05/17/2012 - 16:28

Hi Olivier,


Add the following static route...


ip route 95.x.x.22 255.255.255.255


This is so that the router stops trying to reach Tunnel1's tunnel destination through the Dialer1 link.




Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Olivier Joly Fri, 05/18/2012 - 05:22

Hi Kevin,


It does the trick!

I added the line: ip route 95.x.x.22 255.255.255.255 62.x.x.9


The two tunnels were working like a charm. I also had to add the following line, because there were two sessions for Tunnel0, I assume one via ADSL and one via SDSL:

ip route 217.x.x.133 255.255.255.255 dialer 1


Thank you very much for your help.


Kind regards,


Olivier
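The fix Kevin suggests and Olivier confirms comes down to a plain routing-table lookup: the router chooses the egress for a tunnel destination by longest-prefix match, and with only the two default routes in the table the AD-1 static via Dialer1 always wins, so the IKE/IPsec packets for Tunnel1 leave over the ADSL link even though its tunnel source is FastEthernet0/1, and the session sits in DOWN-NEGOTIATING. A /32 host route per peer pins each destination to the link its tunnel is sourced from. The following is an added example, my own code rather than anything from the thread or from Cisco: it models that lookup in Python and runs the consistency check a practitioner would want before committing such a config, flagging any VTI whose destination would egress through an interface other than its tunnel source. The public addresses are constructed RFC 5737 stand-ins for the masked ones in the thread, and track 1 is assumed to be up.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins (RFC 5737 documentation ranges) for the masked public
# addresses in the thread: 62.x.x.8/30 -> 203.0.113.8/30 (SDSL link),
# 95.x.x.22 -> 198.51.100.22 (SDSL peer), 217.x.x.133 -> 192.0.2.133 (ADSL peer).
CONNECTED = {
    # interface -> directly connected prefix, taken from the "ip address" lines
    "FastEthernet0/0": ipaddress.ip_network("192.168.10.0/24"),
    "FastEthernet0/1": ipaddress.ip_network("203.0.113.8/30"),
    "Tunnel0": ipaddress.ip_network("192.168.50.0/24"),
    "Tunnel1": ipaddress.ip_network("192.168.51.0/24"),
}
TUNNELS = {
    # VTI -> (tunnel source interface, tunnel destination)
    "Tunnel0": ("Dialer1", "192.0.2.133"),
    "Tunnel1": ("FastEthernet0/1", "198.51.100.22"),
}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    egress: str       # outgoing interface after next-hop resolution
    distance: int     # administrative distance: 0 connected, 1 static, 10 floating


def parse_static_routes(config_text):
    """Build a routing table from 'ip route <net> <mask> <next-hop|intf> [ad] ...'
    lines plus the connected prefixes. An IP next hop is resolved to the connected
    interface containing it; 'track N' is ignored, i.e. the track is assumed up."""
    routes = [Route(net, intf, 0) for intf, net in CONNECTED.items()]
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["ip", "route"]:
            continue
        prefix = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        try:
            nh_ip = ipaddress.ip_address(parts[4])
            egress = next((i for i, n in CONNECTED.items() if nh_ip in n), "unresolved")
        except ValueError:
            egress = parts[4]          # interface name given directly (e.g. Dialer1)
        rest = parts[5:]
        distance = int(rest[0]) if rest and rest[0].isdigit() else 1
        routes.append(Route(prefix, egress, distance))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match; ties are broken by the lowest administrative distance."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))
    return best.egress


def vti_mismatches(routes, tunnels=TUNNELS):
    """Return {tunnel: (tunnel source, actual egress)} for every VTI whose
    destination would leave via a different interface than its tunnel source.
    That mismatch is what kept Tunnel1 in DOWN-NEGOTIATING in the thread."""
    bad = {}
    for name, (source, dest) in tunnels.items():
        via = egress_interface(routes, dest)
        if via != source:
            bad[name] = (source, via)
    return bad


# Static routes from the original post (addresses substituted as noted above).
BEFORE = """\
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.9 10
ip route 192.168.11.0 255.255.255.0 192.168.51.2
ip route 192.168.11.0 255.255.255.0 192.168.50.2 10
"""
# The two host routes added in the thread, pinning each peer to its own WAN link.
AFTER = BEFORE + """\
ip route 198.51.100.22 255.255.255.255 203.0.113.9
ip route 192.0.2.133 255.255.255.255 Dialer1
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {vti_mismatches(parse_static_routes(cfg)) or 'all VTIs consistent'}")
```

Run as-is it reports Tunnel1 sourced from FastEthernet0/1 but egressing via Dialer1 for the "before" table and no mismatches for the "after" table. The model deliberately ignores the tracked default's up/down state; when track 1 fails and the floating default via the SDSL next hop takes over, the host route for the ADSL peer still forces 192.0.2.133 out Dialer1, which is the second route Olivier added and the reason Tunnel0 stopped showing a second session.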
