cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3295
Views
0
Helpful
7
Replies

2 VPN Tunnels between 2 devices on separate links

femi.agboade
Level 1
Level 1

Hello,

I have a 2811 connected to two different ISPs, implying I have 2 separate interfaces for both links. I initially setup a VPN tunnel to a 3rd party remote site on one of the links/interfaces. I am now required to setup an additonal VPN tunnel to the same remote site on the other interface/link. When I finish the config and run tests, I get an error saying that the crypto map is not applied on the correct interface and that the peer is being routed through a non-crypto map interface.

One thing I would like to know is if it is possible to configure the router to establish these two tunnels on the different links/interfaces to the same peer. Please note that the first VPN tunnel is still active, but the other one has just refused to come up. Please see the snippets of my router config below:

crypto ipsec transform-set ABCD esp-3des esp-md5-hmac

!

crypto isakmp policy 4

encr 3des

hash md5

authentication pre-share

group 5

!

crypto isakmp policy 5

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 6

encr 3des

authentication pre-share

group 2

crypto isakmp key 123key address x.x.130.130

!

crypto map SDM_CMAP_1 3 ipsec-isakmp

description VPN Tunnel to ABCD on x.x.130.130

set peer x.x.130.130

set transform-set ABCD

set pfs group5

match address ABCD

!

crypto map SDM_CMAP_2 1 ipsec-isakmp

description description PROD VPN Tunnel to ABCD

set peer x.x.130.130

set transform-set ABCD

set pfs group5

match address ABCD_PROD

!

!

interface FastEthernet0/1

description ISP1 WAN INTERFACE$ETH-WAN$

ip address a.a.42.66 255.255.255.252

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

auto discovery qos

crypto map SDM_CMAP_1

!

!

interface FastEthernet0/2/0

description ISP2_WAN_INTERFACE

ip address y.y.12.94 255.255.255.192

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

auto discovery qos

crypto map SDM_CMAP_2

!

ip access-list extended ABCD

permit ip host 172.30.50.2 host x.x.130.138

ip access-list extended ABCD_PROD

permit ip host 172.19.205.31 host x.x.130.134

!

ip route 0.0.0.0 0.0.0.0 a.a.42.65

So its the tunnel running on ISP1 that is fine while the tunnel on ISP2 is not coming up.

While pasting this though, I just realized there is no default route for ISP2, could this be the problem and would adding another default route not create some sort of loop?

Regards,

Femi

1 Accepted Solution

Accepted Solutions

Femi,

You don't NEED to put both ISPs into VRF, uless I'm not seeing something it's not require in your case.

But anways for ipsec config check Nico's cheat sheet:

https://supportforums.cisco.com/docs/DOC-13524

Pay special attention around keyrings.

You will notice that keyrings are defined per front VRF.

Also note that "vrf" statment in isakmp profile is indicating where the clear text packets are, typically this should be same VRF as your LAN interface.

HTH,

Marcin

View solution in original post

7 Replies 7

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Femi,

I don't want to overload you with information, but what we typically do in scenarios like this is to use separete VRFs for each ISP (the primary ISP can still be in global VRF).

I.e. you would have second WAN ISP in a separate VRF, this would allow you to also have a default route specific to that VRF/ISP.

Also if both sides are Cisco, I'd highly recommand using VTI solution rather than crypto maps - crypto maps are legacy configuration we're advising people to move away from them wenever possible.

M.

Hello Marcin,

Thanks for the feedback.

So i quickly went online to check what VRF meant, not familiar with the term or how it works. I am willing to try it out, if you can just give me some pointers on what to do. An example config would be ideal.

As regards VTI, not sure how this works as well but will explore same. Moreover, we will be introducing an ASA on the network to handle all firewalling and VPN config setup soon.

So please help with a sample config to handle the VRF suggestion.

Regards,

Femi

Hello Marcin,

I have tried 2 different VRF sample configs but none has worked. The one that seemed closest to work is stated below:

ip vrf NI1

rd 100:1

route-target export 100:1

route-target import 100:1

!

ip vrf NI2

rd 101:1

route-target export 101:1

route-target import 101:1

!

crypto keyring NI1

  pre-shared-key address 1.58.130.130 key xxxxx

crypto keyring NI2

  pre-shared-key address 1.58.130.130 key xxxxx

!

crypto isakmp policy 4

encr 3des

hash md5

authentication pre-share

group 5

!

crypto isakmp policy 5

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 6

encr 3des

authentication pre-share

group 2

!

crypto isakmp profile NI1

vrf NI1

keyring NI1

match identity address 1.58.130.130 255.255.255.255

!

crypto isakmp profile NI2

vrf NI2

keyring NI2

match identity address 1.58.130.130 255.255.255.255

!

crypto ipsec transform-set NI esp-3des esp-md5-hmac

!

ip access-list extended NI1

permit ip host 172.30.50.2 host 1.58.130.138

!

ip access-list extended NI2

permit ip host 172.19.205.31 host 1.58.130.134

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description VPN Tunnel to NI1

set peer 1.58.130.130

set transform-set NI

set pfs group5

match address NI1

!

crypto map SDM_CMAP_2 1 ipsec-isakmp

description PROD VPN Tunnel to NI2

set peer 1.58.130.130

set transform-set NI

set pfs group5

match address NI2

!

!

interface FastEthernet0/1

ip address 6.173.42.66 255.255.255.252

crypto map SDM_CMAP_1

!

interface FastEthernet0/2/0

ip address 8.248.12.94 255.255.255.192

crypto map SDM_CMAP_2

!

!

ip route 0.0.0.0 0.0.0.0 62.173.42.65

ip route 1.58.130.130 255.255.255.255 6.173.42.65

ip route 1.58.130.130 255.255.255.255 8.248.12.65

ip route vrf NI1 1.58.130.138 255.255.255.255 6.173.42.65 global

ip route vrf NI2 1.58.130.134 255.255.255.255 8.248.12.65 global

!

Note, i still have the default route set, without it, my internet users on the LAN segment have no internet access.

Can you help review and point out where i may be going off?

Thanks.

Regards,

Femi

Femi,

You don't NEED to put both ISPs into VRF, uless I'm not seeing something it's not require in your case.

But anways for ipsec config check Nico's cheat sheet:

https://supportforums.cisco.com/docs/DOC-13524

Pay special attention around keyrings.

You will notice that keyrings are defined per front VRF.

Also note that "vrf" statment in isakmp profile is indicating where the clear text packets are, typically this should be same VRF as your LAN interface.

HTH,

Marcin

Hello Marcin,

You say I dont need to put both ISPs into VRF, what do you reckon I do? Could you take a look at this link below, I just posted this today after I didnt make any progress still:

https://supportforums.cisco.com/message/3649920#3649920

Thanks for the link to the cheat sheet, I had read through and its one of the references I used for the commands I stated above. Will go through again and compare with what I posted.

Regards,

Femi

Hello Marcin,

When you said I didnt need to put both ISPs into VRF, i assume you meant that I only needed to put on f the ISPs into VRF, specifically the other ISP I was trying to establish a new VPN connection over?

I did read the cheat sheet thoroughly and also went through some other documents. However, I still cound not get out of the router as the router kept complaining about routing issues:

1. The peer must be routed through the crypto map interface. The following peer(s) are  routed through non-crypto map interface - a.b.130.130

2. The tunnel traffic destination must be routed through the crypto map interface. The following destinations are routed through non-crypto map interface - a.b.130.134

Below is the config I applied but I didnt get traffic out of the router still to even attempt to establish a connection:

ip vrf PROD_INTCON

rd 100:1

route-target export 100:1

route-target import 100:1

!

ip vrf ISP2

rd 101:1

route-target export 101:1

route-target import 101:1

!

!

crypto keyring NI2-keyring vrf ISP2

  pre-shared-key address a.b.130.130 key xxxxx

!

crypto isakmp policy 4

encr 3des

hash md5

authentication pre-share

group 5

!

crypto isakmp policy 5

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 6

encr 3des

authentication pre-share

group 2

!

crypto isakmp profile NI2-profile

vrf PROD_INTCON

keyring NI2-keyring

match identity address a.b.130.130 255.255.255.255 ISP2

isakmp authorization list default

!

crypto ipsec transform-set NI2set esp-3des esp-md5-hmac

!

crypto map SDM_CMAP_2 1 ipsec-isakmp

description PROD VPN Tunnel to NI2

set peer a.b.130.130

set transform-set NI2set

set pfs group5

set isakmp-profile NI2-profile

match address NI2_ACL

reverse-route

!

!

interface FastEthernet0/2/0

ip vrf forwarding ISP2

ip address z.y.12.94 255.255.255.192

crypto map SDM_CMAP_2

!

!

interface FastEthernet0/2/1.603

description PROD_INTCON_ZONE

encapsulation dot1Q 603

ip vrf forwarding PROD_INTCON

ip address 172.19.205.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly

!

!

ip route vrf ISP2 0.0.0.0 0.0.0.0 z.y.12.65

ip route vrf PROD_INTCON a.b.130.134 255.255.255.255 FastEthernet0/2/0 z.y.12.65

!

ip access-list extended NI2_ACL

permit ip host 172.19.205.31 host a.b.130.134

!

Hello Marcin,

This is just to confirm that my last post config worked just fine. The problem was some security setting which didnt allow me generate packets with source IP from the router but the moment i setup the system with that source IP and attempted to connect to the destination host, the tunnel got formed.

Thanks for all the help, IP VRF does sound a very inetersting technology to work with.

Cheers.

Regards

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: