2792 Views, 0 Helpful, 3 Replies

Multiple IPSec Tunnels into one Destination LAN

jmyers1973
Level 1

Hello there... I have a scenario that we are trying to work around but have been unable to do so.  

 

I have 54 Calamp Vanguard 3000 wireless routers in the field for a project.  These devices utilize the FreeS/Wan VPN tool to connect.  Each of these devices connects to a Cisco 2911/K9 router at the customer location via IPSec VPN tunnels, one is over a DSL connection and the other is over a cellular link through AT&T.  Each Calamp has two tunnels connecting to the Cisco 2911 router, one is the primary connection (DSL) and the other is for redundancy/failover (Cellular).  The problem I am having is this:

1.  Only one IPsec tunnel will connect.  The second tunnel, although connecting via a different network (Cellular vs. DSL), will not establish because both tunnels are terminating in the same remote subnet (192.168.111.0/24) on the Cisco router.  The Calamp gives the error "Unable to route..route already in use for ***".  Is there a workaround for this?  Can I create virtual interfaces on the WAN interface for the cellular links and separate it that way?  Then, route from the virtual interfaces to the inside interface 192.168.111.1/24?  

2.  I basically need to create another LAN interface with a different subnet, 192.168.115.0/24, and then route that interface to the 192.168.111.1 interface.  This way I can create the redundant VPN tunnels in the Calamps to terminate at 192.168.115.0/24 and not 192.168.111.0/24.  I just need to be able to route 192.168.115.0/24 to 192.168.111.0/24 and vice versa.  

3.  Are there any issues you can see with this setup?  Is this even possible?  Below is an example of the configuration from the Cisco 2911 router:

Some of the information has been removed for security purposes.  Please contact me if there are any questions. 

 

User Access Verification

PS1RTR#show run
Building configuration...

Current configuration : 35704 bytes
!
version 15.4
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname PS1RTR
!
boot-start-marker
boot-end-marker
!
!
logging buffered 1000000
!
aaa new-model
!
!
aaa authentication login default local none
aaa authentication login sslvpn local
!
!
!
!
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
!
!
!
!
!
!
!
!
!
!
!
ip vrf Cell
 rd 123:4
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
 delay down 1 up 2
!
ip ssh version 2
!
no crypto xauth GigabitEthernet0/2
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes 256
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr aes 256
 hash sha256
 authentication pre-share
 group 2

"Key information removed for security purposes"

!

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
crypto isakmp nat keepalive 25
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set default esp-aes esp-sha-hmac
crypto ipsec transform-set UNO esp-aes 256 esp-md5-hmac
 mode tunnel
crypto ipsec transform-set DOS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TRES esp-aes esp-md5-hmac
 mode tunnel
crypto ipsec transform-set CUATRO esp-aes 192 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set CINCO esp-aes 192 esp-md5-hmac
 mode tunnel
crypto ipsec transform-set SEIS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set SIETE esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set OCHO esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set NUEVE esp-des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set DIEZ esp-des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set test esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
!
!
crypto map CEL_CM 100 ipsec-isakmp
 set peer 166.131.45.234
 set transform-set UNO DOS TRES SEIS SIETE OCHO
 match address PS->MUD_130
!
crypto map DSL_CM 100 ipsec-isakmp
 set peer 166.131.45.234
 set transform-set UNO DOS TRES SEIS SIETE OCHO
 match address PS->MUD_130
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description LAN_111
 ip address 192.168.111.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description DSL
 ip address 20.20.20.20 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map DSL_CM
!
interface GigabitEthernet0/2
 description CEL
 mtu 1440
 ip address 10.10.10.10 255.255.255.0
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
 crypto map CEL_TEST
!
!
router eigrp 1
 metric maximum-hops 2
 metric weights 0 0 0 1 0 0
 network 192.168.111.0
 passive-interface default
!
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map NONAT-CEL interface GigabitEthernet0/2 overload
ip nat inside source route-map NONAT-DSL interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 "DSL Next Hop Router" 2 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 5
!
ip access-list extended BACK1
 permit ip host "DSL WAN Interface" any
ip access-list extended BACK2
 permit ip host "Cellular WAN Interface" any
ip access-list extended MGMT
 permit ip 192.168.111.0 0.0.0.255 any
 permit ip 192.168.120.0 0.0.1.255 any
 permit ip any any
ip access-list extended NONAT
 deny   ip 192.168.111.0 0.0.0.255 192.168.120.0 0.0.1.255
 permit ip any any
i

ip access-list extended PS->MUD_130
 permit ip 192.168.111.0 0.0.0.255 192.168.120.0 0.0.0.7
!
!
ip prefix-list noCALAMP seq 5 permit 192.168.111.0/24
ip prefix-list noCALAMP seq 10 deny 192.168.120.0/23 le 32
ip sla 1
 icmp-echo "DSL Next-Hop" source-ip "DSL Outside Interface"
 threshold 3000
 timeout 3000
 frequency 3
ip sla schedule 1 life forever start-time now

!

ip sla 2
 icmp-echo 192.168.120.1 source-ip 192.168.111.1
 frequency 18
!
ip sla group schedule 1 2 schedule-period 54 frequency 18 start-time now life forever
!
route-map NONAT-DSL permit 10
 match ip address NONAT
 match interface GigabitEthernet0/1
!
route-map NONAT-CEL permit 10
 match ip address NONAT
 match interface GigabitEthernet0/2
!
!
!
!
!
control-plane

scheduler allocate 20000 1000
ntp server 128.138.140.44
!
!

end
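Two things in the posted config are worth checking mechanically before changing the design: both crypto maps (CEL_CM and DSL_CM) point at the same peer (166.131.45.234) and match the same crypto ACL (PS->MUD_130), so the peer is asked to negotiate two SAs for one identical traffic selector, which is the collision the Calamp reports; and GigabitEthernet0/2 applies a crypto map named CEL_TEST that is not defined anywhere in the shown config, so the cellular interface currently has no usable crypto map at all. The script below is an added example written for this thread, not code from the post or from Cisco; it parses IOS-style config text, converts the crypto ACL wildcards to networks, and flags overlapping selectors between maps that share a peer and interface references to undefined maps. The config strings are constructed excerpts modelled on the post, and the ACL name PS->MUD_130_CEL in the proposed variant is a placeholder for whatever the second LAN subnet's crypto ACL would be called.

```python
"""Added example (not from the thread): lint IOS-style config for
 1. crypto maps sharing a peer whose crypto ACLs overlap (two SAs for one selector);
 2. a crypto map applied under an interface but never defined globally."""
import ipaddress
from typing import Dict, List, Tuple

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def _acl_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one extended-ACL address spec at tokens[i]: 'any', 'host A.B.C.D'
    or 'A.B.C.D WILDCARD'. Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard -> netmask by inverting the bits (contiguous masks only)
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def parse_config(text: str):
    """Return (acls, crypto_maps, interface_maps) from a running-config excerpt."""
    acls: Dict[str, List[Selector]] = {}
    maps: Dict[str, Dict[str, str]] = {}
    iface_maps: Dict[str, str] = {}
    acl = cmap = iface = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if not line.startswith(" "):            # a new top-level block starts
            acl = cmap = iface = None
            if t[:3] == ["ip", "access-list", "extended"]:
                acl = t[3]
                acls.setdefault(acl, [])
            elif t[:2] == ["crypto", "map"] and len(t) >= 5:  # name seq type
                cmap = t[2]
                maps.setdefault(cmap, {})
            elif t[0] == "interface":
                iface = t[1]
            continue
        if acl and t[:2] == ["permit", "ip"]:   # deny entries exclude traffic
            src, j = _acl_addr(t, 2)
            dst, _ = _acl_addr(t, j)
            acls[acl].append((src, dst))
        elif cmap and t[:2] == ["set", "peer"]:
            maps[cmap]["peer"] = t[2]
        elif cmap and t[:2] == ["match", "address"]:
            maps[cmap]["acl"] = t[2]
        elif iface and t[:2] == ["crypto", "map"]:
            iface_maps[iface] = t[2]
    return acls, maps, iface_maps


def overlapping_crypto_maps(acls, maps) -> List[Tuple[str, str, str]]:
    """Map pairs with the same peer and at least one overlapping (src, dst)."""
    names, hits = sorted(maps), []
    for n, a in enumerate(names):
        for b in names[n + 1:]:
            ma, mb = maps[a], maps[b]
            if "peer" not in ma or ma["peer"] != mb.get("peer"):
                continue
            sel_a = acls.get(ma.get("acl", ""), [])
            sel_b = acls.get(mb.get("acl", ""), [])
            if any(s1.overlaps(s2) and d1.overlaps(d2)
                   for s1, d1 in sel_a for s2, d2 in sel_b):
                hits.append((a, b, ma["peer"]))
    return hits


def undefined_interface_maps(maps, iface_maps) -> List[Tuple[str, str]]:
    """(interface, map) pairs whose crypto map name is never defined."""
    return sorted((i, m) for i, m in iface_maps.items() if m not in maps)


def lint(text: str) -> dict:
    acls, maps, iface_maps = parse_config(text)
    return {"overlap": overlapping_crypto_maps(acls, maps),
            "undefined": undefined_interface_maps(maps, iface_maps)}


# Constructed excerpts modelled on the posted config (peer and ACL from the post).
BASE = """\
crypto map DSL_CM 100 ipsec-isakmp
 set peer 166.131.45.234
 match address PS->MUD_130
interface GigabitEthernet0/1
 crypto map DSL_CM
ip access-list extended PS->MUD_130
 permit ip 192.168.111.0 0.0.0.255 192.168.120.0 0.0.0.7
"""
AS_POSTED = BASE + """\
crypto map CEL_CM 100 ipsec-isakmp
 set peer 166.131.45.234
 match address PS->MUD_130
interface GigabitEthernet0/2
 crypto map CEL_TEST
"""
# Poster's proposal: the cellular map keys its SA on a second LAN subnet, so the
# selectors no longer collide. PS->MUD_130_CEL is a placeholder ACL name.
PROPOSED = BASE + """\
crypto map CEL_CM 100 ipsec-isakmp
 set peer 166.131.45.234
 match address PS->MUD_130_CEL
interface GigabitEthernet0/2
 crypto map CEL_CM
ip access-list extended PS->MUD_130_CEL
 permit ip 192.168.115.0 0.0.0.255 192.168.120.0 0.0.0.7
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("proposed", PROPOSED)):
        print(label, lint(cfg))
```

Run against the as-posted excerpt it reports the CEL_CM/DSL_CM overlap and the dangling CEL_TEST reference; against the proposed variant it reports neither. The check only confirms that the two SAs would have distinct selectors. It says nothing about whether traffic for 192.168.111.0/24 will actually move to the cellular SA when DSL fails, which is the separate failover question the GRE-over-one-IPsec-tunnel reply below is aimed at.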

3 Replies

Richard Burts
Hall of Fame

If I am correct in understanding your post you are trying to establish two IPsec tunnels from the same source device to the same destination device (with each tunnel using a different ISP transport). In my experience it does not work to try to have two IPsec tunnels from the same source device to the same destination device.

 

HTH

 

Rick

Can you have one IPSec tunnel with two GRE tunnels going through it?

I tested having 1 IPSec tunnel between one ASA and one router.  I then had 4 GRE tunnels between a headend router and two routers on the other side.
