09-22-2015 02:19 PM - edited 02-21-2020 08:28 PM
Hello there... I have a scenario that we are trying to work around but have been unable to do so.
I have 54 Calamp Vanguard 3000 wireless routers in the field for a project. These devices utilize the FreeS/Wan VPN tool to connect. Each of these devices connects to a Cisco 2911/K9 router at the customer location via IPSec VPN tunnels: one is over a DSL connection and the other is over a cellular link through AT&T. Each Calamp has two tunnels connecting to the Cisco 2911 router; one is the primary connection (DSL) and the other is for redundancy/failover (Cellular). The problem I am having is this:
1. Only one IPsec tunnel will connect. The second tunnel, although connecting via different network (Cellular vs. DSL), will not establish because both tunnels are terminating in the same remote subnet (192.168.111.0/24) on the Cisco router. The Calamp gives the error "Unable to route..route already in use for ***". Is there a workaround for this? Can I create virtual interfaces on the WAN interface for the cellular links and separate it that way? Then, route from the virtual interfaces to the inside interface 192.168.111.1/24?
2. I basically need to create another LAN interface with a different subnet, 192.168.115.0/24, and then route that interface to the 192.168.111.1 interface. This way I can create the redundant VPN tunnels in the Calamps to terminate to 192.168.115.0/24 and not 192.168.111.0/24. I just need to be able to route 192.168.115.0/24 to 192.168.111.0/24 and vice versa.
3. Are there any issues you can see with this setup? Is this even possible? Below is an example of the configuration from the Cisco 2911 router:
Some of the information has been removed for security purposes. Please contact me if there are any questions.
User Access Verification
PS1RTR#show run
Building configuration...
Current configuration : 35704 bytes
!
version 15.4
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname PS1RTR
!
boot-start-marker
boot-end-marker
!
!
logging buffered 1000000
!
aaa new-model
!
!
aaa authentication login default local none
aaa authentication login sslvpn local
!
!
!
!
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
!
!
!
!
!
!
!
!
!
!
!
ip vrf Cell
rd 123:4
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
delay down 1 up 2
!
ip ssh version 2
!
no crypto xauth GigabitEthernet0/2
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 30
encr aes 256
hash sha256
authentication pre-share
group 2
"Key information removed for security purposes"
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
crypto isakmp nat keepalive 25
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set default esp-aes esp-sha-hmac
crypto ipsec transform-set UNO esp-aes 256 esp-md5-hmac
mode tunnel
crypto ipsec transform-set DOS esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set TRES esp-aes esp-md5-hmac
mode tunnel
crypto ipsec transform-set CUATRO esp-aes 192 esp-sha-hmac
mode tunnel
crypto ipsec transform-set CINCO esp-aes 192 esp-md5-hmac
mode tunnel
crypto ipsec transform-set SEIS esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set SIETE esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set OCHO esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set NUEVE esp-des esp-sha-hmac
mode tunnel
crypto ipsec transform-set DIEZ esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set test esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
!
!
crypto map CEL_CM 100 ipsec-isakmp
set peer 166.131.45.234
set transform-set UNO DOS TRES SEIS SIETE OCHO
match address PS->MUD_130
!
crypto map DSL_CM 100 ipsec-isakmp
set peer 166.131.45.234
set transform-set UNO DOS TRES SEIS SIETE OCHO
match address PS->MUD_130
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description LAN_111
ip address 192.168.111.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description DSL
ip address 20.20.20.20 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map DSL_CM
!
interface GigabitEthernet0/2
description CEL
mtu 1440
ip address 10.10.10.10 255.255.255.0
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map CEL_TEST
!
!
router eigrp 1
metric maximum-hops 2
metric weights 0 0 0 1 0 0
network 192.168.111.0
passive-interface default
!
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map NONAT-CEL interface GigabitEthernet0/2 overload
ip nat inside source route-map NONAT-DSL interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 "DSL Next Hop Router" 2 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 5
!
ip access-list extended BACK1
permit ip host "DSL WAN Interface" any
ip access-list extended BACK2
permit ip host "Cellular WAN Interface" any
ip access-list extended MGMT
permit ip 192.168.111.0 0.0.0.255 any
permit ip 192.168.120.0 0.0.1.255 any
permit ip any any
ip access-list extended NONAT
deny ip 192.168.111.0 0.0.0.255 192.168.120.0 0.0.1.255
permit ip any any
ip access-list extended PS->MUD_130
permit ip 192.168.111.0 0.0.0.255 192.168.120.0 0.0.0.7
!
!
ip prefix-list noCALAMP seq 5 permit 192.168.111.0/24
ip prefix-list noCALAMP seq 10 deny 192.168.120.0/23 le 32
ip sla 1
icmp-echo "DSL Next-Hop" source-ip "DSL Outside Interface"
threshold 3000
timeout 3000
frequency 3
ip sla schedule 1 life forever start-time now
!
ip sla 2
icmp-echo 192.168.120.1 source-ip 192.168.111.1
frequency 18
!
ip sla group schedule 1 2 schedule-period 54 frequency 18 start-time now life forever
!
route-map NONAT-DSL permit 10
match ip address NONAT
match interface GigabitEthernet0/1
!
route-map NONAT-CEL permit 10
match ip address NONAT
match interface GigabitEthernet0/2
!
!
!
!
!
control-plane
scheduler allocate 20000 1000
ntp server 128.138.140.44
!
!
end
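As an added example (not from the thread, and not Cisco tooling), here is a small Python audit that walks a constructed excerpt of the posted config and reports what a reviewer would flag in it: both crypto maps selecting the same peer and the same crypto ACL (so each WAN interface would negotiate identical proxy identities), GigabitEthernet0/2 applying a map named CEL_TEST while the defined map is CEL_CM, and transform-set proposals that still offer DES/3DES or MD5. The excerpt, the check names and the output wording are assumptions of this example.

```python
# Constructed excerpt of the 2911 config from the post above (not the full running-config).
CONFIG = """\
crypto ipsec transform-set UNO esp-aes 256 esp-md5-hmac
crypto ipsec transform-set SIETE esp-3des esp-sha-hmac
crypto map CEL_CM 100 ipsec-isakmp
 set peer 166.131.45.234
 set transform-set UNO SIETE
 match address PS->MUD_130
crypto map DSL_CM 100 ipsec-isakmp
 set peer 166.131.45.234
 set transform-set UNO SIETE
 match address PS->MUD_130
interface GigabitEthernet0/1
 crypto map DSL_CM
interface GigabitEthernet0/2
 crypto map CEL_TEST
"""

def parse(config):
    """Return (crypto maps, interface -> applied map name, weak transform-set names)."""
    maps, bound, weak, block = {}, {}, set(), None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):  # a top-level command starts a new block
            block = None
            if w[:2] == ["crypto", "map"]:
                block, maps[w[2]] = ("map", w[2]), {"transform-set": []}
            elif w[0] == "interface":
                block = ("if", w[1])
            elif w[:3] == ["crypto", "ipsec", "transform-set"] and any(
                    t in line for t in ("esp-des", "esp-3des", "md5")):
                weak.add(w[3])  # DES/3DES or MD5 in the proposal
        elif block and block[0] == "map" and w[0] in ("set", "match"):
            maps[block[1]][w[1]] = w[2:] if w[1] == "transform-set" else w[2]
        elif block and block[0] == "if" and w[:2] == ["crypto", "map"]:
            bound[block[1]] = w[2]
    return maps, bound, weak

def audit(config):
    """Return (check, detail) findings for the three checks described in the lead-in."""
    maps, bound, weak = parse(config)
    out, seen = [], {}
    for name, m in maps.items():
        key = (m.get("peer"), m.get("address"))
        if key in seen:  # same peer and same crypto ACL on two maps: identical SAs
            out.append(("duplicate-sa", f"{seen[key]} and {name} both select {key}"))
        seen.setdefault(key, name)
        bad = sorted(set(m["transform-set"]) & weak)
        if bad:
            out.append(("weak-transform", f"{name}: {' '.join(bad)}"))
    for iface, name in bound.items():
        if name not in maps:  # interface applies a crypto map that is never defined
            out.append(("undefined-map", f"{iface} applies {name}"))
    return out
```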
09-23-2015 03:22 PM
If I am correct in understanding your post, you are trying to establish two IPsec tunnels from the same source device to the same destination device (with each tunnel using a different ISP transport). In my experience it does not work to try to have two IPsec tunnels from the same source device to the same destination device.
HTH
Rick
09-26-2018 01:04 PM
Can you have one IPSec tunnel with two GRE tunnels going through it?