04-19-2006 02:33 AM - edited 02-21-2020 02:22 PM
Hello,
I'm in this situation:
- A VPN 3000 at the core.
- Spokes are Cisco IPsec routers on the Internet.
Some of these routers have two Internet gateways provided by two different ISPs.
The second gateway is used as a backup of the first Internet gateway.
When the spoke router goes to the Internet through the first gateway, it has a public address IPADD_1 in the address space provided by the first ISP (using static NAT).
When the spoke router goes to the Internet through the second gateway, it has a public address IPADD_2 in the address space provided by the second ISP (using static NAT).
I have configured the VPN with two LAN-to-LAN connections using IPADD_1 and IPADD_2 as endpoints, but I have problems when I set the same private network reachable by both IPsec tunnels.
Exactly, it happens as follows:
When I use the first ISP, all works fine because the first LAN-to-LAN connection is matched on the VPN.
When the first ISP goes down, the spoke tries to use the second ISP, but the second LAN-to-LAN connection on the VPN doesn't come up (unless I manually disable the first LAN-to-LAN connection). I have tried NAT configuration of the private networks to differentiate the destinations of the LAN-to-LAN connections, but it works only for traffic from spoke to core.
Does someone have a suggestion?
Thank you.
04-19-2006 02:44 AM
On the hub location this should be the configuration:
crypto map test 10 ipsec-isakmp
 match address 100
 set transform-set test
 ! the peer addresses were stripped from the post; on the hub these would be
 ! the spoke's two public addresses, IPADD_1 and IPADD_2 from the question
 set peer IPADD_1
 set peer IPADD_2
! global ISAKMP command, not part of the crypto map: enables DPD keepalives
crypto isakmp keepalive 10
So if the first peer is not reachable, DPD will help form the tunnel with the 2nd peer. Ensure keepalives are present at both locations.
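A fuller hub-side IOS configuration around the two-peer crypto map sketched above, added here as an example and not taken from the reply or from any Cisco document. IPADD_1 and IPADD_2 are the spoke's two public addresses from the question; the ISAKMP policy, the pre-shared key placeholder, the transform-set contents, the interface name and the two private subnets in ACL 100 are assumptions.

```cisco
! Added example (not from the original post): hub-side IOS configuration
! with both spoke addresses as IPsec peers and DPD keepalives enabled.
! IPADD_1 / IPADD_2 come from the question; every other value below is
! an assumed or constructed placeholder.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! The same pre-shared key is bound to both spoke addresses, because the
! spoke's IKE identity changes with the ISP it is currently using.
crypto isakmp key <PRE-SHARED-KEY> address IPADD_1
crypto isakmp key <PRE-SHARED-KEY> address IPADD_2
! DPD: probe the peer every 10 s; retry every 3 s once it stops answering.
! Without this, the SA toward the dead IPADD_1 stays up and the hub never
! rekeys toward IPADD_2.
crypto isakmp keepalive 10 3
crypto ipsec transform-set test esp-aes esp-sha-hmac
! Crypto ACL (constructed subnets): hub LAN 10.0.0.0/24 to spoke LAN
! 192.168.1.0/24. One ACL covers both peers, which is what the VPN 3000
! could not express with two separate LAN-to-LAN entries.
access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map test 10 ipsec-isakmp
 match address 100
 set transform-set test
 ! Peers are tried in the order listed; IOS falls back to the next one
 ! when DPD declares the current peer dead.
 set peer IPADD_1
 set peer IPADD_2
interface FastEthernet0/0
 description Hub Internet-facing interface (assumed name)
 crypto map test
```

After a failover, `show crypto isakmp sa` on the hub should list the SA against IPADD_2 only; an SA still shown against IPADD_1 means DPD is not running on both sides.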
04-19-2006 07:09 AM
... the problem is the heterogeneous type of devices.
VPN concentrators are not IOS routers, and Dead Peer Detection (I think) works only between a pair of IPsec IOS peers.
I agree ...
with VPN to VPN
or
with IOS to IOS
I'm able to manage backup peers (and paths),
but VPN to IOS ???
Thank you.
gdp
04-19-2006 11:10 AM
I've been trying to read up on VPN backup solutions and would like to figure out a way to learn routes through my VPN and then use that VPN to get to that network. Any suggestions?
Patrick
04-19-2006 08:44 PM
Patrick
Did you check IPsec Reverse Route Injection? Or do you want to check the remote network's health? Then probably you can do a VTI and advertise the remote LAN over the tunnel interface.
Let me know if I am off the mark.
04-19-2006 11:08 PM
I was thinking that was my answer, but I haven't done any VTI IPsec tunnels yet and was going to spend some time this weekend working with that idea. Right now my client has a fairly large VPN network with a product line called SonicWALLs, which have been great for them because of their centralized management. But their uptime is terrible. I was trying to find out what the full capabilities of the ASA/PIX 7.x software are. I really would like to put those at the edge instead of a router connected to the Internet with a firewall feature set.
Has anyone used the ASA/PIX 7.0 in this manner? Are they capable of doing VPNs like the VTI links, with the ability to run OSPF over the VPN tunnels?
Appreciate any answers, more questions to think about, etc.
04-20-2006 12:10 AM
Something like this: Unicast OSPF over IPsec VPN tunnel?
04-19-2006 08:48 PM
I am not very much aware of VPN concentrators, but I think they do allow for dead peer detection. It will be well worth a try and I think it should work. Let me know how it goes.
04-19-2006 11:52 PM
On the spoke router I configure:
crypto isakmp keepalive 10
On the hub VPN 3000, in the
"Configuration | User Management | Groups" menu,
I select the groups related to the LAN-to-LAN connections and check IKE Keepalives.
Unfortunately it doesn't work.
It works only if I manually disable the primary LAN-to-LAN connection on the VPN 3000.
Regards.
gdp
04-20-2006 12:01 AM
Any logs on the router or the VPN concentrator?