
Adding backup route with Site-to-Site VPN Tunnel

We've got two 1800 routers connected via IPsec VPN using a tunnel interface. The router at the branch office is using a T1 on Serial0/0/0, and we'd like to connect DSL service to Fa0/1 as a backup.

Now, the problem I see is that we use static routing. On the branch router it has a default route pointing to the original Tunnel interface that uses the T1 line. Then it has several other static routes pointing to the serial interface itself. I tried an experiment creating floating static routes that would bounce to a second Tunnel interface or the Fa0/1 interface if the first failed; however, I don't think that works correctly. I tried shutting down the serial interface (wisely scheduling a reload for a couple of minutes later), but the second tunnel never came up.

I'm sure there is a better way of doing this and would appreciate any pointers. 

Thanks!


Adding backup route with Site-to-Site VPN Tunnel

Hi Ken,

Please read the thread below; a solution has already been provided for a similar problem.

https://supportforums.cisco.com/message/3652744#3652744

Please feel free to ask questions.

Hope that helps.

Thanks

Rizwan Rafeek.


Re: Adding backup route with Site-to-Site VPN Tunnel

I guess I'm still confused. That solution seems a little more complex than what I'm trying to do.

Here is what I understand:

1. Develop an IP SLA to monitor a connection on the primary interface.

2. Configure static default routes: the first points to the default interface and tracks the SLA. The second goes to the backup interface and has a higher metric (administrative distance), so that it only becomes active should the default fail or should the tracking be interrupted.

Where I get confused is in regards to the VPN Tunnels.  Here's the relevant current config of the main site-to-site router:

    crypto isakmp key mycryptokey address IP1.IP1.IP1.IP1
    !
    crypto map mymap 30 ipsec-isakmp
     set peer IP1.IP1.IP1.IP1
     set transform-set ESP-DES-MD5
     match address 154
    !
    interface TunnelA
     ip address 192.168.154.1 255.255.255.252
     ip mtu 1476
     ip route-cache flow
     tunnel source FastEthernet0/1
     tunnel destination IP1.IP1.IP1.IP1
     crypto map mymap

Here's the config on the branch router:

    crypto isakmp policy 1
     hash md5
     authentication pre-share
    crypto isakmp key mycryptokey address IP2.IP2.IP2.IP2
    !
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    !
    crypto map mymap local-address Serial0/0/0
    crypto map mymap 10 ipsec-isakmp
     set peer IP2.IP2.IP2.IP2
     set transform-set ESP-DES-MD5
     match address 199
    !
    interface TunnelA
     ip address 192.168.154.2 255.255.255.252
     ip access-group 140 out
     ip mtu 1476
     ip route-cache flow
     tunnel source Serial0/0/0
     tunnel destination IP2.IP2.IP2.IP2
     crypto map mymap

And the current default route on the branch router is:

    ip route 0.0.0.0 0.0.0.0 TunnelA

So I know that what I will eventually need on the branch router is something like this:

    ip route 0.0.0.0 0.0.0.0 TunnelA track 1
    ip route 0.0.0.0 0.0.0.0 TunnelB 10

My question is, in regards to using Tunnels: is there anything special I need to do aside from having two Tunnel interfaces (one utilizing the T1 interface and one utilizing the DSL Fa0/1 interface) on each end (one the primary, one the secondary), and can I share the same crypto key and crypto map for the two tunnels, or do I need to create separate ones?

Thanks!

Adding backup route with Site-to-Site VPN Tunnel

Hi Ken,

I am sorry for the late reply. I was so busy with things on my plate at work, and in between I try to help out others on the Cisco Support Community.

Your question below...

"can I share the same crypto key and crypto map for the two tunnels,"

Yes, you can use the same key, because as far as your branch router is concerned the remote peer's IP is the same.

But while your crypto map name "mymap" can be the same, the crypto map instance or index number must be different, because you would map "mymap" to a different public address as the source interface.

    crypto map mymap 20 ipsec-isakmp

Since TunnelB creates a new tunnel to the main office, you also have to create an additional tunnel interface at the main office, on a different subnet, to peer with the branch office.

Hope that answers your question.

thanks

Rizwan Rafeek
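As an added worked example (not configuration from this thread, from Ken or from Rizwan), here is how the pieces discussed above could fit together on both routers: IP SLA tracking of the T1 path on the branch, a separate crypto map and second GRE tunnel for the DSL path, a matching key, map entry and tunnel at the main office, and floating static routes at each end. It assumes 12.4T-style `ip sla`/`track` syntax, a static public address on the branch Fa0/1, and uses BRANCH.DSL.IP, BRANCH.LAN.0.0, the 192.168.155.0/30 subnet, ACLs 198/155 and the map name `mymap-dsl` as placeholders chosen for the example.

```cisco
! ===== Branch router =====
! Probe the main office address out the T1 only; a host route keeps the
! probe from ever following the DSL path, which would mask a T1 failure.
ip sla 1
 icmp-echo IP2.IP2.IP2.IP2 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route IP2.IP2.IP2.IP2 255.255.255.255 Serial0/0/0
! "local-address Serial0/0/0" pins mymap to the T1 address, so the DSL
! path gets its own map (same key, same peer, new GRE ACL), applied to
! FastEthernet0/1 and TunnelB just as mymap is applied today.
access-list 198 permit gre host BRANCH.DSL.IP host IP2.IP2.IP2.IP2
crypto map mymap-dsl local-address FastEthernet0/1
crypto map mymap-dsl 20 ipsec-isakmp
 set peer IP2.IP2.IP2.IP2
 set transform-set ESP-DES-MD5
 match address 198
!
interface TunnelB
 ip address 192.168.155.2 255.255.255.252
 ip mtu 1476
 tunnel source FastEthernet0/1
 tunnel destination IP2.IP2.IP2.IP2
 crypto map mymap-dsl
! Primary default follows the track; the backup floats in at AD 10.
ip route 0.0.0.0 0.0.0.0 TunnelA track 1
ip route 0.0.0.0 0.0.0.0 TunnelB 10
!
! ===== Main office router =====
! The branch now also arrives from its DSL address: key it, match it,
! and give it a second map entry and a tunnel on a different /30.
crypto isakmp key mycryptokey address BRANCH.DSL.IP
access-list 155 permit gre host IP2.IP2.IP2.IP2 host BRANCH.DSL.IP
crypto map mymap 40 ipsec-isakmp
 set peer BRANCH.DSL.IP
 set transform-set ESP-DES-MD5
 match address 155
interface TunnelB
 ip address 192.168.155.1 255.255.255.252
 ip mtu 1476
 tunnel source FastEthernet0/1
 tunnel destination BRANCH.DSL.IP
 crypto map mymap
! Return path: GRE keepalives drop TunnelA's line protocol when the T1
! dies, so the floating route via TunnelB takes over on this side too.
interface TunnelA
 keepalive 10 3
ip route BRANCH.LAN.0.0 255.255.255.0 TunnelA
ip route BRANCH.LAN.0.0 255.255.255.0 TunnelB 10
```

After applying it, `show track 1`, `show crypto isakmp sa` and `show ip route 0.0.0.0` on the branch confirm which path is active; pulling the T1 should flip the track and bring up a second ISAKMP SA sourced from the DSL address.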
