
Backup VPN connection does not work

Hi expert,

Our customer has three data centers (HK, KW and NT). The VPN connections between each data center are working properly (HK --> KW, HK --> NT and KW --> NT).

However, the failover does not work, e.g. if the VPN between HK and NT is down, HK traffic cannot go over the alternative VPN connection to NT (i.e. HK --> KW --> NT).

Please let me know how to configure the routers to have "resilient" service and what commands are missing.

Below please find the three routers' config files for your reference.

Rgds

Anita

=========== start of config file

! VPNHK01
!
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.100.2
crypto isakmp key bigsecret address 192.168.100.6
!
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map static-crypt 10 ipsec-isakmp
 description VPN between HK and NT
 set peer 192.168.100.2
 set transform-set vpn-test
 match address 110
!
crypto map static-crypt1 20 ipsec-isakmp
 description VPN between HK and KW
 set peer 192.168.100.6
 set transform-set vpn-test
 match address 110
!
interface FastEthernet0/0
 description connect to VPNNT01
 ip address 192.168.100.1 255.255.255.252
 crypto map static-crypt
!
interface FastEthernet1/0
 description connect to VPNKW01
 ip address 192.168.100.5 255.255.255.252
 crypto map static-crypt1
!
interface FastEthernet1/1
 ip address 192.168.200.1 255.255.255.0
!
router ospf 50
 network 192.168.200.0 0.0.0.255 area 0
!
access-list 110 permit ip 192.168.200.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 110 permit ip 192.168.200.0 0.0.0.255 192.168.220.0 0.0.0.255
!

! VPNKW01
!
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.100.5
crypto isakmp key bigsecret address 192.168.100.9
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map static-crypt1 10 ipsec-isakmp
 description VPN between KW and HK
 set peer 192.168.100.5
 set transform-set vpn-test
 match address 120
!
crypto map static-crypt2 20 ipsec-isakmp
 description VPN between KW and NT
 set peer 192.168.100.9
 set transform-set vpn-test
 match address 120
!
interface FastEthernet0/0
 description connect to VPNHK01
 ip address 192.168.100.6 255.255.255.252
 crypto map static-crypt1
!
interface FastEthernet1/0
 description connect to VPNNT01
 ip address 192.168.100.10 255.255.255.252
 crypto map static-crypt2
!
interface FastEthernet1/1
 ip address 192.168.220.1 255.255.255.0
!
router ospf 50
 network 192.168.220.0 0.0.0.255 area 0
!
access-list 120 permit ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 120 permit ip 192.168.220.0 0.0.0.255 192.168.200.0 0.0.0.255

! VPNNT01
!
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 192.168.100.1
crypto isakmp key bigsecret address 192.168.100.10
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map static-crypt 10 ipsec-isakmp
 description VPN between NT and HK
 set peer 192.168.100.1
 set transform-set vpn-test
 match address 130
!
crypto map static-crypt2 20 ipsec-isakmp
 description VPN between NT and KW
 set peer 192.168.100.10
 set transform-set vpn-test
 match address 130
!
interface FastEthernet0/0
 description connect to VPNHK01
 ip address 192.168.100.2 255.255.255.252
 crypto map static-crypt
!
interface FastEthernet1/0
 description connect to VPNKW01
 ip address 192.168.100.9 255.255.255.252
 crypto map static-crypt2
!
interface FastEthernet1/1
 ip address 192.168.210.1 255.255.255.0
!
router ospf 50
 network 192.168.210.0 0.0.0.255 area 0
!
access-list 130 permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 130 permit ip 192.168.210.0 0.0.0.255 192.168.220.0 0.0.0.255
!

==== end of config file
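
An added example, not part of the original post and not Cisco code: a Python check that parses the HK-KW portion of the configs above and lists crypto ACL entries that have no mirror-image entry on the peer, which crypto-map IPsec peers need in order to agree on a tunnel's traffic selectors. The function names and the trimmed excerpt are assumptions made for this example.

```python
import re

# Excerpt of the HK-KW link from the post's configs (transform-set lines omitted); names are illustrative.
CONFIGS = {
    "VPNHK01": """
crypto map static-crypt1 20 ipsec-isakmp
 set peer 192.168.100.6
 match address 110
 ip address 192.168.100.5 255.255.255.252
access-list 110 permit ip 192.168.200.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 110 permit ip 192.168.200.0 0.0.0.255 192.168.220.0 0.0.0.255
""",
    "VPNKW01": """
crypto map static-crypt1 10 ipsec-isakmp
 set peer 192.168.100.5
 match address 120
 ip address 192.168.100.6 255.255.255.252
access-list 120 permit ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 120 permit ip 192.168.220.0 0.0.0.255 192.168.200.0 0.0.0.255
""",
}

def parse(cfg):
    """Return (local addresses, {peer ip: ACL number}, {ACL number: {(src, dst)}})."""
    addrs = set(re.findall(r"^\s*ip address (\S+)", cfg, re.M))
    maps = dict(re.findall(r"set peer (\S+)\n(?:.*\n)*?\s*match address (\d+)", cfg))
    acls = {}
    for n, s, d in re.findall(r"^access-list (\d+) permit ip (\S+) \S+ (\S+) \S+", cfg, re.M):
        acls.setdefault(n, set()).add((s, d))
    return addrs, maps, acls

def unmirrored(configs):
    """List (router, peer, src, dst) selectors that the peer's crypto ACL does not mirror."""
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    owner = {a: name for name, (addrs, _, _) in parsed.items() for a in addrs}
    out = []
    for name, (addrs, maps, acls) in parsed.items():
        for peer_ip, acl in maps.items():
            peer = owner.get(peer_ip)
            if peer is None:
                continue  # that peer's config was not supplied
            _, pmaps, pacls = parsed[peer]  # peer's maps that point back at this router
            back = set().union(*(pacls.get(n, set()) for ip, n in pmaps.items() if ip in addrs))
            out += [(name, peer, s, d) for s, d in sorted(acls.get(acl, ())) if (d, s) not in back]
    return out

if __name__ == "__main__":
    for row in unmirrored(CONFIGS):
        print("no mirror on peer: %s -> %s  %s -> %s" % row)
```

On the posted excerpt it reports the 192.168.200.0 to 192.168.210.0 selector on HK's map toward KW, which is the HK to NT traffic on the backup path. The check covers crypto ACL selectors only, not routing.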
