04-10-2012 04:42 AM
Hello there
I want to configure 2 VPNs between the same routers as follows:
R1-G0/0<---VPN1-->R2-G0/0
R1-Lo <--VPN2--->R2-Lo0
With this configuration, VPN1 is up, but not VPN2.
All IPs are routable and pingable from both sides.
Can someone help me?
Thanks
JP
04-10-2012 09:27 AM
Hi,
To my understanding, configuring 2 L2L VPNs with the same peer IP addresses is impossible. Or is my memory just from some equipment that doesn't support it?
Anyway, it does seem needless to have 2 separate VPN connections if they both share the peer addresses.
Why have you configured 2 L2L VPN connections between the same 2 devices?
- Jouni
04-10-2012 09:42 PM
Hi Jouni,
Actually the first VPN is working well, but I need to move traffic to the second VPN to avoid disturbing traffic (or disturb it less).
Once the second VPN is OK, I can remove the first one.
If you have an idea...
Thanks
JP
04-11-2012 03:56 AM
Hi again Jouni,
For your information, each VPN has its own peer and its own interface.
On R1, I have:
C#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer:
IKEv1 SA: local
IPSEC FLOW: permit 47 host
Active SAs: 2, origin: crypto map
Interface: Loopback1
Session status: DOWN
Peer:
IPSEC FLOW: permit 47 host
Active SAs: 0, origin: crypto map
C#
JP
04-22-2012 02:19 AM
If I understand:
R1-G0/0<---VPN1-->R2-G0/0
R1-Lo <--VPN2--->R2-Lo0
Assuming you have only 1 egress interface [gig0/0], then it's something you can't achieve by using crypto maps:
1- A crypto map is an egress feature that gets configured on the egress interface
2- Crypto maps do not work on loopback interfaces [not supported]
3- A specific crypto map cannot have multiple local addresses
If you want to make this work, then you will have to use two sets of tunnel interfaces with tunnel protection.
Cheers,
Olivier
CCIE Security #20306
04-22-2012 03:42 AM
I understand.
Is there any sample configuration or link using tunnel protection you can recommend to me?
Thanks
JP
04-22-2012 04:24 AM
Hey Jean-Paul,
Something like
crypto ipsec profile tunnel1
set transform-set
crypto ipsec profile tunnel2
set transform-set
interface tunnel1
ip address
tunnel source
tunnel destination
tunnel protection ipsec profile tunnel1
interface tunnel2
ip address
tunnel source
tunnel destination
tunnel protection ipsec profile tunnel2
And of course the same thing inverted on the remote device.
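Filling in the template above with concrete values, as an added example that is not Olivier's or JP's configuration: both routers get two IPsec VTIs, one sourced from the physical interface and one from a loopback, so that no crypto map is needed on either interface. All addresses (RFC 5737 documentation ranges), pre-shared keys, transform-set and profile names are constructed for illustration; a single IPsec profile is shared by both tunnels, which IOS allows, and `tunnel mode ipsec ipv4` makes them plain VTIs as in JP's later Tunnel20 rather than GRE-over-IPsec.

```cisco
! ---- R1 (constructed example; addresses from RFC 5737 documentation ranges) ----
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! one pre-shared key per peer address; the second peer address is R2's Loopback0
crypto isakmp key EXAMPLE-PSK-1 address 198.51.100.2
crypto isakmp key EXAMPLE-PSK-2 address 203.0.113.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
! no "crypto map" on the physical interface: tunnel protection on the VTIs replaces it
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
!
! VPN1: sourced from the physical interface
interface Tunnel1
 ip address 10.50.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! VPN2: sourced from the loopback, where a crypto map could not be applied
interface Tunnel2
 ip address 10.50.1.5 255.255.255.252
 tunnel source Loopback0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! R2's loopback must be reached over the physical path, never through a tunnel,
! otherwise Tunnel2 would recursively route its own encrypted packets into Tunnel1
ip route 203.0.113.2 255.255.255.255 198.51.100.2

! ---- R2 (mirror image) ----
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-1 address 198.51.100.1
crypto isakmp key EXAMPLE-PSK-2 address 203.0.113.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
interface Loopback0
 ip address 203.0.113.2 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel1
 ip address 10.50.1.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel2
 ip address 10.50.1.6 255.255.255.252
 tunnel source Loopback0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
ip route 203.0.113.1 255.255.255.255 198.51.100.1
```

With this in place, `show crypto session` (the command JP uses in the thread) should list both Tunnel1 and Tunnel2 as UP-ACTIVE, each with its own IKEv1 SA to the matching peer address. The static /32 routes for the peer loopbacks are the part most often forgotten: once EIGRP runs over Tunnel1, a peer loopback learned through that tunnel would pull Tunnel2's outer packets into Tunnel1 and the second tunnel would flap.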
04-23-2012 03:25 AM
Hello
Thanks for your assistance.
Actually I use a crypto map for the first VPN, which is up/up.
I then configured tunnel protection on the second VPN and applied 2 different EIGRP peers in these tunnels. Both VPNs are up.
RT1#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/0.1207
Session status: UP-ACTIVE
Peer:
IKEv1 SA: local
IPSEC FLOW: permit 47 host
Active SAs: 2, origin: crypto map
Interface: Tunnel20
Session status: UP-ACTIVE
Peer: 37.200.104.2 port 500
IKEv1 SA: local
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
RT1#
RT1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address      Interface   Hold   Uptime     SRTT   RTO    Q    Seq
                             (sec)             (ms)          Cnt  Num
0   10.50.1.2    Tu10        10     3d05h      338    2028   0    368
EIGRP-IPv4 Neighbors for AS(2)
H   Address      Interface   Hold   Uptime     SRTT   RTO    Q    Seq
                             (sec)             (ms)          Cnt  Num
0   10.50.1.6    Tu20        10     00:25:53   339    2034   0    2
RT1#
As the SAME policies are applied on the EIGRP sessions on both sides, we should receive the same routes on both sessions. At this stage I receive only routes from tunnel10.
RT1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 223.29.159.46 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 20 subnets, 5 masks
D EX 10.23.1.248/32 [170/26882560] via 10.50.1.2, 01:36:40, Tunnel10
D EX 10.23.5.0/24 [170/26882560] via 10.50.1.2, 01:36:40, Tunnel10
172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX 172.20.2.0/24 [170/26882560] via 10.50.1.2, 01:36:40, Tunnel10
RT1#
So my questions:
* Why do I receive only prefixes from tunnel10?
* Does the second tunnel also accept multicast packets (or do I also need to add "ip pim sparse-mode")?
Thanks for the answer
JP
04-23-2012 04:47 AM
Just a sanity check.
You can ping 10.50.1.6 across the VPN, right?
EIGRP is properly configured on the remote end?
Can you share the config?
04-24-2012 04:30 AM
Hello,
Here is the config for RT1.
RT1
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
crypto isakmp key key1 address
crypto isakmp key key2 address
!
!
crypto ipsec transform-set myincset esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set TSC esp-3des esp-sha-hmac
!
crypto ipsec profile PC
set transform-set TSC
!
!
crypto ipsec profile myincprofile
!
!
!
crypto map myincmap 10 ipsec-isakmp
set peer
set transform-set myincset
match address 100
!
!
interface Tunnel10
ip address 10.50.1.1 255.255.255.252
ip pim sparse-mode
tunnel source GigabitEthernet0/0
tunnel destination
!
interface Tunnel20
ip address 10.50.1.5 255.255.255.252
ip pim sparse-mode
tunnel source GigabitEthernet0/2
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile PC
!
!
interface GigabitEthernet0/0
ip address
crypto map myincmap
!
!
interface GigabitEthernet0/2
ip address
!
!
access-list 100 permit gre host
!
I can ping subnets 10.50.1.0/30 and 10.50.1.4/30 on both sides.
Both VPNs are UP:
RT1#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer:
IKEv1 SA: local
IPSEC FLOW: permit 47 host
Active SAs: 2, origin: crypto map
Interface: Tunnel20
Session status: UP-ACTIVE
Peer:
IKEv1 SA: local
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
RT1#
and the following EIGRP 1 routing table:
D EX 10.23.1.248/32 [170/26882560] via 10.50.1.2, 05:11:27, Tunnel10
D EX 10.23.5.0/24 [170/26882560] via 10.50.1.2, 05:11:27, Tunnel10
172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX 172.20.2.0/24 [170/26882560] via 10.50.1.2, 05:11:27, Tunnel10
To switch from tunnel10 to tunnel20, I added a low bandwidth on tunnel10 on both sides. So on both sides all prefixes are switched to tunnel20.
Is this a good configuration?
Thanks
JP
04-26-2012 01:04 AM
Crypto config looks good.
So basically you have a different EIGRP metric between interfaces. You need to make sure the metric is the same if you want equal load balancing.
If you want unequal load balancing then you could use the following config:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009437d.shtml
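The two options named in this last reply, equal-cost and unequal-cost load sharing over the two tunnels, as an added example that is not the thread's configuration: it assumes both tunnels carry neighbors in a single EIGRP AS (path load sharing only happens within one routing process, so the AS 1 / AS 2 split shown earlier in the thread would not do it), and the interface names, bandwidth and delay values are constructed. `delay` is given in tens of microseconds.

```cisco
! ---- Option A: equal-cost, traffic shared across both tunnels ----
! identical bandwidth and delay on both VTIs give identical EIGRP metrics,
! so both paths are installed and used (ECMP) without any extra command
interface Tunnel1
 bandwidth 10000
 delay 100
!
interface Tunnel2
 bandwidth 10000
 delay 100
!
router eigrp 1
 network 10.50.1.0 0.0.0.7

! ---- Option B: unequal-cost, Tunnel2 preferred but Tunnel1 still carrying some traffic ----
! Tunnel1 is made worse by delay only; its metric must stay within "variance"
! times the best metric or EIGRP installs nothing through it at all, which is the
! all-or-nothing switch that happens when one tunnel is given a very low bandwidth
interface Tunnel1
 bandwidth 10000
 delay 150
!
interface Tunnel2
 bandwidth 10000
 delay 100
!
router eigrp 1
 network 10.50.1.0 0.0.0.7
 variance 2
```

After either option, `show ip route eigrp` should list the same prefix with two next hops (10.50.1.2 via Tunnel1 and 10.50.1.6 via Tunnel2 in this constructed addressing) instead of only one, and `show ip eigrp neighbors` should show both neighbors under the same AS. Unequal-cost sharing also requires the worse path to be a feasible successor, which is automatically the case here because both tunnels end on the same peer router.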