connected to 2 remote peers in site to site vpn

donnie (Level 1)

Hi all,

I have a cisco 1841 router which is connected to a partner site via site to site vpn.

Our partner has given us ip addresses of 2 remote peers that we can use to establish the site to site vpn for backup purpose.

On one occasion, our router was connected to 2 remote peers and it seemed to cause our connection to fail. I removed the connection to 1 of the remote peers and it works fine after that. Below is a portion of the router config showing the phase 1 and phase 2 config.

Someone suggested using "crypto map testing 50 set connection-type originate-only" so as to ensure that it will only connect to 1 peer at a time, but this seems to be available on ASA firewalls and not on Cisco 1800 series routers. Pls advise how I can prevent connection to 2 remote peers at the same time while still having the option of redundancy in case 1 of the remote peers fails. Thks in advance.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key yyyyyyyy address 1.x.x.x
crypto isakmp key yyyyyyyy address 2.x.x.x
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map testing 50 ipsec-isakmp
 set peer 1.x.x.x
 set peer 2.x.x.x
 set security-association lifetime seconds 300000
 set transform-set test
 set pfs group2
 match address 101

3 Replies

Atul Singh (Level 1)

Hi,

You can try putting the default keyword at the end of one of the "set peer" lines. For example "set peer 1.x.x.x default". As far as I can think, it will work in situations when the tunnel is initiated from your end.

Thnx

donnie (Level 1)

Hi Atul,

In my previous experience, when I do a "show crypto isakmp sa" I can see that one VPN tunnel connection is initiated by my end while the other is initiated by the remote end. Hence, how do I prevent the remote end (my company's partner) from initiating the VPN tunnel using configuration on the Cisco 1841 on my end? All connections will be initiated from my end since all services required are hosted on the remote end. Pls advise. Thks in advance.

Atul Singh (Level 1)

You are right in saying that both tunnels can be formed if initiated from the other side. The default keyword just makes it the first one to be tried during negotiation if a tunnel with none of the peers exists. So if two tunnels are made, then the logic to decide which peer to send to depends on whichever peer the last encrypted traffic was sent to.

I don't really see any problem in that unless the peers are firewalls and there is asymmetric routing, as firewalls keep track of the states. What I mean is, what if you are sending to PEER1 and routing on the other site makes the reply come from PEER2? It won't be a problem on your side but might be a problem on the other site.

One solution is to make the other site never initiate the tunnel by using dynamic crypto maps.

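To put the two suggestions in this thread side by side, here is an added configuration example (not taken from the original post or from either participant). The first part is the 1841's crypto map from the question with the "default" keyword Atul describes added to the preferred peer, plus periodic DPD so a dead primary is detected before the secondary is tried; it assumes an IOS release that supports the preferred-peer keyword. The second part is a hypothetical responder-only configuration for the partner side, using a dynamic crypto map as Atul's last reply suggests: a dynamic crypto map entry can only answer a negotiation, never start one, so the partner can no longer bring up a second tunnel on its own. The peer addresses, key, access list and the interface name are placeholders carried over from the thread or constructed for the example.

```cisco
! ---- Local Cisco 1841 (initiator): based on the config in the question ----
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key yyyyyyyy address 1.x.x.x
crypto isakmp key yyyyyyyy address 2.x.x.x
! Periodic DPD: probe every 10 s, retry every 3 s, so a dead peer is
! noticed quickly and the crypto map moves on to the next "set peer".
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map testing 50 ipsec-isakmp
 ! "default" marks 1.x.x.x as the preferred peer: it is tried first when no
 ! tunnel exists. 2.x.x.x is only used when the preferred peer does not answer.
 set peer 1.x.x.x default
 set peer 2.x.x.x
 set security-association lifetime seconds 300000
 set transform-set test
 set pfs group2
 match address 101
!
! WAN interface name is a placeholder; the crypto map must be applied here.
interface FastEthernet0/0
 crypto map testing
!
! ---- Partner side (responder only): hypothetical, per Atul's suggestion ----
! The partner keys on the 1841's public address (placeholder 3.x.x.x).
crypto isakmp key yyyyyyyy address 3.x.x.x
!
! A dynamic crypto map has no "set peer": it accepts proposals that match
! the transform set / PFS group but cannot initiate, so only the 1841 ever
! opens a tunnel and a second concurrent tunnel is never created.
crypto dynamic-map PARTNER-RESPONDER 10
 set transform-set test
 set pfs group2
 match address 101
!
crypto map PARTNER 100 ipsec-isakmp dynamic PARTNER-RESPONDER
!
! Verification on the 1841 after a failover test:
!   show crypto isakmp sa     -> should list one peer at a time
!   show crypto map           -> shows which peer carries the "default" flag
```

Note that the dynamic crypto map only helps if the partner actually changes its side; the 1841 alone cannot stop a remote static crypto map from initiating, which is the situation donnie observed in "show crypto isakmp sa". Keep the static crypto map on the 1841, since a dynamic map there would leave both sides unable to initiate.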