Dual IPSEC Tunnel - With IKE & Without IKE

tckoon, Level 1

Hi,

R1 has one interface and R2 has 2 interfaces; all interfaces are accessible from the Internet.

Currently I have managed to build IPsec between R1 & R2 on interface one.

For redundancy I would like to build dual tunnels between the 2 sites. That means router R1's crypto map will have two peers on different interface IPs.

Will it work for both manual IPsec and IKE mode? Or does it work for IKE only?

I tried manual IPsec; it does not work and an error message about a duplicate SA appears.

Thanks

ROUTER 1
----------
crypto map Node15 21 ipsec-manual
 set peer 203.92.2.A
 set session-key inbound esp 303 cipher xxxxx authenticator xxxxx
 set session-key outbound esp 302 cipher xxxxx authenticator xxxxx
 set transform-set ESP_md5_des
 match address 121
crypto map Node15 22 ipsec-manual
 set peer 203.92.2.B
 set session-key inbound esp 403 cipher xxxxx authenticator xxxxxx
 set session-key outbound esp 402 cipher xxxxx authenticator xxxxx
 set transform-set ESP_md5_des
 match address 121
interface fas0/0
 crypto map Node15

ROUTER 2
------------
crypto map Node16 21 ipsec-manual
 set peer 203.92.1.A
 set session-key inbound esp 302 cipher xxxxx authenticator xxxxx
 set session-key outbound esp 303 cipher xxxxxx authenticator xxxxx
 set transform-set ESP_md5_des
 match address 121
crypto map Node16 22 ipsec-manual
 set peer 203.92.1.A
 set session-key inbound esp 402 cipher xxxxx authenticator xxxxx
 set session-key outbound esp 403 cipher xxxxx authenticator xxxxx
 set transform-set ESP_md5_des
 match address 121
interface fas0/1
 crypto map Node16
interface fas0/2
 crypto map Node16

1 Reply

nihal.akbulut, Level 1

Hi,

You can write multiple peers for a crypto map when using IKE, for example:

crypto map Node15 21 ipsec-isakmp
 set peer 203.92.2.A
 set peer 203.92.2.B
 ...

Or there is another way: you can use a loopback interface on R2 as the tunnel endpoint. First define a loopback interface on R2, for example Loopback1. Then enter the command "crypto map Node16 local-address Loopback1" on R2 and apply your crypto map to both interfaces. Then on R1, make only one crypto map and set the peer address to R2's Loopback1 address.

The command "crypto map Node16 local-address Loopback1" changes the tunnel endpoint address on R2.

Hope this helps...
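A worked configuration of the loopback approach described above, added here as an example and not taken from the thread or from nihal.akbulut's reply: R2 terminates IKE/IPsec on Loopback1 so that R1 needs only a single peer, while the crypto map is applied to both R2 uplinks. It keeps the thread's placeholder addresses (203.92.1.A for R1, 203.92.2.A/B for R2's uplinks) and assumes 203.92.2.L as a routable loopback address, PRESHARED_KEY_PLACEHOLDER as the key, access-list 121 as already defined, and an AES/SHA transform set in place of the thread's des/md5 one.

```cisco
! Added example, not the thread's configuration. 203.92.2.L, the pre-shared
! key and access-list 121 are assumed placeholders.
!
! ===== ROUTER 2 (two Internet-facing interfaces) =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PRESHARED_KEY_PLACEHOLDER address 203.92.1.A
!
crypto ipsec transform-set ESP_AES_SHA esp-aes esp-sha-hmac
!
interface Loopback1
 ip address 203.92.2.L 255.255.255.255
!
! All IKE/IPsec traffic for map Node16 is sourced from Loopback1,
! whichever physical interface it leaves or arrives on.
crypto map Node16 local-address Loopback1
crypto map Node16 21 ipsec-isakmp
 set peer 203.92.1.A
 set transform-set ESP_AES_SHA
 match address 121
!
interface FastEthernet0/1
 crypto map Node16
interface FastEthernet0/2
 crypto map Node16
!
! ===== ROUTER 1 (single interface) =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PRESHARED_KEY_PLACEHOLDER address 203.92.2.L
!
crypto ipsec transform-set ESP_AES_SHA esp-aes esp-sha-hmac
!
! One peer only: R2's loopback, reachable via either of R2's uplinks.
crypto map Node15 21 ipsec-isakmp
 set peer 203.92.2.L
 set transform-set ESP_AES_SHA
 match address 121
!
interface FastEthernet0/0
 crypto map Node15
```

The loopback address must be reachable from R1 through either R2 uplink (a public or advertised prefix), otherwise the tunnel only ever follows one path. After a failover, "show crypto isakmp sa" and "show crypto ipsec sa" on R1 should still show the peer as 203.92.2.L rather than either physical address.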
