New Member

Multiple L2L IPSec sources on one router

Hi folks,

I'm trying to make a redundantish office/datacentre connection on the cheap. At the datacentre, we've got a 7301 (12.2(24)T5) and at the office we've got a Mikrotik RB1200 (5.12).

The office router has two ADSL connections to two different ISPs, the datacentre router a single GigE to a colo provider. I'm trying to build an IPSec encrypted IPIP tunnel over each ADSL service to a separate loopback interface on the datacentre router, so I can run OSPF over the top for route exchange.

I need to use two different loopbacks on the datacentre router so the office router can have a static route for each of them out of each ISP's ADSL. But I'm running into issues making encryption work on two different source addresses.

Using the 'crypto map xxx local-address Loopback12' command, I can specify the outbound interface for one of the tunnels just fine, and traffic moves as expected, while the other tunnel fails to encrypt. But is there a way of having two peers use two different local addresses, or of applying two crypto maps to a single physical interface?

Thanks,

- I.

-- Datacentre router config --

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key xxx address B.B.B.B
crypto isakmp key xxx address A.A.A.A
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
no crypto ipsec nat-transparency udp-encaps
crypto map Crypto local-address Loopback12
crypto map Crypto 11 ipsec-isakmp
 set peer A.A.A.A
 set security-association lifetime kilobytes 10000000
 set transform-set vpn
 set pfs group2
 match address Crypto_via_ISPA
crypto map Crypto 12 ipsec-isakmp
 set peer B.B.B.B
 set security-association lifetime kilobytes 10000000
 set transform-set vpn
 set pfs group2
 match address Crypto_via_ISPB
!
interface Loopback11
 description Tunnel endpoint for ISP B
 ip address D.D.D.D 255.255.255.255
 crypto map Crypto
!
interface Loopback12
 description Tunnel endpoint for ISP A
 ip address C.C.C.C 255.255.255.255
 crypto map Crypto
!
interface Tunnel1
 description IPSec to office via ISP B
 ip address 10.0.0.2 255.255.255.254
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 ip ospf network point-to-point
 ip ospf cost 100
 tunnel source Loopback11
 tunnel destination B.B.B.B
 tunnel mode ipip
!
interface Tunnel2
 description IPSec to office via ISP A
 ip address 10.0.0.4 255.255.255.254
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 ip ospf network point-to-point
 ip ospf cost 50
 tunnel source Loopback12
 tunnel destination A.A.A.A
 tunnel mode ipip
!
interface GigabitEthernet0/0
 description Colo Internet
 crypto map Crypto
!
ip access-list extended Crypto_via_ISPA
 permit ip host C.C.C.C host A.A.A.A
ip access-list extended Crypto_via_ISPB
 permit ip host D.D.D.D host B.B.B.B

1 REPLY
Bronze

I don't think what you're doing will work. At the datacentre, you only need a single loopback interface as the VPN termination endpoint. However, this loopback must be visible over the Internet so the Mikrotik router can see it.

From there, the configuration is straightforward.

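As an added example (not part of the original thread and not either poster's configuration), this is the datacentre side laid out the way the reply suggests: one Internet-reachable loopback terminates both office peers, one crypto map set with one `local-address` covers both, and both IPIP tunnels are sourced from that loopback. The reason the two-loopback layout in the question cannot work as posted is that IOS allows one crypto map set per interface and `local-address` is a property of the whole set, so every peer in the set is negotiated from the same address; the second peer's SA can never be sourced from the other loopback. Names, addresses and cipher suite are reused from the original post so the office side does not need to change its proposals; Loopback11 and the NAT and virtual-reassembly lines from the post are omitted as not relevant to the point. The `show` commands at the end are the checks I would run after applying it; the per-ISP source-based routing on the Mikrotik side is assumed, not shown.

```ios
! Added example: one loopback (C.C.C.C on Loopback12) terminates both office peers.
! A.A.A.A / B.B.B.B = office addresses on ISP A / ISP B (from the original post).
! Cipher suite kept identical to the post so both ends still agree; see note below.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
! One pre-shared key per office peer address; each ISP path is its own IKE peer.
crypto isakmp key xxx address A.A.A.A
crypto isakmp key xxx address B.B.B.B
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
! A single crypto map set. local-address applies to the whole set, so IKE and
! the IPsec SAs for BOTH peers are sourced from C.C.C.C.
crypto map Crypto local-address Loopback12
crypto map Crypto 11 ipsec-isakmp
 set peer A.A.A.A
 set security-association lifetime kilobytes 10000000
 set transform-set vpn
 set pfs group2
 match address Crypto_via_ISPA
crypto map Crypto 12 ipsec-isakmp
 set peer B.B.B.B
 set security-association lifetime kilobytes 10000000
 set transform-set vpn
 set pfs group2
 match address Crypto_via_ISPB
!
! The only tunnel endpoint. No crypto map here: the map belongs on the
! interface the encrypted packets actually leave through (Gi0/0 below).
interface Loopback12
 description Tunnel endpoint for both office peers (must be Internet-reachable)
 ip address C.C.C.C 255.255.255.255
!
! Two IPIP tunnels, both sourced from the same loopback. They still differ by
! destination, so they remain two distinct OSPF point-to-point links.
interface Tunnel1
 description IPIP to office via ISP B
 ip address 10.0.0.2 255.255.255.254
 ip tcp adjust-mss 1400
 ip ospf network point-to-point
 ip ospf cost 100
 tunnel source Loopback12
 tunnel destination B.B.B.B
 tunnel mode ipip
!
interface Tunnel2
 description IPIP to office via ISP A
 ip address 10.0.0.4 255.255.255.254
 ip tcp adjust-mss 1400
 ip ospf network point-to-point
 ip ospf cost 50
 tunnel source Loopback12
 tunnel destination A.A.A.A
 tunnel mode ipip
!
interface GigabitEthernet0/0
 description Colo Internet
 crypto map Crypto
!
! Both crypto ACLs now use the same local address; only the peer differs.
! Kept as "ip" to match the existing RouterOS policies; narrowing to protocol 4
! (IPIP) is possible but must be mirrored on the Mikrotik side.
ip access-list extended Crypto_via_ISPA
 permit ip host C.C.C.C host A.A.A.A
ip access-list extended Crypto_via_ISPB
 permit ip host C.C.C.C host B.B.B.B
!
! Checks (exec mode), one entry per office peer expected:
!  show crypto isakmp sa              - A.A.A.A and B.B.B.B both in QM_IDLE
!  show crypto ipsec sa peer A.A.A.A  - #pkts encaps/decaps increasing
!  show crypto ipsec sa peer B.B.B.B  - same for the second path
!  show crypto map                    - local address C.C.C.C listed once
!  show ip ospf neighbor              - both tunnel neighbours in FULL state
```

With this layout the office router has two IKE peers that both point at C.C.C.C but use different local addresses (its ISP A and ISP B addresses), so the "two routes to one destination" problem moves to the Mikrotik, where it is a source-based routing decision rather than a Cisco crypto map limitation. On the cipher suite: 3DES, MD5 and DH group 2 (1024-bit) are legacy choices kept here only for parity with the post; if both ends support them, AES, SHA and a larger DH group (for both the ISAKMP policy and `set pfs`) are the settings to move to.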