03-02-2010 07:09 AM
Hi,
I have a router with crypto map applied to an interface. This crypto map has two remote peers with the below configuration.
crypto map test 10 ipsec-isakmp
set peer 1.1.1.1
set peer 2.2.2.2
set transform-set tset
match address 101
access-list 101 permit ip 5.5.5.0 0.0.0.255 6.6.6.0 0.0.0.255
These two remote peers are two routers that are accessing the same resource which is 6.6.6.0/24.
My question has something to do with asymmetric routing. If I have a packet that comes out my VPN interface to one peer, say 1.1.1.1, but goes back from 2.2.2.2, will this work? From my simulations, it doesn't. If this won't work, is there a way to allow this type of VPN traffic? I mean, if I send traffic out to peer 1.1.1.1 and it comes back from 2.2.2.2, or if the remote site sends out from 1.1.1.1 and I reply back to peer 2.2.2.2, it won't cause problems.
Thanks.
03-02-2010 09:17 AM
Mark
Are these 2 peers in different remote sites? If so, I am surprised if this is working, because your config is basically using 2 peers as redundant connections for the same VPN.
If these are separate connections from different sites, then are they both using 5.5.5.0/24 as their subnet? If so, you could NAT one of them at the remote end if you control both ends.
Can you clarify?
Jon
03-02-2010 10:59 AM
Hi Jon,
The two router peers are at the same branch office. They have two routers running on their perimeter for redundancy, one router with IP 1.1.1.1 and the other 2.2.2.2. The 5.5.5.0 subnet is a resource on their internal network.
03-02-2010 11:39 AM
Mark
If the 2 routers are in the same office, could you not run HSRP between them? Then only one router will be used to initiate the tunnel. How do these routers exchange routes with your head office router?
Jon
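The HSRP arrangement Jon suggests, written out as an added configuration example. This is not config from the thread or from either poster; every address in it is an assumption: the branch routers R1 and R2 share one outside segment (1.1.1.1 and 1.1.1.2, since HSRP cannot span the separate subnets that 1.1.1.1 and 2.2.2.2 imply), the HSRP virtual address is 1.1.1.3, the head-office peer is 3.3.3.3, the branch LAN is 5.5.5.0/24 (as in Mark's second post) and the head-office network is 6.6.6.0/24. The crypto ACLs at the two ends must be mirror images of each other. The `crypto map ... redundancy` and `reverse-route` commands are IOS features for IPsec failover with HSRP; confirm the exact syntax on your IOS release.

```cisco
! Added example, not from the thread. Branch router R1 (primary).
! R2 is configured identically except for its own outside address
! (assumed 1.1.1.2), a lower standby priority and no "preempt".
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! Pre-shared key bound to the single head-office peer (assumed 3.3.3.3).
crypto isakmp key REPLACE-WITH-STRONG-PSK address 3.3.3.3
!
! Dead Peer Detection so a failed tunnel owner is noticed quickly.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
!
! Branch crypto ACL: branch LAN (assumed 5.5.5.0/24) to head office (assumed 6.6.6.0/24).
access-list 101 permit ip 5.5.5.0 0.0.0.255 6.6.6.0 0.0.0.255
!
crypto map test 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set tset
 match address 101
 ! Reverse Route Injection: the router that owns the tunnel installs a
 ! static route for the remote subnet, so inside routing follows the tunnel.
 reverse-route
!
interface GigabitEthernet0/0
 description outside, shared segment with R2
 ip address 1.1.1.1 255.255.255.0
 standby 1 ip 1.1.1.3
 standby 1 priority 110
 standby 1 preempt
 standby 1 name HA-OUTSIDE
 ! Give up the VIP if the inside link dies, so tunnel and LAN fail together.
 standby 1 track GigabitEthernet0/1 20
 ! Bind the crypto map to the HSRP group: IKE and IPsec use the virtual
 ! address 1.1.1.3 as the local endpoint, and only the active router negotiates.
 crypto map test redundancy HA-OUTSIDE
!
interface GigabitEthernet0/1
 description inside, branch LAN
 ip address 5.5.5.2 255.255.255.0
 standby 2 ip 5.5.5.1
 standby 2 priority 110
 standby 2 preempt
!
! ---------------------------------------------------------------
! Head-office router (Mark's side): one peer, the branch virtual address.
! The second "set peer" is no longer needed.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 1.1.1.3
!
crypto map test 10 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set tset
 match address 101
!
access-list 101 permit ip 6.6.6.0 0.0.0.255 5.5.5.0 0.0.0.255
```

To check it, `show standby brief` on both branch routers should show exactly one of them active for both groups; `show crypto isakmp sa` and `show crypto ipsec sa` on the head-office router should list 1.1.1.3 as the peer, never 1.1.1.1 or 1.1.1.2; and `show ip route static` on the active branch router should show the RRI route for the head-office subnet. One caveat: this failover is stateless, so after the active router dies the head office still holds an SA built with the old router until DPD or the SA lifetime clears it, and the new active router then negotiates a fresh SA from the same virtual address. The symmetry problem from the original question disappears because the head office now has exactly one peer address for this traffic.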