New Member

point to multipoint vpn question

Hi,

I have a router with a crypto map applied to an interface.  This crypto map has two remote peers with the configuration below.

crypto map test 10 ipsec-isakmp
 set peer 1.1.1.1
 set peer 2.2.2.2
 set transform-set tset
 match address 101

access-list 101 permit ip 5.5.5.0 0.0.0.255 6.6.6.0 0.0.0.255

These two remote peers are two routers that are accessing the same resource which is 6.6.6.0/24.

My question has something to do with asymmetric routing.  If I have a packet that goes out my VPN interface to one peer, say 1.1.1.1, but comes back from 2.2.2.2, will this work?  From my simulations, it doesn't.  If this won't work, is there a way to allow this type of VPN traffic?  I mean, if I send traffic out to peer 1.1.1.1 and it comes back from 2.2.2.2, or if the remote site sends out from 1.1.1.1 and I can reply back to peer 2.2.2.2, it won't cause problems.

Thanks.

3 REPLIES
Hall of Fame Super Blue

Re: point to multipoint vpn question

Mark

Are these 2 peers in different remote sites? If so, I am surprised if this is working, because your config is basically using 2 peers as redundant connections for the same VPN.

If these are separate connections from different sites, then are they both using 5.5.5.0/24 as their subnet? If so, you could NAT one of them at the remote end if you control both ends.

Can you clarify?

Jon

New Member

Re: point to multipoint vpn question

Hi Jon,

The two router peers are on the same branch office.  They have two routers running on their perimeter for redundancy.  One router with IP 1.1.1.1 and the other 2.2.2.2.  The 5.5.5.0 subnet is a resource on their internal network.

Hall of Fame Super Blue

Re: point to multipoint vpn question

Mark

If the 2 routers are in the same office, could you not run HSRP between them, so that only one router will be used to initiate the tunnel? How do these routers exchange routes with your head office router?

Jon
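As an added illustration (not code from the thread or from Cisco), here is a small Python model of the IPsec SA state on the head-office router: it shows why a reply that arrives from the second peer is dropped, and how the single-peer HSRP setup Jon suggests keeps both directions on the same SA. The `Hub` class, the SPI values and the 3.3.3.3 virtual address are assumptions; the model assumes only the first listed peer has negotiated SAs and ignores DPD failover and SA state synchronization.

```python
class Hub:
    """Toy head-office router: SAs are unidirectional and bound to one peer address."""

    def __init__(self, peers):
        self.peers = peers      # ordered 'set peer' list of the crypto map entry
        self.inbound = {}       # (peer_addr, spi) -> inbound SA we accept ESP on
        self.outbound = {}      # peer_addr -> SPI we use when sending to that peer

    def negotiate(self, peer, spi_in, spi_out):
        """IKE with one peer installs an inbound and an outbound SA for that peer only."""
        if peer not in self.peers:
            raise ValueError(f"{peer} is not a configured peer")
        self.inbound[(peer, spi_in)] = True
        self.outbound[peer] = spi_out

    def send(self):
        """Outbound traffic uses the first listed peer that has an SA (redundancy order)."""
        for p in self.peers:
            if p in self.outbound:
                return p, self.outbound[p]
        return None

    def receive(self, src, spi):
        """Inbound ESP is accepted only on an SA negotiated with that source address."""
        return (src, spi) in self.inbound


def two_peer_hub():
    """The head-office crypto map from the thread: one entry, two peers."""
    hub = Hub(["1.1.1.1", "2.2.2.2"])
    hub.negotiate("1.1.1.1", spi_in=0x1001, spi_out=0x1002)  # constructed SPIs
    return hub

def hsrp_hub():
    """Jon's suggestion: one HSRP virtual address, so the hub sees a single peer."""
    hub = Hub(["3.3.3.3"])                                   # constructed virtual IP
    hub.negotiate("3.3.3.3", spi_in=0x3001, spi_out=0x3002)
    return hub

def symmetric_return(hub):
    """Reply comes back from the same peer we sent to: a matching inbound SA exists."""
    active, _ = hub.send()
    spi_in = next(s for (p, s) in hub.inbound if p == active)
    return hub.receive(active, spi_in)

def asymmetric_return(hub):
    """Reply comes back from the other peer, which never negotiated SAs with the hub."""
    active, _ = hub.send()
    other = next(p for p in hub.peers if p != active)
    return hub.receive(other, 0x2001)   # constructed SPI; no SA matches, so it is dropped
```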
