I have the following scenario: 2x IOS routers at the center and multiple clients to be connected to them over IPsec VPN. The clients will consist of Cisco routers, Cisco firewalls, Juniper, Check Point and some other vendor equipment. I have two peers (the routers listed above) connected to the same private cloud of servers that the clients need access to. A static crypto map is a must, since we don't have access to the client equipment and this is the most generic IPsec implementation available across different vendors' equipment. The plan is to provide two peers to each remote client and, in the case of a Cisco router, instruct the clients to specify both under the same crypto map entry with a single crypto interesting-traffic ACL, i.e.
crypto map mymap 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx default
 set peer yyy.yyy.yyy.yyy
The routers at the center are configured with a static crypto map for each client router, translating (NAT) each customer's source IP address (from the crypto interesting-traffic list) into some internal network, because of possible overlapping networks.
Each router translates into its own, different IP address pool, there is a stateful firewall behind each router, and the server is behind that firewall.
For example, client A's source IP address will be translated to 10.10.10.10 if client A connects to the first location, and the same client A source IP address will be translated to 192.168.168.10 if client A connects to the secondary location.
My question is this: it is very unlikely that a client could be connected to both peers at the same time, since the server application is designed not to initiate any outgoing connections to the remote clients and this is blocked on the firewall, but just in case of simultaneous connections from the same peer to both routers, which peer will take over, and what will happen to the existing TCP sessions? Will they be cut when the second IPsec SA is initiated (because of NAT and the stateful firewall at the center dropping ACKs when it has seen no SYN), causing just a temporary service disruption, and which of the peers will take over routing the traffic?
A responder-only crypto map is unfortunately not available on the central routers, because VTI is not applicable in this environment.
I believe this is a bit of a complicated scenario, so Experts, I need your advice!
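As an added example (not part of the original post and not a capture from the poster's network): a small Python model of the central-site data path the question describes, one NAT pool and one stateful firewall per location, to make the suspected failure mode concrete. It assumes a client address of 172.16.5.10 and a server address of 10.0.0.5 (both made up); the NAT addresses 10.10.10.10 and 192.168.168.10 are the ones from the post. The model encodes the behaviour the post attributes to the firewall (a non-SYN packet with no matching state is dropped); it does not model IKE or which `set peer` a client will actually choose, which is the part only the real platforms can answer.

```python
"""Model of two central sites, each with its own NAT pool and its own stateful
firewall in front of the shared server. Constructed example; all addresses are
assumptions except the two NAT addresses quoted from the post."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "ACK", "PSH/ACK", ...


@dataclass
class Location:
    """One central site: IPsec peer, per-site NAT pool, stateful firewall."""
    name: str
    nat_map: dict                      # client real source -> translated source
    conn_table: set = field(default_factory=set)

    def nat(self, pkt: Packet) -> Packet:
        # Source NAT applied after decryption, as described in the post.
        return Packet(self.nat_map[pkt.src], pkt.sport, pkt.dst, pkt.dport, pkt.flags)

    def firewall(self, pkt: Packet) -> str:
        # Stateful firewall: a SYN creates state, anything else must match state.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "SYN" in pkt.flags:
            self.conn_table.add(key)
            return "ALLOW"
        return "ALLOW" if key in self.conn_table else "DROP"

    def forward(self, pkt: Packet) -> tuple:
        translated = self.nat(pkt)
        return translated.src, self.firewall(translated)


SERVER = "10.0.0.5"       # assumed server address behind both firewalls
CLIENT_A = "172.16.5.10"  # assumed real source address of client A


def build_sites() -> tuple:
    primary = Location("primary", {CLIENT_A: "10.10.10.10"})
    secondary = Location("secondary", {CLIENT_A: "192.168.168.10"})
    return primary, secondary


def failover_scenario() -> list:
    """Client A opens a TCP session via the primary peer, then its traffic shifts
    to the secondary peer mid-session (a new IPsec SA to the second 'set peer').
    Returns (site, translated source, firewall verdict) for each packet, in order."""
    primary, secondary = build_sites()
    syn = Packet(CLIENT_A, 40001, SERVER, 443, "SYN")
    ack = Packet(CLIENT_A, 40001, SERVER, 443, "ACK")
    data = Packet(CLIENT_A, 40001, SERVER, 443, "PSH/ACK")

    results = []
    results.append(("primary",) + primary.forward(syn))
    results.append(("primary",) + primary.forward(ack))
    # Same TCP session now arrives via the secondary peer: different translated
    # source address, and a firewall that never saw the SYN -> dropped.
    results.append(("secondary",) + secondary.forward(data))
    # The client's application retries with a fresh connection; the SYN creates
    # state on the secondary firewall and the new session works.
    new_syn = Packet(CLIENT_A, 40002, SERVER, 443, "SYN")
    results.append(("secondary",) + secondary.forward(new_syn))
    return results


if __name__ == "__main__":
    for site, translated_src, verdict in failover_scenario():
        print(f"{site:9} src->{translated_src:15} {verdict}")
```

Run it directly to see the four verdicts. The model shows why the in-flight session cannot survive a move between peers in this design even if the NAT pools were identical: the second site's firewall has no state for it, so the disruption is bounded by how quickly the client application reconnects, not by anything the routers do.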