Site-2-Site VPN with Multiple Peer Addresses

Good afternoon everyone!

I'm having some problems configuring site-2-site VPNs with multiple peers (i.e., for a peer with multiple internet connections and in turn public IP addresses).

With IKEv1 crypto-maps it seems a simple case of entering two peer addresses in the same crypto-map match statement:

crypto map Crypto_Map 10 match address Interesting_Traffic
crypto map Crypto_Map 10 set peer 1.2.3.4 1.2.3.5
crypto map Crypto_Map 10 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA

However, IKEv2 crypto-maps don't support multiple peer statements. Using two separate match statements:

crypto map Crypto_Map 10 match address Interesting_Traffic
crypto map Crypto_Map 10 set pfs
crypto map Crypto_Map 10 set peer 1.2.3.4
crypto map Crypto_Map 10 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-256-SHA1 IKEV2-IPSEC-ESP-3DES-SHA1
crypto map Crypto_Map 20 match address Interesting_Traffic
crypto map Crypto_Map 20 set pfs
crypto map Crypto_Map 20 set peer 1.2.3.5
crypto map Crypto_Map 20 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-256-SHA1 IKEV2-IPSEC-ESP-3DES-SHA1

In both cases we have set up IP SLA on the remote peer to fail over to the secondary line if the first line becomes unavailable. When the primary line fails we maintain internet connectivity; however, site-2-site connectivity via the VPN link is lost when using duplicate match statements.

Would it be the case that traffic from the local peer will match the Crypto_Map 10 statement, attempt to form a tunnel, fail (as the remote peer's primary line, and in turn its IP address, is down), get "stuck" on this statement and not know it has other match statements it can use?

Thanks in advance for any help with this.

1 REPLY

Your last assumption is right

Your last assumption is right. The router will not pick the next sequence in the crypto-map if the current one already matches.

Do you have IOS routers on both sides? Then you should configure virtual tunnel interfaces between your router and both peer addresses. Now you can fail over with the help of a line state, a routing protocol, or static routing with route tracking.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
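As an added illustration of the VTI approach suggested in the reply (not the poster's or the replier's own configuration), this is an IOS IKEv2 configuration for the single-homed side: one virtual tunnel interface per remote WAN address, with IP SLA route tracking moving the protected prefix from the primary tunnel to the secondary when the primary peer stops answering. The peer addresses 1.2.3.4 and 1.2.3.5 come from the thread; the tunnel subnets, interface names, profile names and the protected prefix 192.168.2.0/24 are assumptions, and the remote router mirrors this with each Tunnel sourced from its own WAN interface.

```cisco
! Constructed example, not the poster's config. IOS IKEv2 smart defaults supply the
! proposal and policy. Peer addresses 1.2.3.4 / 1.2.3.5 are from the thread; tunnel
! subnets, interface names and the protected prefix 192.168.2.0/24 are assumed.
crypto ikev2 keyring KR-REMOTE
 peer REMOTE-PRIMARY
  address 1.2.3.4
  pre-shared-key <REPLACE_WITH_PSK>
 peer REMOTE-SECONDARY
  address 1.2.3.5
  pre-shared-key <REPLACE_WITH_PSK>
crypto ikev2 profile IKEV2-PROF
 match identity remote address 1.2.3.4 255.255.255.255
 match identity remote address 1.2.3.5 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-REMOTE
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256
 set ikev2-profile IKEV2-PROF
! One VTI per remote WAN address; both tunnels stay up at the same time,
! so there is no crypto-map sequence to get "stuck" on.
interface Tunnel10
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 1.2.3.4
 tunnel protection ipsec profile IPSEC-PROF
interface Tunnel20
 ip address 10.255.0.5 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 1.2.3.5
 tunnel protection ipsec profile IPSEC-PROF
! Probe the far end of the primary tunnel; when the probe fails the tracked
! route is withdrawn and the floating static via Tunnel20 takes over.
ip sla 1
 icmp-echo 10.255.0.2 source-interface Tunnel10
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 192.168.2.0 255.255.255.0 Tunnel10 track 1
ip route 192.168.2.0 255.255.255.0 Tunnel20 250
```

Because routing rather than crypto-map matching selects the tunnel, "show track 1" and "show ip route 192.168.2.0" show which path is in use during a failover test.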