Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN to remote site that have 2 failover link

Dear support team,

I'm using a 1861 Router with C1861-ADVENTERPRISEK9-M IOS version to connect VPN site-to-site with DC site that have 2 VPN link for redundancy. The router can connect successfully if using crypto map with each public IP of DC site. My problem is when I add 1 more peer in crypto map and shutdown the running peer on DC site, connection between 2 site is failed while show crypto session of new peer is showing UP-ACTIVE.

Here's log show crypto session detail of new peer:

Interface: Dialer1

Uptime: 00:00:54

Session status: UP-ACTIVE    

Peer: y.y.y.y port 500 fvrf: (none) ivrf: (none)

      Phase1_id: 10.0.35.5

      Desc: (none)

  IKE SA: local z.z.z.z/500 remote y.y.y.y/500 Active

          Capabilities:(none) connid:2003 lifetime:00:04:05

  IPSEC FLOW: permit ip 10.2.1.0/255.255.255.0 0.0.0.0/0.0.0.0

        Active SAs: 2, origin: crypto map

        Inbound:  #pkts dec'ed 1869 drop 0 life (KB/Sec) 4408194/245

        Outbound: #pkts enc'ed 3536 drop 158 life (KB/Sec) 4408171/245

  IPSEC FLOW: permit ip 10.2.1.0/255.255.255.0 128.0.0.0/192.0.0.0

        Active SAs: 2, origin: crypto map

        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4487324/272

        Outbound: #pkts enc'ed 36 drop 46 life (KB/Sec) 4487320/272

Here's configuration:

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

lifetime 300

crypto isakmp key vpnkey address x.x.x.x

crypto isakmp key vpnkey address y.y.y.y

!        

!

crypto ipsec transform-set vpn esp-aes esp-sha-hmac

!

crypto map test 100 ipsec-isakmp

set peer x.x.x.x

set peer y.y.y.y

set security-association lifetime seconds 300

set transform-set vpn

match address vpn

!

interface Dialer1

ip address negotiated

ip mtu 1492

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp authentication pap callin

ppp pap sent-username  password

crypto map test

Could you please help me find solution for this problem. Thank you so much.

4 REPLIES

VPN to remote site that have 2 failover link

check your routes.

Jawad

Jawad
New Member

VPN to remote site that have 2 failover link

Thank Jawad.

My VPN topology is used for centralized Internet connection. Here's routing configuration:

ip route 0.0.0.0 0.0.0.0 Dialer1

I've just find an strange thing. After a long time (I think it takes more 1 hour) of failed connection for new peer, it turned successfully connection for that new peer. I had waited for about 1 hour before 2 days ago with continuous ping. I configured IKE renegotiation and SA lifetime are 5 minutes.

New Member

Re: VPN to remote site that have 2 failover link

Hi,

Try this.

1. Modify the configuration of crypto map, use the "default" option for the primary link in DC.

crypto map test 100 ipsec-isakmp

set peer x.x.x.x default

set peer y.y.y.y

2. Enable DPD (Dead Peer Detection) on both routers.

crypto isakmp keepalive  [retry-seconds] [periodic | on-demand]

Link: IPsec Dead Peer Detection

________________

Best regards,
MB

________________ Best regards, MB
New Member

VPN to remote site that have 2 failover link

Thank czaja0000.

I tried 1 before but it didn't work.

With your option 2, I can not use it in my environment. At DC site, I use Checkpoint FW to establish VPN connection. My Checkpoint version does not support DPD.

298
Views
0
Helpful
4
Replies
CreatePlease to create content