New Member

Adding an additional IPSEC Peer

We are in the process of adding an additional ISP to our corporate network. When we do so, the ASA we use will connect with our WAN sites (Cisco 2811s, and I know we need to upgrade!) with the current NAT'd IP (7.7.7.7 for this question) and also the new one (8.8.8.8). I need to know a way to add the additional ISP IP into our WAN site routers so they will accept either the existing IP or the new one. Here is our WAN site router's current setup:

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key examplekey1! address 7.7.7.7
crypto isakmp keepalive 10 5 periodic
!
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
!
crypto map aptmap 10 ipsec-isakmp
 set peer 7.7.7.7
 set transform-set aptset
 set pfs group5
 match address IPSec
!
!
ip access-list extended IPSec
 permit ip 10.2.2.0 0.0.0.255 any (Site IP range)

What would I add for the additional NAT'd IP (8.8.8.8)?

Note: the ASA that has all of our tunnels will be behind a load balancer so all it will be looking for is the tunnel coming into one of its interfaces.


Thanks in advance!

6 REPLIES
Hall of Fame Super Bronze


crypto isakmp key examplekey1! address 8.8.8.8

crypto map aptmap 20 ipsec-isakmp
 set peer 8.8.8.8
 set transform-set aptset
 set pfs group5
 match address newacl (would you be matching the same traffic? I don't think you could load-share the traffic)

New Member


Edison,

I could do it that way if needed. If I remember right, there was some way to do the set peer with a name:

set peer IPSEC

I just can't remember it...

Hall of Fame Super Silver


The suggestion from Edison is the classic way to define a second tunnel on the 2811 router. And it works very well as long as the two tunnels go to separate destinations. But if I read your posts correctly it is the same single 2811 as source going to the same ASA as destination. In that case I do not believe that two separate tunnels will work. There is a way to have two peer statements within the same instance of the crypto map and I believe that is what you need for the 2811. The config might look something like this:

crypto map aptmap 10 ipsec-isakmp
 set peer 7.7.7.7
 set peer 8.8.8.8
 set transform-set aptset
 set pfs group5
 match address IPSec

HTH

Rick

New Member


That would work but the question is would it attempt to build out two tunnels to the same device?

Hall of Fame Super Silver


It is my understanding that if you configure what I have suggested, with two peer statements in one instance of the crypto map, the router will build one tunnel (not two) and will try the first peer address. If the first peer address works, then the tunnel comes up. If there is a problem with the first peer address, then the router tries the second peer address. So in effect it gives you a failover mechanism.

HTH

Rick
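The two replies above describe two different ways of adding 8.8.8.8: Edison's second crypto map sequence, which only makes sense if it matches different traffic, and Rick's two `set peer` lines in one sequence, which IOS tries in order. Either way, the second peer only works if a pre-shared key exists for its address and if keepalives are configured so a dead first peer is noticed. The script below is an added example, not code from the thread or from Cisco: it parses a saved IOS config and reports exactly those problems. The sample config is constructed from the thread's 2811 config; 7.7.7.7 and 8.8.8.8 are the thread's placeholder addresses, while 9.9.9.9, the extra sequence 20, and interface FastEthernet0/0 are assumptions made up to show the checks firing.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's 2811 config with the second peer added the
# way Rick describes (two 'set peer' lines in sequence 10), plus a deliberately
# wrong extra sequence 20 that matches the same ACL, the case Edison's reply
# warns about. 9.9.9.9 and FastEthernet0/0 are assumptions for this example.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key examplekey1! address 7.7.7.7
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
!
crypto map aptmap 10 ipsec-isakmp
 set peer 7.7.7.7
 set peer 8.8.8.8
 set transform-set aptset
 set pfs group5
 match address IPSec
crypto map aptmap 20 ipsec-isakmp
 set peer 9.9.9.9
 set transform-set aptset
 match address IPSec
!
ip access-list extended IPSec
 permit ip 10.2.2.0 0.0.0.255 any
!
interface FastEthernet0/0
 crypto map aptmap
"""

# The same config with the bogus sequence 20 removed and a key added for the
# second peer, which is what the thread's 2811 would need.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "crypto map aptmap 20 ipsec-isakmp\n set peer 9.9.9.9\n"
    " set transform-set aptset\n match address IPSec\n", ""
).replace(
    "crypto isakmp key examplekey1! address 7.7.7.7\n",
    "crypto isakmp key examplekey1! address 7.7.7.7\n"
    "crypto isakmp key examplekey1! address 8.8.8.8\n",
)


def parse_crypto_maps(config):
    """Return {(map_name, seq): {'peers': [...], 'acl': name}} in config order.
    Sub-commands are the indented lines that follow a 'crypto map' header; any
    unindented line ends the block."""
    entries = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^crypto map (\S+) (\d+) ipsec-isakmp", line)
        if header:
            current = (header.group(1), int(header.group(2)))
            entries[current] = {"peers": [], "acl": None}
            continue
        if current is not None and line.startswith(" "):
            sub = line.strip()
            peer = re.match(r"^set peer (\S+)", sub)
            acl = re.match(r"^match address (\S+)", sub)
            if peer:
                entries[current]["peers"].append(peer.group(1))
            elif acl:
                entries[current]["acl"] = acl.group(1)
            continue
        current = None
    return entries


def parse_isakmp_keys(config):
    """Set of peer addresses that have a pre-shared key (0.0.0.0 = wildcard)."""
    return set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))


def has_keepalive(config):
    """True if ISAKMP keepalives (DPD) are enabled globally."""
    return re.search(r"^crypto isakmp keepalive \d+ \d+", config, re.M) is not None


def failover_order(config, map_name, seq):
    """Peers in the order IOS tries them for one sequence: the first 'set peer'
    is used until it fails, then the next one."""
    return list(parse_crypto_maps(config)[(map_name, seq)]["peers"])


def check_config(config):
    """Return a list of findings; an empty list means the peers look consistent."""
    findings = []
    maps = parse_crypto_maps(config)
    keys = parse_isakmp_keys(config)
    wildcard = "0.0.0.0" in keys
    acl_users = defaultdict(list)
    for (name, seq), entry in maps.items():
        if not entry["peers"]:
            findings.append(f"{name} {seq}: no 'set peer' configured")
        for peer in entry["peers"]:
            if peer not in keys and not wildcard:
                findings.append(f"{name} {seq}: peer {peer} has no "
                                f"'crypto isakmp key ... address {peer}'")
        if entry["acl"] is None:
            findings.append(f"{name} {seq}: no 'match address' ACL")
        else:
            acl_users[(name, entry["acl"])].append(seq)
    # Two sequences of one map matching the same ACL: the lowest sequence is
    # evaluated first, so the later one never sees that traffic.
    for (name, acl), seqs in acl_users.items():
        if len(seqs) > 1:
            findings.append(f"{name}: ACL {acl} is matched by sequences "
                            f"{sorted(seqs)}; only the lowest one ever matches")
    if any(len(e["peers"]) > 1 for e in maps.values()) and not has_keepalive(config):
        findings.append("multiple peers configured but no 'crypto isakmp keepalive', "
                        "so a dead first peer is not detected promptly")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in check_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against `show running-config` output saved to a file before and after adding the second peer. The parser only understands the global `crypto isakmp key` form; keys stored in a keyring (`crypto keyring`) would show up as false positives.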

New Member


Is there a way anyone knows of to set up the IPSec so that the IP addresses are equal?  Say, create a pool somehow and put both addresses in it then put the name of the pool in as the peer?
