03-12-2008 12:36 PM - edited 03-03-2019 09:06 PM
We are trying to build a VPN tunnel through a Cisco router. The peer IP is from the IP range that is configured as secondary on the router. Is this possible?
rtr1--rtr2---internet
We have created a VPN on rtr1 and the peer IP is a part of the secondary IP configured on the rtr2
03-12-2008 01:40 PM
Sai
Thanks for helping me to understand the situation better. If the VPN will be between a client somewhere in the Internet and rtr1 using 1.1.1.1 as the VPN peer address, and 1.1.1.1 on rtr1 is the primary interface address, then the VPN should work ok (assuming that 1.1.1.1 is reachable from where the client is located).
I am still puzzled about a situation where rtr1 is connected to rtr2 and on that connecting link rtr1 uses 1.1.1.x as primary and rtr2 uses 1.1.1.x as secondary and uses 2.2.2.x as primary. I have seen situations where this kind of thing has caused problems - for example EIGRP and OSPF will not form neighbor relationships where this kind of mismatch exists. But the mismatch by itself will not impact the VPN. The VPN will not use 1.1.1.2 and will not care whether it is a secondary address.
HTH
Rick
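As an added illustration of the working arrangement Rick describes (example configuration, not config posted in this thread): rtr1 terminates the IPsec tunnel on its primary address 1.1.1.1, while rtr2 carries 1.1.1.2 only as a secondary address and simply forwards the traffic. The client peer 203.0.113.10, the protected networks, the pre-shared key placeholder and rtr2's route toward the Internet are assumed values.

```cisco
! ===== rtr1: VPN endpoint. 1.1.1.1 is the PRIMARY address on the link, so the
! router sources ISAKMP/IPsec packets from it; a secondary address would not
! be used as the source.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! <PRE_SHARED_KEY_PLACEHOLDER> is a placeholder, not a real key
crypto isakmp key <PRE_SHARED_KEY_PLACEHOLDER> address 203.0.113.10
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address VPN-TRAFFIC
!
interface Ethernet0
 ip address 1.1.1.1 255.255.255.0
 crypto map VPN
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! Default route points at rtr2's secondary address on the shared link (assumed).
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
! ===== rtr2: transit only. 2.2.2.2 is primary, 1.1.1.2 is secondary. The
! primary/secondary mismatch with rtr1 breaks EIGRP/OSPF adjacency on this
! link, as noted above, but does not affect the VPN terminated on rtr1.
interface Ethernet0
 ip address 2.2.2.2 255.255.255.0
 ip address 1.1.1.2 255.255.255.0 secondary
!
! rtr2 must still know how to reach 203.0.113.10 (assumed Internet-facing
! next hop); a missing route here is the kind of "routing issue" that keeps
! phase 1 from ever completing even though the VPN config itself is fine.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Verification on rtr1 (real IOS commands):
!   show crypto isakmp sa   -> state should reach QM_IDLE with peer 203.0.113.10
!   show crypto ipsec sa    -> local ident / "local crypto endpt." shows 1.1.1.1
!   show ip route 203.0.113.10 (on rtr2) -> confirms the return path exists
```

The Internet side must also have a route back to 1.1.1.0/24 via rtr2; without it, ISAKMP requests from 1.1.1.1 leave but the replies never return.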
03-12-2008 12:50 PM
Sai
I have not tested this and I do not know for certain. But I doubt that it will work to have a VPN session where the peer address is a secondary address on a router. In my experience, when a router builds a packet from an interface which has a primary and a secondary address, the router will use the primary address as the source address of the packet. For your VPN to work the router would need to use the secondary address as the source, and I doubt that the router will do this.
Would it be possible to change the VPN and use the router primary address as the peer address? Or would it be possible to reconfigure the router interface and make the current secondary address into the primary address?
HTH
Rick
03-12-2008 12:53 PM
Hi Rick,
Let me rephrase my question.
rtr1--rtr2--internet
eth on rtr1 is 1.1.1.1
eth on rtr2 is 1.1.1.2 sec
I build the VPN tunnel from 1.1.1.1.
Will this work?
03-12-2008 01:13 PM
Sai
I did not understand your diagram before and do not quite understand it here. Does it really show rtr1 is connected to rtr2 and rtr2 is connected to the Internet? Is there really to be a VPN between rtr1 and rtr2?
If the VPN will terminate on rtr2 on an interface and try to use a secondary address on that interface to terminate the VPN I do not believe that it will work.
I am also puzzled how 1.1.1.1 would be primary on rtr1 and 1.1.1.2 would be secondary on rtr2. What is primary on rtr2? It is an accepted best practice with secondary addressing that all routers on the segment/subnet should use the same subnet for the primary address.
Perhaps you can help me understand this better?
HTH
Rick
03-12-2008 01:18 PM
Rick,
There is no VPN between rtr1 and rtr2. The VPN is from rtr1 over the Internet to the client location.
The primary IP on rtr2 is 2.2.2.2, with 1.1.1.2 as secondary.
03-12-2008 01:45 PM
Thanks for the clarification. Will configure and get back to you.
03-12-2008 02:40 PM
It worked. It was some routing issue and it got resolved.
Thanks a ton.
03-13-2008 05:33 AM
Sai
Thank you for posting back that you have resolved the issue. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read a solution to the problem.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick