I can weight of the IPSec Tunnels between ASAs

Hello

Remote site: link internet NYC 150 MB/s

Local site: link internet Baltimore 400 MB/s

Backup site: link internet Washington 200 Mb/s

My main site and my backup site are connected via a gigabit Ethernet circuit between the respective base site switches.  Each site has its own internet connection and my OSPF allows to switch their traffic to the backup site if the main website is down.  We are opening an office in New York with one ASA unique connected to 150 Mbps FIOS internet circuit.  We want to set up an IPSec tunnel on the main site and the backup on the remote site, but want the remote site to prefer the tunnel in Baltimore, except if it is down.

Interesting traffic would be the same for the two tunnels

I know that ASA cannot be a GRE endpoint.  How can I force the New York traffic through the tunnel in Baltimore as long as it works?  An IPSec tunnel can be weighted?

Thank you

It is not in itself weighting, but you can create up to 10 backup over LAN to LAN VPN IPsec peers.

For each tunnel, the security apparatus tried to negotiate with the first peer in the list. If this peer does not respond, the security apparatus made his way to the bottom of the list until a peer responds, or there is no peer more in the list.

Reference.

Tags: Cisco Security

Similar Questions

  • NAT in the IPSec tunnel between 2 routers x IOS (877)

    Hi all

    We have a customer with 2 x 877 routers connected to the internet. These routers are configured with an IPSec tunnel (which works fine). The question is the inbound static NAT translation problems with the tunnel - port 25 is mapped to the address inside the mail server. The existing configuration works very well for incoming mail, but prevents users from access to the direct mail server (using the private IP address) on port 25.

    Here is the Config NAT:

    nat INET_POOL netmask 255.255.255.252 IP pool

    IP nat inside source map route INET_NAT pool INET_POOL overload

    IP nat inside source static tcp 10.10.0.8 25 25 expandable

    IP nat inside source static tcp 10.10.0.8 80 80 extensible

    IP nat inside source static tcp 10.10.0.8 443 443 extensible

    IP nat inside source static tcp 10.10.0.7 1433 1433 extensible

    IP nat inside source static tcp 10.10.0.7 extensible 3389 3389

    allowed INET_NAT 1 route map

    corresponds to the IP 101

    access-list 101 deny ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 101 permit ip 10.10.0.0 0.0.0.255 any

    On the SAA, I would setup a NAT exemption, but how do I get the same thing in the IOS?

    See you soon,.

    Luke

    Take a look at this link:

    http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t4/feature/guide/ftnatrt.html

    Concerning

    Farrukh

  • Create the Ipsec tunnel using digital certificates

    Hello

    I try to open the IPSEC tunnel between 2 3800 of Cisco routers using additional 3800 router as a CA server.

    Before that I added the CA server all go smoothly.

    Attached is my configuration, attached debug commands from the configuration of server and router CA

    It seems that the routers does not receive the certificate of the CA (R3) router because I see the certificate is awaiting status:

    #
    R3 #.
    R3 #show cryptographic pki certificate cisco talkative
    CA
    Status: available
    Version: 3
    Certificate serial number (hex): 01
    Use of certificates: Signature
    Issuer:
    CN = cisco1. Cisco.com L\ = RTP it\ = US
    Object:
    CN = cisco1. Cisco.com L\ = RTP it\ = US
    Validity date:
    start date: 10:12:13 UTC Sep 8 2013
    end date: 10:12:13 UTC Sep 7 2016
    Subject key information:
    Public key algorithm: rsaEncryption
    RSA Public Key: (512 bits)
    Signature algorithm: MD5 with RSA encryption
    Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
    Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
    X509v3 extensions:
    X509v3 Key use: 86000000
    Digital signature
    Key Cert sign
    Signature of the CRL
    X509v3 subject Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
    X509v3 Basic Constraints:
    CA: TRUE
    X509v3 Authority Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
    Access to information the authority:
    Related Trustpoints: cisco
    Storage: nvram:cisco1ciscoc #4CA.cer

    R3 #.

    Appreciate your support and I will send additional if necessary evidence

    TX

    Roee

    I didn't look at your configuration, but accroding to your description, it seems that you have not approved the certificate requests pending on your router CA. Here are the commands that you need:

    To view the pending requests:

    information cryptographic pki server router 'CA '.

    To grant requests pending:

    Info Server 'CA' router cryptographic pki grant all

  • Problem on the establishment of a GRE/IPsec tunnel between 2 cisco routers

    Hello world

    I am trying to establish a GRE IPsec tunnel between two cisco routers (2620XM and a 836).

    I created a tunnel interfaces on both routers as follows.

    2620XM

    interface Tunnel0

    IP 10.1.5.2 255.255.255.252

    tunnel source x.x.x.x

    tunnel destination y.y.y.y

    end

    836

    interface Tunnel0

    IP 10.1.5.1 255.255.255.252

    tunnel source y.y.y.y

    tunnel destination x.x.x.x

    end

    and configuration of isakmp/ipsec as follows,

    2620XM

    crypto ISAKMP policy 10

    md5 hash

    preshared authentication

    ISAKMP crypto key {keys} address y.y.y.y no.-xauth

    !

    !

    Crypto ipsec transform-set esp - esp-md5-hmac to_melissia

    !

    myvpn 9 ipsec-isakmp crypto map

    defined peer y.y.y.y

    Set transform-set to_melissia

    match address 101

    2620XM-router #sh ip access list 101

    Expand the access IP 101 list

    10 permit host x.x.x.x y.y.y.y host will

    836

    crypto ISAKMP policy 10

    md5 hash

    preshared authentication

    ISAKMP crypto key {keys} address x.x.x.x No.-xauth

    !

    !

    Crypto ipsec transform-set esp - esp-md5-hmac to_metamorfosi

    !

    myvpn 10 ipsec-isakmp crypto map

    defined peer x.x.x.x

    Set transform-set to_metamorfosi

    match address 101

    836-router #sh access list 101

    Expand the access IP 101 list

    10 licences will host host x.x.x.x y.y.y.y

    Unfortunately I had no isakmp security associations at all and when I enter the debugging to this output.

    CRYPTO: IPSEC (crypto_map_check_encrypt_core): CRYPTO: removed package as currently being created cryptomap.

    Any ideas why I get this result? Any help will be a great help

    Thank you!!!

    I think it's possible. It seems to me that you are assuming that the address of the interface where goes the card encryption is peering address. While this is the default action, it is possible to configure it differently.

    As you have discovered the card encryption must be on the physical output interface. If you want the peering address to have a different value of the physical interface address outgoing, then you can add this command to your crypto card:

    card crypto-address

    so if you put loopback0 as the id_interface then he would use loopback0 as peering address even if the card encryption may be affected on serial0/0 or another physical interface.

    HTH

    Rick

  • Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel?

    Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel? If not why? If so, how?

    Your explanation is much appreciated.

    Hi Deepak,

    In such a situation, you usually NAT traffic that goes to the internet, but exempt traffic that goes through the VPN, because it will be wrapped in packages with public IP (tunnel) addresses. You can use the same IP address on your interface in the face of internet for the NAT/PAT and source of IPSEC Tunnel.

  • IPSec tunnel between a client connection mobility and WRV200

    Someone has set up an IPSec tunnel between a client connection mobility and WRV200? I can't get the right configuration.

    Agitation, these products are treated by the Cisco Small Business support community. Please refer to the URL: https://supportforums.cisco.com/community/netpro/small-business

  • IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

    Hello

    My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

    "Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

    NAT takes place before the encryption verification!

    In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

    Thanks for any help

    Best regards

    Heiko

    Hello

    Try to change your static NAT with static NAT based policy.

    That is to say the static NAT should not be applicable for VPN traffic

    permissible static route map 1

    corresponds to the IP 104

    access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

    access-list 104 allow the host ip 10.1.110.10 all

    IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

    HTH

    Kind regards

    GE.

  • Public static IPsec tunnel between two routers cisco [VRF aware]

    Hi all

    I am trying to configure static IPsec tunnel between two routers. Router R1 has [no VRF] only global routing table.

    Router R2 has two routing tables:

    * vrf INET - used for internet connectivity

    * global routing table - used for VPN connections

    Here are the basic configs:

    R1

    crypto ISAKMP policy 1
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    ISAKMP crypto key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
    invalid-spi-recovery crypto ISAKMP
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRSET_AES-256_SHA
    transport mode
    !
    Crypto ipsec TUNNEL-IPSEC-PROTECTION profile
    game of transformation-TRSET_AES-256_SHA
    !
    interface Loopback0
    10.0.1.1 IP address 255.255.255.255
    IP ospf 1 zone 0
    !
    interface Tunnel0
    IP 192.168.255.34 255.255.255.252
    IP ospf 1 zone 0
    source of tunnel FastEthernet0/0
    tunnel destination 203.0.0.3
    ipv4 ipsec tunnel mode
    Ipsec TUNNEL-IPSEC-PROTEC protection tunnel profile
    !
    interface FastEthernet0/0
    IP 102.0.0.1 255.255.255.0

    !

    IP route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2

    #######################################################

    R2

    IP vrf INET
    RD 1:1
    !
    Keyring cryptographic test vrf INET
    address of pre-shared-key 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
    !
    crypto ISAKMP policy 1
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    invalid-spi-recovery crypto ISAKMP
    crypto isakmp profile test
    door-key test
    function identity address 102.0.0.1 255.255.255.255
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRSET_AES-256_SHA
    transport mode
    !
    Crypto ipsec TUNNEL-IPSEC-PROTECTION profile
    game of transformation-TRSET_AES-256_SHA
    Test Set isakmp-profile
    !
    interface Loopback0
    IP 10.0.2.2 255.255.255.255
    IP ospf 1 zone 0
    !
    interface Tunnel0
    IP 192.168.255.33 255.255.255.252
    IP ospf 1 zone 0
    source of tunnel FastEthernet0/0
    tunnel destination 102.0.0.1
    ipv4 ipsec tunnel mode
    tunnel vrf INET
    Ipsec TUNNEL-IPSEC-PROTEC protection tunnel profile
    !
    interface FastEthernet0/0
    IP vrf forwarding INET
    IP 203.0.0.3 255.255.255.0

    !

    IP route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

    #######################################################

    There is a router between R1 and R2, it is used only for connectivity:

    interface FastEthernet0/0
    IP 102.0.0.2 255.255.255.0
    !
    interface FastEthernet0/1
    IP 203.0.0.2 255.255.255.0

    The problem that the tunnel is not coming, I can't pass through phase I.

    The IPsec VPN are not my strength. So if someone could show me what mistake I make, I'd appreciate it really.

    I joined ouptup #debug R2 crypto isakmp

    Source and destination Tunnel0 is belong to VRF INET, the static route need to be updated.

    IP route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

    crypto isakmp profile test

    VRF INET

    door-key test
    function identity address 102.0.0.1 255.255.255.255

  • IPSec tunnels between duplicate LAN subnets

    Hi all

    Please help to connect three sites with our Central site has all the resources for users, including internet access.

    The three sites will be the ASA 5505 like their WAN device.

    We need to know is - it possible, allowing to configure an IPsec Tunnel between the three ASA with duplicate LAN subnets.

    Central site two networks 192.168.1.x 24, 192.168.100.x 24

    Distance a 24 192.168.1.x subnet

    Two remote a subnet 192.168.100.x 24

    If it is possible we also do hair distance one ping, above two remote to the Central Site to access internet, what sites need are on the Central Site, including e-mail, network, other resource also records.

    We have no other way to make this network, as all security is on our Central Site, website filtering, Application filtering, filtering of network traffic all.

    We understand that we can change two remote sites to a different subnet from the Central Site, but we have so many host devices, it will take weeks or months, so to change the MS AD domain for all users, servers too.

    We really need your expertise to do this in a laboratory and then in production.

    Thank you

    Hello Stephen,

    You can check the following links for the subnets overlap talk to each other:-

    1 LAN-to-LAN IPsec VPN with overlapping networks

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

    2 IPsec between two IOS routers with overlapping of private networks

    http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

    Important point is local network must connect to the remote network via the translated addresses.

    for example, you won't be ablt to use real IP of the communication.

    For haripinning or turning U:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    Hope that helps.

    Kind regards

    Dinesh Moudgil

  • Outgoing PAT to the IPSec Tunnel

    Hello

    Situation is with range of IP private tunnel of 3rd party who already uses the same private beach, but not with any of the hosts that we need to connect to. All traffic from the office to the 3rd party must be secure.

    We want to configure an IPSec tunnel between the two sites (easy) and then use PAT on the PIX Office (6.3 (5)) to make all traffic office appear to be a single private address different.

    We tried to do with PDM, but it insists on having no NAT (with an exclusionary rule), or static NAT, but does not seem to allow Pat.

    I have attached a copy sanitized the office configuration. Any standard room in PIX have been removed for brevity

    I would like constructive guidance on where I'm wrong.

    See you soon

    Hello

    The PIX / ASA will make the NAT translation on the steps below. First, it will check if no no (order No. - nat) nat is configured, then it will check the static nat translation and finally, it will check the translation PAT.

    In your configuration, there is a NAT (0) command indicating not to translate any IP of 192.168.0.0 to the remote ip address range, then the PIX won't do the translation and the package is passed to the destination.

    Remove the NAT (0) command and edit list access outside_cryptomap_10 with the ip dried up to the remote ip address for this access list is responsible for interesting traffic that needs to be encrypted.

    pls control and dream of return.

  • IPSEC tunnel between 2 7606 PE

    I am creating an IPSec tunnel between two 7606 PE routers... get this error when I ping everywhere and if I start using the path descends LDP.

    12 Nov 16:32:22.801 IS: IPSEC (key_engine): request timer shot: count = 1,.

    local (identity) = 10.10.135.1, distance = 10.10.135.2.

    local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

    remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4)

    12 Nov 16:32:22.801 IS: IPSEC (sa_request):,.

    (Eng. msg key.) Local OUTGOING = 10.10.135.1, distance = 10.10.135.2.

    local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

    remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

    Protocol = ESP, transform = NONE (Tunnel),

    lifedur = 190 s and 4608000 Ko,.

    SPI = 0 x 0 (0), id_conn = 0, keysize = 256, flags = 0 x 0

    12 Nov 16:32:22.801 IS: ISAKMP: (0): profile of ITS application is test

    12 Nov 16:32:22.801 IS: ISAKMP: created a struct peer 10.10.135.2, peer port 500

    12 Nov 16:32:22.801 IS: ISAKMP: new position created post = 0x5326A08C peer_handle = 0x8000001A

    12 Nov 16:32:22.801 IS: ISAKMP: lock struct 0x5326A08C, refcount 1 to peer isakmp_initiator

    12 Nov 16:32:22.801 IS: ISAKMP: 500 local port, remote port 500

    12 Nov 16:32:22.801 IS: ISAKMP: impossible to allocate IKE SA

    12 Nov 16:32:22.801 IS: ISAKMP: Unlocking counterpart struct 0x5326A08C for isadb_unlock_peer_delete_sa(), count 0

    12 Nov 16:32:22.801 IS: ISAKMP: delete peer node by peer_reap for 10.10.135.2: 5326A08C

    12 Nov 16:32:22.801 IS: ISAKMP: (0): purge SA., his = 0, delme = 532E8364

    PE2 #.

    12 Nov 16:32:22.801 IS: ISAKMP: error during the processing of HIS application: failed to initialize SA

    12 Nov 16:32:22.801 IS: ISAKMP: error while processing message KMI 0, error 2.

    12 Nov 16:32:22.801 IS: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

    PE2 #.

    12 Nov 16:32:52.801 IS: IPSEC (key_engine): request timer shot: count = 2,.

    local (identity) = 10.10.135.1, distance = 10.10.135.2.

    local_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4),

    remote_proxy = 10.10.0.0/255.255.0.0/0/0 (type = 4)

    IPsec only is not supported on the 6500 and 7600 without module series IPsec (IPsec-SPA or VPNSM), sorry.

  • Problem with IPsec VPN between ASA and router Cisco - ping is not response

    Hello

    I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

    my network topology data:

    LAN 1 connect ASA - 1 (inside the LAN)

    PC - 10.0.1.3 255.255.255.0 10.0.1.1

    ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

    -----------------------------------------------------------------

    ASA - 1 Connect (LAN outide) R1

    ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

    R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

    ---------------------------------------------------------------------

    R1 R2 to connect

    R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

    R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

    R2 for lan connection 2

    --------------------------------------------------------------------

    R2 to connect LAN2

    R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

    PC - 10.0.2.3 255.255.255.0 10.0.2.1

    ASA configuration:

    1 GigabitEthernet interface
    nameif inside
    security-level 100
    IP 10.0.1.1 255.255.255.0
    no downtime
    interface GigabitEthernet 0
    nameif outside
    security-level 0
    IP 172.30.1.2 255.255.255.252
    no downtime
    Route outside 0.0.0.0 0.0.0.0 172.30.1.1

    ------------------------------------------------------------

    access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
    object obj LAN
    subnet 10.0.1.0 255.255.255.0
    object obj remote network
    10.0.2.0 subnet 255.255.255.0
    NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

    -----------------------------------------------------------
    IKEv1 crypto policy 10
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 3600
    Crypto ikev1 allow outside
    crypto isakmp identity address

    ------------------------------------------------------------
    tunnel-group 172.30.2.2 type ipsec-l2l
    tunnel-group 172.30.2.2 ipsec-attributes
    IKEv1 pre-shared-key cisco123
    Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

    -------------------------------------------------------------
    card crypto ASA1VPN 10 is the LAN1 to LAN2 address
    card crypto ASA1VPN 10 set peer 172.30.2.2
    card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
    card crypto ASA1VPN set 10 security-association life seconds 3600
    ASA1VPN interface card crypto outside

    R2 configuration:

    interface fastEthernet 0/0
    IP 10.0.2.1 255.255.255.0
    no downtime
    interface fastEthernet 0/1
    IP 172.30.2.2 255.255.255.252
    no downtime

    -----------------------------------------------------

    router RIP
    version 2
    Network 10.0.2.0
    network 172.30.2.0

    ------------------------------------------------------
    access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
    access-list 102 permit esp 172.30.1.2 host 172.30.2.2
    access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
    interface fastEthernet 0/1
    IP access-group 102 to

    ------------------------------------------------------
    crypto ISAKMP policy 110
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 42300

    ------------------------------------------------------
    ISAKMP crypto key cisco123 address 172.30.1.2

    -----------------------------------------------------
    Crypto ipsec transform-set esp - aes 128 R2TS

    ------------------------------------------------------

    access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

    ------------------------------------------------------

    R2VPN 10 ipsec-isakmp crypto map
    match address 101
    defined by peer 172.30.1.2
    PFS Group1 Set
    R2TS transformation game
    86400 seconds, life of security association set
    interface fastEthernet 0/1
    card crypto R2VPN

    I don't know what the problem

    Thank you

    If the RIP is not absolutely necessary for you, try adding the default route to R2:

    IP route 0.0.0.0 0.0.0.0 172.16.2.1

    If you want to use RIP much, add permissions ACL 102:

    access-list 102 permit udp any any eq 520

  • ASA 5505 - I can't create an IPSEC VPN between two ASA 5505

    Hello

    I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did:

    1 Configure ASA-1 (host name, vlan 1 and vlan 2).

    2. configure a static route

    3. create object network (local and remote)

    4. create the access list

    5. create ikev1 crypto

    6. create tunnel-group

    7 Configure nat

    and I repeat the steps above with the ASA but another change IP.

    Are to correct the above steps?

    Why can I not create an IPSEC VPN between devices?.

    No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running.

  • IPSec tunnel between 2 routers

    Hello

    I am trying to configure an IPSec VPN tunnel between 2 routers Cisco, connected to the internet via the ATM interface, my router is a 1841 with the network 10.200.36.0 address the remote router is a Cisco network 192.168.9.0 address with 877.

    I have tryied to follow some tutorials, unsuccessfully, because I can't always ping all IP addresses on the remote network and also the VPN tunnel is not up!

    Can help you please give me a configuration model, or maybe let me know how to configure step by step on mine and remote router?

    Thank you very much!

    Concerning

    Riccardo

    Here is an example. x.x.x.x and y.y.y.y are the public IPs of routers:

    ROUTER1 hostname

    !

    crypto ISAKMP policy 10

    BA aes 256

    AUTH pre

    Group 5

    !

    ISAKMP crypto key cisco1234 address y.y.y.y

    !

    Crypto ipsec transform-set ESP-AES256-SHA1 esp - aes 256 esp-sha-hmac

    !

    Profile of crypto ipsec TunnelProfile

    the transform ESP-AES256-SHA1 value

    !

    interface Tunnel0

    IP 10.255.255.0 255.255.255.254

    tunnel Dialer source 0

    tunnel destination y.y.y.y

    ipv4 ipsec tunnel mode

    Tunnel TunnelProfile ipsec protection profile

    !

    interface Dialer0

    IP x.x.x.x

    !

    IP route 192.168.9.0 255.255.255.0 Tunnel0

    hostname ROUTER2

    !

    crypto ISAKMP policy 10

    BA aes 256

    AUTH pre

    Group 5

    !

    ISAKMP crypto cisco1234 key address x.x.x.x

    !

    Crypto ipsec ESP-AES256-SHA1 transform-set esp - aes 256 esp-sha-hmac

    !

    Profile of crypto ipsec TunnelProfile

    the transform ESP-AES256-SHA1 value

    !

    interface Tunnel0

    IP 10.255.255.1 255.255.255.254

    tunnel Dialer source 0

    tunnel destination x.x.x.x

    ipv4 ipsec tunnel mode

    Tunnel TunnelProfile ipsec protection profile

    !

    interface Dialer0

    IP address y.y.y.y

    !

    IP route 10.200.36.0 255.255.255.0 Tunnel0

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Double IPSec tunnel between routers

    I am facing the following challenge:

    I have two routers and want to build two IPSec encapsulated between them, with the help of ASIT tunnel interfaces.

    The interaces two tunnel would in that case the same source and destination ip addresses.

    With a single tunnel interface defined, it works well, however, as soon as the second tunnel interface is defined, the first breaks down.

    Here is an example configuration:

    interface Tunnel0
    IP 192.168.1.1 255.255.255.252
    source of tunnel Serial1/0
    tunnel destination 10.1.1.6
    ipv4 ipsec tunnel mode
    protection of ipsec profile ipsecprofile tunnel
    !
    Tunnel1 interface
    IP 192.168.1.5 255.255.255.252
    source of tunnel Serial1/0
    tunnel destination 10.1.1.6
    ipv4 ipsec tunnel mode
    protection of ipsec profile ipsecprofile tunnel
    !

    In fact, the matter is rather a conceptual issue than a direct. What is the root cause, this type of configuration does not work?

    ESP protocol is the distinction between endponits ESP SAs based on SPI identifier as well, isn't? If so, what is wrong here?

    Thanks in advance...

    Hi Frank,.

    As a general rule, you cannot have two interfaces of tunnel with the same tunnel source (series 1/0) and destinations (10.1.1.6) tunnel; with the same method (ipv4) tunel.

    The work around that would be to bounce one of the tunnels on a loopback interface.

    This tunnel 1: tunnel_interface_1 - series 1/0---internet---10.1.1.6

    and tunnel 2: tunnel_interface_2---loopback---serial1/0---internet---10.1.1.6

    In this way the two tunnels can be up at the same time.

    I hope this helps.

    -Shrikant

    P.S.: Please check question one answer, if it has been resolved. Note the useful messages. Thank you.

Maybe you are looking for