Can I weight the IPSec tunnels between ASAs?
Hello
Remote site: NYC internet link, 150 MB/s
Local site: Baltimore internet link, 400 MB/s
Backup site: Washington internet link, 200 Mb/s
My main site and my backup site are connected via a gigabit Ethernet circuit between the respective site switches. Each site has its own internet connection, and my OSPF lets traffic switch to the backup site if the main site is down. We are opening an office in New York with a single ASA connected to a 150 Mbps FIOS internet circuit. We want to set up an IPSec tunnel to the main site and a backup to the remote site, but want the remote site to prefer the Baltimore tunnel unless it is down.
Interesting traffic would be the same for both tunnels.
I know that the ASA cannot be a GRE endpoint. How can I force the New York traffic through the Baltimore tunnel as long as it is up? Can an IPSec tunnel be weighted?
Thank you
It is not weighting as such, but you can configure up to 10 backup LAN-to-LAN IPsec VPN peers.
For each tunnel, the security appliance tries to negotiate with the first peer in the list. If that peer does not respond, the security appliance works its way down the list until a peer responds or there are no more peers in the list.
Tags: Cisco Security
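A concrete form of the ordered peer list described in the answer, as an added example that is not part of the original thread. The addresses (198.51.100.10 for the Baltimore ASA, 203.0.113.20 for the Washington ASA, 10.3.0.0/16 and 10.1.0.0/16 for the LANs), names and pre-shared-key placeholders are constructed; this is the New York ASA side only.

```cisco
! Added example, not from the thread. Addresses are constructed (RFC 5737 space).
! New York ASA: Baltimore is tried first; Washington only if Baltimore does not answer.
access-list NYC-TO-HQ extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set NYC-TS esp-aes-256 esp-sha-hmac
!
! Ordered peer list: the first responding peer wins; one crypto ACL covers both,
! since the interesting traffic is the same for either tunnel.
crypto map NYC-MAP 10 match address NYC-TO-HQ
crypto map NYC-MAP 10 set peer 198.51.100.10 203.0.113.20
crypto map NYC-MAP 10 set ikev1 transform-set NYC-TS
crypto map NYC-MAP interface outside
!
! One tunnel-group per peer so each site keeps its own pre-shared key.
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <BALTIMORE-PSK>
 ! DPD so a dead Baltimore peer is detected instead of waiting for SA expiry
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key <WASHINGTON-PSK>
 isakmp keepalive threshold 10 retry 2
```

Failback is not automatic: while the Washington SA is up the ASA keeps using it, and the list is walked again from the top only when a new SA has to be negotiated (after the backup SA expires or is cleared).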
Similar Questions
-
NAT in the IPSec tunnel between 2 x IOS routers (877)
Hi all
We have a customer with 2 x 877 routers connected to the internet. These routers are configured with an IPSec tunnel (which works fine). The problem is the inbound static NAT translations combined with the tunnel - port 25 is mapped to the inside address of the mail server. The existing configuration works fine for incoming mail, but prevents users from accessing the mail server directly (using the private IP address) on port 25.
Here is the NAT config (the public addresses were removed; <public-ip> marks where they were):
ip nat pool INET_POOL <start-ip> <end-ip> netmask 255.255.255.252
ip nat inside source route-map INET_NAT pool INET_POOL overload
ip nat inside source static tcp 10.10.0.8 25 <public-ip> 25 extendable
ip nat inside source static tcp 10.10.0.8 80 <public-ip> 80 extendable
ip nat inside source static tcp 10.10.0.8 443 <public-ip> 443 extendable
ip nat inside source static tcp 10.10.0.7 1433 <public-ip> 1433 extendable
ip nat inside source static tcp 10.10.0.7 3389 <public-ip> 3389 extendable
route-map INET_NAT permit 1
 match ip address 101
access-list 101 deny ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
On the ASA I would set up a NAT exemption, but how do I get the same thing in IOS?
Cheers,
Luke
Take a look at this link:
http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t4/feature/guide/ftnatrt.html
Regards,
Farrukh
-
Creating an IPsec tunnel using digital certificates
Hello
I am trying to bring up an IPSEC tunnel between 2 Cisco 3800 routers, using an additional 3800 router as a CA server.
Before I added the CA server everything went smoothly.
Attached is my configuration, plus the debug output from the CA server and router configuration.
It seems that the routers do not receive the certificate from the CA router (R3), because I see the certificate is in pending status:
R3#
R3#show crypto pki certificates cisco verbose
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=cisco1.cisco.com l\=RTP c\=US
  Subject:
    cn=cisco1.cisco.com l\=RTP c\=US
  Validity Date:
    start date: 10:12:13 UTC Sep 8 2013
    end   date: 10:12:13 UTC Sep 7 2016
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
  Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 56F091F7 7016A63F B8946900 B13E6719 8B0D548E
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 56F091F7 7016A63F B8946900 B13E6719 8B0D548E
    Authority Info Access:
  Associated Trustpoints: cisco
  Storage: nvram:cisco1ciscoc#4CA.cer
R3#
I appreciate your support and will send additional evidence if necessary.
TX
Roee
I didn't look at your configuration, but according to your description it seems that you have not approved the certificate requests pending on your CA router. Here are the commands that you need:
To view the pending requests:
crypto pki server CA info requests
To grant the pending requests:
crypto pki server CA grant all
-
Problem establishing a GRE/IPsec tunnel between 2 Cisco routers
Hello world
I am trying to establish a GRE/IPsec tunnel between two Cisco routers (a 2620XM and an 836).
I created a tunnel interface on both routers as follows.
2620XM
interface Tunnel0
 ip address 10.1.5.2 255.255.255.252
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
end
836
interface Tunnel0
 ip address 10.1.5.1 255.255.255.252
 tunnel source y.y.y.y
 tunnel destination x.x.x.x
end
and the isakmp/ipsec configuration as follows,
2620XM
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {keys} address y.y.y.y no-xauth
!
!
crypto ipsec transform-set to_melissia esp-<cipher> esp-md5-hmac
!
crypto map myvpn 9 ipsec-isakmp
 set peer y.y.y.y
 set transform-set to_melissia
 match address 101
2620XM-router#sh ip access-list 101
Extended IP access list 101
    10 permit gre host x.x.x.x host y.y.y.y
836
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {keys} address x.x.x.x no-xauth
!
!
crypto ipsec transform-set to_metamorfosi esp-<cipher> esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set to_metamorfosi
 match address 101
836-router#sh ip access-list 101
Extended IP access list 101
    10 permit gre host x.x.x.x host y.y.y.y
Unfortunately I have no isakmp security associations at all, and when I enable debugging I get this output:
CRYPTO: IPSEC(crypto_map_check_encrypt_core): CRYPTO: dropped packet as cryptomap is currently being created.
Any ideas why I get this result? Any help would be greatly appreciated.
Thank you!!!
I think it's possible. It seems to me that you are assuming that the address of the interface where the crypto map is applied is the peering address. While this is the default behavior, it is possible to configure it differently.
As you have discovered, the crypto map must be on the physical outgoing interface. If you want the peering address to be different from the address of the outgoing physical interface, then you can add this command to your crypto map:
crypto map <map-name> local-address <interface-id>
So if you put loopback0 as the interface-id, it would use loopback0 as the peering address even if the crypto map is applied on serial0/0 or another physical interface.
HTH
Rick
-
Can I use private IP addresses from a remote network as source IPs while building the IPSec tunnel? If not, why? If so, how?
Your explanation would be much appreciated.
Hi Deepak,
In such a situation, you usually NAT the traffic that goes to the internet but exempt the traffic that goes through the VPN, because it will be wrapped in packets with public (tunnel) IP addresses. You can use the same IP address on your internet-facing interface both for NAT/PAT and as the IPSEC tunnel source.
-
IPSec tunnel between a mobility client connection and a WRV200
Has anyone set up an IPSec tunnel between a mobility client connection and a WRV200? I can't get the configuration right.
Unfortunately, these products are handled by the Cisco Small Business support community. Please refer to the URL: https://supportforums.cisco.com/community/netpro/small-business
-
IPSec Tunnel between Cisco 2801 and Netscreen 50 with static NAT
Hello
My problem isn't really the IPSec connection between the two devices (that is already done...). My problem is that I have a mail server on the Cisco site which has a static NAT from inside to outside. Due to the static NAT, I do not see the server through the VPN tunnel. I found a document that almost describes the problem:
"Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static" (Document ID 14144)
NAT takes place before the crypto check!
In this document, the solution is policy routing using a loopback interface. But how can I handle this with the Netscreen firewall? Does anyone have an idea?
Thanks for any help
Best regards
Heiko
Hello
Try changing your static NAT to a policy-based static NAT.
That is, the static NAT should not apply to the VPN traffic:
route-map static permit 1
 match ip address 104
access-list 104 deny ip host 10.1.110.10 10.1.0.0 0.0.255.255
access-list 104 permit ip host 10.1.110.10 any
ip nat inside source static 10.1.110.10 81.222.33.90 route-map static
HTH
Kind regards
GE.
-
Static IPsec tunnel over public addresses between two Cisco routers [VRF aware]
Hi all
I am trying to configure a static IPsec tunnel between two routers. Router R1 has only the global routing table [no VRF].
Router R2 has two routing tables:
* vrf INET - used for internet connectivity
* global routing table - used for VPN connections
Here are the basic configs:
R1
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTECTION
 set transform-set TRSET_AES-256_SHA
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 ip address 192.168.255.34 255.255.255.252
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 203.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUNNEL-IPSEC-PROTECTION
!
interface FastEthernet0/0
 ip address 102.0.0.1 255.255.255.0
!
ip route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2
#######################################################
R2
ip vrf INET
 rd 1:1
!
crypto keyring test vrf INET
 pre-shared-key address 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile test
 keyring test
 match identity address 102.0.0.1 255.255.255.255
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTECTION
 set transform-set TRSET_AES-256_SHA
 set isakmp-profile test
!
interface Loopback0
 ip address 10.0.2.2 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 ip address 192.168.255.33 255.255.255.252
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 102.0.0.1
 tunnel mode ipsec ipv4
 tunnel vrf INET
 tunnel protection ipsec profile TUNNEL-IPSEC-PROTECTION
!
interface FastEthernet0/0
 ip vrf forwarding INET
 ip address 203.0.0.3 255.255.255.0
!
ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
#######################################################
There is a router between R1 and R2; it is used only for connectivity:
interface FastEthernet0/0
 ip address 102.0.0.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 203.0.0.2 255.255.255.0
The problem is that the tunnel is not coming up; I can't get past phase I.
IPsec VPNs are not my strong point, so if someone could show me what mistake I am making, I'd really appreciate it.
I have attached the output of "debug crypto isakmp" on R2.
The Tunnel0 source and destination belong to VRF INET, so the static route needs to be updated:
ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
crypto isakmp profile test
 vrf INET
 keyring test
 match identity address 102.0.0.1 255.255.255.255
-
IPSec tunnels between duplicate LAN subnets
Hi all
Please help us connect three sites; our Central site has all the resources for users, including internet access.
All three sites will have an ASA 5505 as their WAN device.
We need to know whether it is possible to configure an IPsec tunnel between the three ASAs with duplicate LAN subnets.
Central site: two networks, 192.168.1.x /24 and 192.168.100.x /24
Remote one: subnet 192.168.1.x /24
Remote two: subnet 192.168.100.x /24
If it is possible, we also need to hairpin remote one and remote two through the Central Site for internet access; whatever the sites need is on the Central Site, including e-mail, network and other resources, file records too.
We have no other way to build this network, as all security is at our Central Site: website filtering, application filtering, all network traffic filtering.
We understand that we could change the two remote sites to a different subnet from the Central Site, but we have so many host devices that it would take weeks or months, plus changing the MS AD domain for all users and servers too.
We really need your expertise to do this in a lab and then in production.
Thank you
Hello Stephen,
You can check the following links for overlapping subnets talking to each other:
1. LAN-to-LAN IPsec VPN with overlapping networks
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
2. IPsec between two IOS routers with overlapping private networks
http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
The important point is that the local network must reach the remote network via the translated addresses.
For example, you won't be able to use the real IPs for the communication.
For hairpinning or U-turn traffic:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
Hope that helps.
Kind regards
Dinesh Moudgil
-
Outgoing PAT to the IPSec Tunnel
Hello
The situation is a tunnel to a 3rd party's private IP range, where the 3rd party already uses the same private range as us, but not for any of the hosts that we need to connect to. All traffic from the office to the 3rd party must be secured.
We want to configure an IPSec tunnel between the two sites (easy) and then use PAT on the office PIX (6.3(5)) to make all office traffic appear as a single, different private address.
We tried to do it with PDM, but it insists on having either no NAT (with an exemption rule) or static NAT, and does not seem to allow PAT.
I have attached a sanitized copy of the office configuration. Standard PIX items have been removed for brevity.
I would like constructive guidance on where I'm going wrong.
Cheers
Hello
The PIX/ASA performs NAT translation in the order below. First it checks whether a no-NAT (nat 0) is configured, then it checks the static NAT translations, and finally it checks the PAT translation.
In your configuration there is a nat (0) command saying not to translate any IP of 192.168.0.0 going to the remote IP range, so the PIX does not do the translation and the packet is passed on to the destination.
Remove the nat (0) command and edit the access-list outside_cryptomap_10 with the source IP and the remote IP range, as this access list defines the interesting traffic that needs to be encrypted.
Please check and revert back.
-
IPSEC tunnel between 2 7606 PE
I am creating an IPSec tunnel between two 7606 PE routers... I get this error when I ping across, and if I start using it the LDP path goes down.
Nov 12 16:32:22.801 IS: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.10.135.1, remote= 10.10.135.2,
    local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)
Nov 12 16:32:22.801 IS: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.10.135.1, remote= 10.10.135.2,
    local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 190s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Nov 12 16:32:22.801 IS: ISAKMP:(0): SA request profile is test
Nov 12 16:32:22.801 IS: ISAKMP: Created a peer struct for 10.10.135.2, peer port 500
Nov 12 16:32:22.801 IS: ISAKMP: New peer created peer = 0x5326A08C peer_handle = 0x8000001A
Nov 12 16:32:22.801 IS: ISAKMP: Locking peer struct 0x5326A08C, refcount 1 for isakmp_initiator
Nov 12 16:32:22.801 IS: ISAKMP: local port 500, remote port 500
Nov 12 16:32:22.801 IS: ISAKMP: Unable to allocate IKE SA
Nov 12 16:32:22.801 IS: ISAKMP: Unlocking peer struct 0x5326A08C for isadb_unlock_peer_delete_sa(), count 0
Nov 12 16:32:22.801 IS: ISAKMP: Deleting peer node by peer_reap for 10.10.135.2: 5326A08C
Nov 12 16:32:22.801 IS: ISAKMP:(0):purging SA., sa=0, delme=532E8364
PE2#
Nov 12 16:32:22.801 IS: ISAKMP: Error while processing SA request: Failed to initialize SA
Nov 12 16:32:22.801 IS: ISAKMP: Error while processing KMI message 0, error 2.
Nov 12 16:32:22.801 IS: IPSEC(key_engine): got a queue event with 1 KMI message(s)
PE2#
Nov 12 16:32:52.801 IS: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.10.135.1, remote= 10.10.135.2,
    local_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)
IPsec is not supported on the 6500 and 7600 series without an IPsec module (IPsec-SPA or VPNSM), sorry.
-
Problem with IPsec VPN between ASA and Cisco router - ping gets no response
Hello
I don't know why the IPsec VPN does not work. This is my setup (IPsec VPN between the ASA and R2):
My network topology:
LAN 1 connected to ASA-1 (inside LAN)
PC - 10.0.1.3 255.255.255.0, gateway 10.0.1.1
ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0
-----------------------------------------------------------------
ASA-1 connected to R1 (outside LAN)
ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252
R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252
---------------------------------------------------------------------
R1 connected to R2
R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252
R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252
--------------------------------------------------------------------
R2 connected to LAN 2
R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0
PC - 10.0.2.3 255.255.255.0, gateway 10.0.2.1
ASA configuration:
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.30.1.2 255.255.255.252
 no shutdown
route outside 0.0.0.0 0.0.0.0 172.30.1.1
------------------------------------------------------------
access-list LAN1-to-LAN2 extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
object network obj-local
 subnet 10.0.1.0 255.255.255.0
object network obj-remote
 subnet 10.0.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp
-----------------------------------------------------------
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
crypto ikev1 enable outside
crypto isakmp identity address
------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
crypto ipsec ikev1 transform-set ASA1TS esp-aes-192 esp-sha-hmac
-------------------------------------------------------------
crypto map ASA1VPN 10 match address LAN1-to-LAN2
crypto map ASA1VPN 10 set peer 172.30.2.2
crypto map ASA1VPN 10 set ikev1 transform-set ASA1TS
crypto map ASA1VPN 10 set security-association lifetime seconds 3600
crypto map ASA1VPN interface outside
R2 configuration:
interface FastEthernet0/0
 ip address 10.0.2.1 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 172.30.2.2 255.255.255.252
 no shutdown
-----------------------------------------------------
router rip
 version 2
 network 10.0.2.0
 network 172.30.2.0
------------------------------------------------------
access-list 102 permit ahp host 172.30.1.2 host 172.30.2.2
access-list 102 permit esp host 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface FastEthernet0/1
 ip access-group 102 in
------------------------------------------------------
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 42300
------------------------------------------------------
crypto isakmp key cisco123 address 172.30.1.2
-----------------------------------------------------
crypto ipsec transform-set R2TS esp-aes 128
------------------------------------------------------
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
------------------------------------------------------
crypto map R2VPN 10 ipsec-isakmp
 match address 101
 set peer 172.30.1.2
 set pfs group1
 set transform-set R2TS
 set security-association lifetime seconds 86400
interface FastEthernet0/1
 crypto map R2VPN
I don't know what the problem is.
Thank you
If RIP is not absolutely necessary for you, try adding a default route on R2:
ip route 0.0.0.0 0.0.0.0 172.16.2.1
If you really want to use RIP, add a permit to ACL 102:
access-list 102 permit udp any any eq 520
-
ASA 5505 - I can't create an IPSEC VPN between two ASA 5505s
Hello
I have two ASA 5505s with the base license and I'm trying to create an IPSEC VPN using the CLI. Here are the steps I did:
1. Configure ASA-1 (hostname, vlan 1 and vlan 2).
2. Configure a static route.
3. Create the network objects (local and remote).
4. Create the access list.
5. Create the ikev1 crypto configuration.
6. Create the tunnel-group.
7. Configure NAT.
and I repeated the steps above on the other ASA with different IPs.
Are the above steps correct?
Why can't I create an IPSEC VPN between the devices?
No, you needn't. The ASA configuration is ok. Packet-tracer proved it. I think it may be a problem on the hosts. Please check the firewall on the PC and try disabling it, if it is running.
-
IPSec tunnel between 2 routers
Hello
I am trying to configure an IPSec VPN tunnel between 2 Cisco routers connected to the internet via the ATM interface; my router is an 1841 with network address 10.200.36.0, and the remote router is a Cisco 877 with network address 192.168.9.0.
I have tried to follow some tutorials, unsuccessfully, because I still can't ping any IP address on the remote network and the VPN tunnel is also not up!
Could you please give me a configuration template, or maybe let me know step by step how to configure my router and the remote router?
Thank you very much!
Regards
Riccardo
Here is an example. x.x.x.x and y.y.y.y are the public IPs of the routers:
hostname ROUTER1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key cisco1234 address y.y.y.y
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile TunnelProfile
 set transform-set ESP-AES256-SHA1
!
interface Tunnel0
 ip address 10.255.255.0 255.255.255.254
 tunnel source Dialer0
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TunnelProfile
!
interface Dialer0
 ip address x.x.x.x
!
ip route 192.168.9.0 255.255.255.0 Tunnel0
hostname ROUTER2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key cisco1234 address x.x.x.x
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile TunnelProfile
 set transform-set ESP-AES256-SHA1
!
interface Tunnel0
 ip address 10.255.255.1 255.255.255.254
 tunnel source Dialer0
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TunnelProfile
!
interface Dialer0
 ip address y.y.y.y
!
ip route 10.200.36.0 255.255.255.0 Tunnel0
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
-
Double IPSec tunnel between routers
I am facing the following challenge:
I have two routers and want to build two IPSec-encapsulated tunnels between them, using VTI tunnel interfaces.
The two tunnel interfaces would in that case have the same source and destination IP addresses.
With a single tunnel interface defined it works well; however, as soon as the second tunnel interface is defined, the first one goes down.
Here is an example configuration:
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 10.1.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprofile
!
interface Tunnel1
 ip address 192.168.1.5 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 10.1.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprofile
!
In fact, the matter is more a conceptual issue than a direct one. What is the root cause of this type of configuration not working?
The ESP protocol distinguishes between ESP SAs on the endpoints based on the SPI identifier as well, doesn't it? If so, what is wrong here?
Thanks in advance...
Hi Frank,.
As a general rule, you cannot have two tunnel interfaces with the same tunnel source (Serial1/0) and tunnel destination (10.1.1.6) and the same tunnel mode (ipv4).
The workaround would be to source one of the tunnels from a loopback interface.
That is, tunnel 1: tunnel_interface_1 --- Serial1/0 --- internet --- 10.1.1.6
and tunnel 2: tunnel_interface_2 --- loopback --- Serial1/0 --- internet --- 10.1.1.6
In this way the two tunnels can be up at the same time.
I hope this helps.
-Shrikant
P.S.: Please check question one answer, if it has been resolved. Note the useful messages. Thank you.
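The loopback workaround from the answer written out for both ends, as an added example that is not part of the original thread. The addresses are constructed on top of Frank's config: router A has 10.1.1.2 on Serial1/0 and a new Loopback0 10.1.1.250/32, router B is the 10.1.1.6 peer; <psk> and <next-hop-toward-A> are placeholders, and the profile name ipsecprofile is reused from the thread.

```cisco
! Added example, not from the thread. Addresses are constructed.
! Sourcing the second VTI from a loopback gives it a different source/destination
! pair (10.1.1.250 -> 10.1.1.6), so the two IPsec SAs no longer collide.
!
! --- Router A (Serial1/0 = 10.1.1.2) ---
interface Loopback0
 ip address 10.1.1.250 255.255.255.255
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 10.1.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprofile
!
interface Tunnel1
 ip address 192.168.1.5 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.1.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprofile
!
! --- Router B (Serial1/0 = 10.1.1.6) ---
! The second tunnel's peer is now the loopback, so B needs a key for it, a route
! to it, and Tunnel1 must point at 10.1.1.250 rather than 10.1.1.2.
crypto isakmp key <psk> address 10.1.1.2
crypto isakmp key <psk> address 10.1.1.250
ip route 10.1.1.250 255.255.255.255 <next-hop-toward-A>
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 10.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprofile
!
interface Tunnel1
 ip address 192.168.1.6 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 10.1.1.250
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprofile
```

On router B the two tunnels may share Serial1/0 as source because their destinations now differ; the loopback on A must be reachable from B over the underlay, or phase 1 for Tunnel1 will never start.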