1941 ADSL failover to 3G HWIC with IPSEC VPN - DDNS -- IP SLA

cco4mike1 · ‎07-23-2012

The setup is a S2S VPN with failover to 3G HWIC in a Cisco 1941 however the IPSEC tunnel needs to remain up through 3G if ADSL fails.

The failover works ok, however when plugging ADSL back in, the - "sh crypto session" shows both dialer 0, and dialer 1 with the crypto map session to the other side of the VPN and either side is now not pingable.

The NoIP DDNS updater client runs on a server in the network and all IP resolution to host1,host2 works ok

(other side of VPN is Cisco 1921 with ADSL HWIC and 3G HWIC)

Any assistance would be greatly appreciated-

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname LAB

!

boot-start-marker

boot-end-marker

!

logging buffered 16000

!

no aaa new-model

!

memory-size iomem 10

!

no ipv6 cef

no ip source-route

ip cef

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.20.1

!

ip dhcp pool LAN_POOL

network 10.10.20.0 255.255.255.0

default-router 10.10.20.1

dns-server 8.8.8.8

!

no ip bootp server

ip domain name host1.hopto.org

ip name-server 8.8.8.8

!

multilink bundle-name authenticated

!

chat-script extranet "" ATDT*98*1#" TIMEOUT 30 CONNECT

!

username xxxxxxxx privilege 15 secret xxxxxxxxxxx

!

redundancy

!

ip ssh version 2

!

track 234 ip sla 1 reachability

delay down 5 up 5

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxxx hostname host2.hopto.org

crypto isakmp profile IPSEC_PROFILE

keyring default

self-identity fqdn host1.hopto.org

match identity host host2.hopto.org

initiate mode aggressive

!

crypto ipsec transform-set site2site esp-3des esp-sha-hmac

!

crypto map VPN-Network 1 ipsec-isakmp

description Tunnel to xxxxx

set peer host2.hopto.org dynamic

set transform-set site2site

set isakmp-profile IPSEC_PROFILE

match address 100

!

interface GigabitEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface GigabitEthernet0/1

ip address 10.10.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface ATM0/0/0

bandwidth 20000

no ip address

load-interval 30

no atm ilmi-keepalive

!

hold-queue 224 in

!

interface ATM0/0/0.1 point-to-point

pvc 8/35

encapsulation aal5mux ppp dialer

dialer pool-member 2

!

interface Cellular0/1/0

no ip address

ip nat outside

ip virtual-reassembly

encapsulation ppp

load-interval 60

dialer in-band

dialer pool-member 1

async mode interactive

no fair-queue

!

interface Dialer0

description Primary ADSL Link

ip address negotiated

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly

encapsulation ppp

no ip route-cache cef

dialer pool 2

ppp authentication chap callin

ppp chap hostname xxxxxxx

ppp chap password xxxxxxx

no cdp enable

crypto map VPN-Network

!

interface Dialer1

description 3G BACKUP LINK

ip address negotiated

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer string extranet

dialer persistent

ppp authentication chap callin

ppp chap hostname xxxxxx

ppp chap password xxxxxx

no fair-queue

no cdp enable

crypto map VPN-Network

!

ip local policy route-map track-primary-if

ip forward-protocol nd

!

ip http server

ip http access-class 22

ip http authentication local

ip http secure-server

ip http timeout-policy idle 5 life 86400 requests 10000

!

ip nat inside source route-map nat2cell interface Dialer1 overload

ip nat inside source route-map nat2dsl interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0 track 234

ip route 0.0.0.0 0.0.0.0 Dialer1 200

!

ip sla 1

icmp-echo 1.1.1.1 source-interface Dialer0

frequency 5

ip sla schedule 1 life forever start-time now

!

access-list 22 permit 10.10.10.0 0.0.0.255

access-list 100 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 101 permit ip 10.10.20.0 0.0.0.255 any

access-list 110 permit icmp any host 1.1.1.1

!

no cdp run

!

route-map track-primary-if permit 10

match ip address 110

set interface Dialer0

!

route-map nat2dsl permit 10

match ip address 101

set interface Dialer0

!

route-map nat2cell permit 10

match ip address 101

match interface Dialer1

!

snmp-server community xxxxx RO

!

control-plane

!

banner login ^C

***********************************************************************

* Access to this computer system is limited to authorised users only. *

* Unauthorised users may be subject to prosecution under the Crimes *

* Act or State legislation *

* *

* Please note, ALL CUSTOMER DETAILS are confidential and must *

* not be disclosed. *

***********************************************************************

^C

!

line con 0

transport output all

line aux 0

transport output all

line 0/1/0

exec-timeout 20 0

script dialer extranet

modem InOut

no exec

transport input all

rxspeed 7200000

txspeed 2000000

line vty 0 2

access-class 22 in

exec-timeout 20 0

login local

transport input telnet

line vty 3 4

exec-timeout 20 0

login local

transport input ssh

!

scheduler max-task-time 5000

scheduler allocate 20000 1000

!

event manager applet pri_back

event track 234 state any

action 2.0 cli command "clear ip nat trans forced"

!

end

cadet alain · ‎07-23-2012

Hi,

Is this a typo ?

route-map nat2dsl permit 10

match ip address 101

set interface Dialer0

Regards.

Alain.

Don't forget to rate helpful posts.

cco4mike1 · ‎07-24-2012

Gee, I hope that was all it was, I'll test and let you know. I think you're referring to the "route-map nat2cell permit 10" and not the "route-map nat2dsl permit 10" however? The "match" is incorrect.

cco4mike1 · ‎07-25-2012

On second thoughts, which logic is correct?

route-map nat2dsl permit 10

match ip address 101

match interface Dialer0

or

route-map nat2dsl permit 10

match ip address 101

set interface Dialer0

cadet alain · ‎07-25-2012

Hi,

if the route-map is used for NAT then the correct statement is match because the set command is use for example in PBR.

Regards

Alain

Don't forget to rate helpful posts.

cco4mike1 · ‎08-13-2012

Right!

Ok that part, ie the 3G failover appears ok however, even what applying Dynamic DNS config to the router, the best I can time is a 3 minute failover before the VPN tunnel kicks back in if either side drops.

DDNS added as follows (names changed)-

ip ddns update method mymethod

HTTP

add http://USER:PASSWORD@dynupdate.no-ip.com/nic/update?hostname=HOST1.HOPTO.ORG&myip=PASSWORD@dynupdate.no-ip.com/nic/update?hostname=HOST1.HOPTO.ORG&myip=

interval maximum 2 0 0 0

int d0

ip ddns update hostname host1.hopto.org

ip ddns update mymethod

int d1

ip ddns update hostname host1.hopto.org

ip ddns update mymethod

When failover to 3G occurs and when host1.hopto.org is then pingable again from the internet (using 3G), the VPN tunnel still takes a long time to re-establish, however it does work.

Can the IPSEC timers be set more aggressively?

"keepalive 10 retry 2" has already been added under "crypto iakmp profile IPVAS_PROFILE"

"clearing crypto session" on BOTH sides solves problem immediately and VPN comes up but otherwise it will take around 3-3.5 mins.

Any help will be appreciated.