07-23-2012 11:06 PM - edited 03-04-2019 05:03 PM
The setup is an S2S VPN with failover to a 3G HWIC in a Cisco 1941; however, the IPSEC tunnel needs to remain up through 3G if ADSL fails.
The failover works OK; however, when plugging ADSL back in, "sh crypto session" shows both Dialer0 and Dialer1 with the crypto map session to the other side of the VPN, and neither side is now pingable.
The NoIP DDNS updater client runs on a server in the network, and all IP resolution to host1 and host2 works OK.
(The other side of the VPN is a Cisco 1921 with an ADSL HWIC and a 3G HWIC.)
Any assistance would be greatly appreciated.
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LAB
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
!
no aaa new-model
!
!
memory-size iomem 10
!
no ipv6 cef
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.20.1
!
ip dhcp pool LAN_POOL
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 8.8.8.8
!
!
no ip bootp server
ip domain name host1.hopto.org
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
chat-script extranet "" "ATDT*98*1#" TIMEOUT 30 CONNECT
!
!
username xxxxxxxx privilege 15 secret xxxxxxxxxxx
!
redundancy
!
!
ip ssh version 2
!
track 234 ip sla 1 reachability
delay down 5 up 5
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxx hostname host2.hopto.org
crypto isakmp profile IPSEC_PROFILE
keyring default
self-identity fqdn host1.hopto.org
match identity host host2.hopto.org
initiate mode aggressive
!
!
crypto ipsec transform-set site2site esp-3des esp-sha-hmac
!
crypto map VPN-Network 1 ipsec-isakmp
description Tunnel to xxxxx
set peer host2.hopto.org dynamic
set transform-set site2site
set isakmp-profile IPSEC_PROFILE
match address 100
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface ATM0/0/0
bandwidth 20000
no ip address
load-interval 30
no atm ilmi-keepalive
!
hold-queue 224 in
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Cellular0/1/0
no ip address
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 60
dialer in-band
dialer pool-member 1
async mode interactive
no fair-queue
!
!
interface Dialer0
description Primary ADSL Link
ip address negotiated
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
dialer pool 2
ppp authentication chap callin
ppp chap hostname xxxxxxx
ppp chap password xxxxxxx
no cdp enable
crypto map VPN-Network
!
!
interface Dialer1
description 3G BACKUP LINK
ip address negotiated
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string extranet
dialer persistent
ppp authentication chap callin
ppp chap hostname xxxxxx
ppp chap password xxxxxx
no fair-queue
no cdp enable
crypto map VPN-Network
!
!
ip local policy route-map track-primary-if
ip forward-protocol nd
!
ip http server
ip http access-class 22
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source route-map nat2cell interface Dialer1 overload
ip nat inside source route-map nat2dsl interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 234
ip route 0.0.0.0 0.0.0.0 Dialer1 200
!
ip sla 1
icmp-echo 1.1.1.1 source-interface Dialer0
frequency 5
ip sla schedule 1 life forever start-time now
!
access-list 22 permit 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
access-list 110 permit icmp any host 1.1.1.1
!
no cdp run
!
!
route-map track-primary-if permit 10
match ip address 110
set interface Dialer0
!
route-map nat2dsl permit 10
match ip address 101
set interface Dialer0
!
route-map nat2cell permit 10
match ip address 101
match interface Dialer1
!
!
snmp-server community xxxxx RO
!
control-plane
!
!
banner login ^C
***********************************************************************
* Access to this computer system is limited to authorised users only. *
* Unauthorised users may be subject to prosecution under the Crimes *
* Act or State legislation *
* *
* Please note, ALL CUSTOMER DETAILS are confidential and must *
* not be disclosed. *
***********************************************************************
^C
!
line con 0
transport output all
line aux 0
transport output all
line 0/1/0
exec-timeout 20 0
script dialer extranet
modem InOut
no exec
transport input all
rxspeed 7200000
txspeed 2000000
line vty 0 2
access-class 22 in
exec-timeout 20 0
login local
transport input telnet
line vty 3 4
exec-timeout 20 0
login local
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
event manager applet pri_back
event track 234 state any
action 2.0 cli command "clear ip nat trans forced"
!
end
07-23-2012 11:28 PM
Hi,
Is this a typo ?
route-map nat2dsl permit 10
match ip address 101
set interface Dialer0
Regards.
Alain.
Don't forget to rate helpful posts.
07-24-2012 12:04 AM
Gee, I hope that was all it was, I'll test and let you know. I think you're referring to the "route-map nat2cell permit 10" and not the "route-map nat2dsl permit 10" however? The "match" is incorrect.
07-25-2012 07:48 AM
On second thoughts, which logic is correct?
route-map nat2dsl permit 10
match ip address 101
match interface Dialer0
or
route-map nat2dsl permit 10
match ip address 101
set interface Dialer0
07-25-2012 01:40 PM
Hi,
If the route-map is used for NAT, then the correct statement is match, because the set command is used, for example, in PBR.
Regards
Alain
Don't forget to rate helpful posts.
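The point Alain makes above (a NAT route-map selects translations with match clauses, while set clauses belong to policy-based routing) is the kind of thing that is easy to check mechanically. The following is an added example, not code from this thread or from Cisco: a small Python checker that parses the posted route-map, NAT, PBR and access-list lines out of a flattened running config, flags a NAT route-map that uses "set interface" where "match interface" is needed, flags undefined numbered ACLs, and rewrites the offending set clause. The CONFIG text is a constructed excerpt of the config posted above; the checker assumes numbered ACLs and top-level (unindented or indented) IOS lines as the forum shows them.

```python
import re
from collections import defaultdict

# Constructed excerpt of the running config posted in this thread (sample input for
# the checker; names and numbers as posted, indentation flattened as on the forum).
CONFIG = """\
ip local policy route-map track-primary-if
ip nat inside source route-map nat2cell interface Dialer1 overload
ip nat inside source route-map nat2dsl interface Dialer0 overload
!
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
access-list 110 permit icmp any host 1.1.1.1
!
route-map track-primary-if permit 10
match ip address 110
set interface Dialer0
!
route-map nat2dsl permit 10
match ip address 101
set interface Dialer0
!
route-map nat2cell permit 10
match ip address 101
match interface Dialer1
"""

ROUTE_MAP_RE = re.compile(r'route-map (\S+) (permit|deny) (\d+)')


def parse_route_maps(config):
    """Return {name: [entry, ...]}; entry = {'seq', 'action', 'match': [...], 'set': [...]}."""
    maps = defaultdict(list)
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ROUTE_MAP_RE.match(line)
        if m:
            current = {'seq': int(m.group(3)), 'action': m.group(2), 'match': [], 'set': []}
            maps[m.group(1)].append(current)
        elif current is not None and line.startswith('match '):
            current['match'].append(line[len('match '):])
        elif current is not None and line.startswith('set '):
            current['set'].append(line[len('set '):])
        else:
            current = None  # '!' or any other top-level command ends the route-map block
    return dict(maps)


def nat_route_maps(config):
    """Route-maps referenced by 'ip nat inside source route-map ...'."""
    return re.findall(r'^\s*ip nat inside source route-map (\S+)', config, re.M)


def pbr_route_maps(config):
    """Route-maps referenced by 'ip policy route-map' or 'ip local policy route-map'."""
    return re.findall(r'^\s*ip (?:local )?policy route-map (\S+)', config, re.M)


def defined_acls(config):
    """Numbered access-lists that have at least one line in the config."""
    return set(re.findall(r'^\s*access-list (\d+) ', config, re.M))


def lint(config):
    """Return a list of (route-map, seq, message) findings."""
    maps = parse_route_maps(config)
    acls = defined_acls(config)
    findings = []
    for name in nat_route_maps(config):
        for e in maps.get(name, []):
            for s in e['set']:
                if s.startswith('interface '):
                    findings.append((name, e['seq'],
                                     f"NAT route-map uses 'set {s}'; NAT needs 'match {s}' (set is for PBR)"))
    for name in pbr_route_maps(config):
        for e in maps.get(name, []):
            if e['action'] == 'permit' and not e['set']:
                findings.append((name, e['seq'], "PBR route-map permit entry has no set clause"))
    for name, entries in maps.items():
        for e in entries:
            for mt in e['match']:
                m = re.match(r'ip address (\d+)$', mt)
                if m and m.group(1) not in acls:
                    findings.append((name, e['seq'], f"references undefined access-list {m.group(1)}"))
    return findings


def fix_nat_set_interface(config):
    """Rewrite 'set interface X' to 'match interface X' inside NAT route-maps only."""
    nat_names = set(nat_route_maps(config))
    out, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r'route-map (\S+) ', line)
        if m:
            current = m.group(1)
        elif not (line.startswith('match ') or line.startswith('set ')):
            current = None
        if current in nat_names and line.startswith('set interface '):
            raw = raw.replace('set interface ', 'match interface ', 1)
        out.append(raw)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for name, seq, msg in lint(CONFIG):
        print(f"route-map {name} {seq}: {msg}")
    print(fix_nat_set_interface(CONFIG))
```

Run against the posted config the checker reports only "route-map nat2dsl 10" (the "set interface Dialer0" that Alain pointed at); the PBR route-map track-primary-if keeps its set clause, which is correct there.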
08-13-2012 08:14 PM
Right!
OK, that part, i.e. the 3G failover, appears OK; however, even when applying Dynamic DNS config to the router, the best I can time is a 3-minute failover before the VPN tunnel kicks back in if either side drops.
DDNS added as follows (names changed):
ip ddns update method mymethod
HTTP
add http://USER:PASSWORD@dynupdate.no-ip.com/nic/update?hostname=HOST1.HOPTO.ORG&myip=<a>
interval maximum 2 0 0 0
int d0
ip ddns update hostname host1.hopto.org
ip ddns update mymethod
int d1
ip ddns update hostname host1.hopto.org
ip ddns update mymethod
When failover to 3G occurs and when host1.hopto.org is then pingable again from the internet (using 3G), the VPN tunnel still takes a long time to re-establish, however it does work.
Can the IPSEC timers be set more aggressively?
"keepalive 10 retry 2" has already been added under "crypto isakmp profile IPVAS_PROFILE".
"clearing crypto session" on BOTH sides solves problem immediately and VPN comes up but otherwise it will take around 3-3.5 mins.
Any help will be appreciated.