06-01-2012 03:35 AM - edited 03-04-2019 04:32 PM
Hello,
I have an issue I would like to seek help with. I have 2 ISPs terminating on 2 FE ports on my 2811 router.
ISP1 had always been here, used for the following:
We recently got a second ISP, mainly for the following:
So far, ISP1 and all the above services have worked based on the config below. However, having added ISP2, I have not been able to successfully create the site-to-site VPN tunnels. I keep getting some sort of routing error. I am already thinking of moving all my VPN access to the new ISP, but that would be after a while, as I need to resolve this particular issue urgently.
I would greatly appreciate any feedback and recommendation on this issue.
version 12.4
!
ip source-route
!
ip cef
!
ip name-server 4.2.2.2
ip name-server 137.65.1.1
ip inspect WAAS enable
no ipv6 cef
!
isdn switch-type primary-qsig
!
crypto isakmp policy 4
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 6
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxx address 4.190.1.25
crypto isakmp key xxxxx address 4.164.7.170
crypto isakmp key xxxxx address 4.58.130.130
crypto isakmp key xxxxx address 1.46.241.129
!
crypto isakmp client configuration group TR
key xxxxx
pool SDM_POOL_1
acl 101
max-users 2
!
crypto isakmp client configuration group EN
key xxxxx
pool SDM_POOL_2
max-users 2
crypto isakmp profile ciscocp-ike-profile-1
match identity group TR
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
match identity group EN
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set NI esp-3des esp-md5-hmac
crypto ipsec transform-set ET esp-3des esp-sha-hmac
crypto ipsec transform-set AT esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 21600
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-2
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description VPN Tunnel to ET on 4.190.1.25
set peer 4.190.1.25
set transform-set ET
match address ET
crypto map SDM_CMAP_1 2 ipsec-isakmp
description VPN Tunnel to AT on 1.46.241.129
set peer 1.46.241.129
set transform-set AT
match address AT
crypto map SDM_CMAP_1 3 ipsec-isakmp
description VPN Tunnel to NI on 4.58.130.130
set peer 4.58.130.130
set transform-set NI
set pfs group5
match address NI
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description PROD VPN Tunnel to NI
set peer 4.58.130.130
set transform-set NI
set pfs group5
match address NI_PROD
!
!
!
interface Loopback1
ip address 2.173.40.203 255.255.255.255
!
interface Loopback3
ip address 2.173.42.81 255.255.255.255
!
interface Loopback10
ip address 2.173.42.91 255.255.255.255
!
interface FastEthernet0/0
description LAN_UAT_INTERFACE
no ip address
ip flow ingress
duplex auto
speed auto
!
interface FastEthernet0/0.100
description VOICE VLAN ZONE$ETH-LAN$
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
ip helper-address 172.16.0.101
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.200
description DATA VLAN ZONE$ETH-LAN$
encapsulation dot1Q 200
ip address 172.16.0.1 255.255.254.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.300
description UAT_DMZ_ZONE
encapsulation dot1Q 300
ip address 192.168.100.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.400
description UAT_SECURE_ZONE
encapsulation dot1Q 400
ip address 10.135.17.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.500
description UAT_INTCON_ZONE
encapsulation dot1Q 500
ip address 172.30.50.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
description ISP1 WAN INTERFACE$ETH-WAN$
ip address 2.173.42.66 255.255.255.252
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
auto discovery qos
crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface FastEthernet0/2/0
description ISP2_WAN_INTERFACE
ip address 8.248.12.94 255.255.255.192
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
auto discovery qos
crypto map SDM_CMAP_2
!
interface FastEthernet0/2/1
description PROD_INTERFACE
no ip address
ip flow ingress
duplex auto
speed auto
!
interface FastEthernet0/2/1.601
description PROD_DMZ_ZONE
encapsulation dot1Q 601
ip address 192.168.255.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/2/1.602
description PROD_SECURE_ZONE
encapsulation dot1Q 602
ip address 10.149.57.1 255.255.255.0
ip flow ingress
ip virtual-reassembly
!
interface FastEthernet0/2/1.603
description PROD_INTCON_ZONE
encapsulation dot1Q 603
ip address 172.19.205.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0.500
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/0.500
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
no ip address
!
ip local pool SDM_POOL_1 172.30.50.11 172.30.50.12
ip local pool SDM_POOL_2 172.30.50.13 172.30.50.14
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 2.173.42.65
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 172.16.1.2 9996
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 1
!
ip nat inside source static tcp 172.16.0.105 80 interface FastEthernet0/1 80
ip nat inside source static tcp 172.16.0.105 8080 interface FastEthernet0/1 8080
ip nat inside source list 100 interface Loopback10 overload
ip nat inside source static 192.168.100.4 2.173.40.202 route-map NoNAT
ip nat inside source static tcp 192.168.100.2 80 2.173.42.80 80 extendable
ip nat inside source static tcp 192.168.100.2 81 2.173.42.80 81 extendable
ip nat inside source static tcp 192.168.100.2 443 2.173.42.80 443 extendable
ip nat inside source static tcp 192.168.100.2 8080 2.173.42.80 8080 extendable
ip nat inside source static tcp 192.168.100.2 8443 2.173.42.80 8443 extendable
ip nat inside source static 172.30.50.2 2.173.42.81 route-map NoNAT reversible
ip nat inside source static 172.16.0.106 2.173.42.82 extendable
ip nat inside source static 192.168.100.5 2.173.42.83 route-map NoNAT
ip nat inside source static tcp 192.168.255.71 80 8.248.12.95 80 extendable
ip nat inside source static tcp 192.168.255.71 81 8.248.12.95 81 extendable
ip nat inside source static tcp 192.168.255.71 443 8.248.12.95 443 extendable
ip nat inside source static tcp 192.168.255.71 8080 8.248.12.95 8080 extendable
ip nat inside source static tcp 192.168.255.71 8443 8.248.12.95 8443 extendable
!
ip access-list extended AT
permit ip host 2.173.42.83 host 1.46.241.75
permit ip host 2.173.42.83 host 1.46.241.76
permit ip host 2.173.42.83 host 1.46.241.77
permit ip host 2.173.42.83 host 1.46.241.82
permit ip host 2.173.42.83 host 1.46.241.45
permit ip host 2.173.42.83 host 1.46.241.18
ip access-list extended ET
permit ip host 192.168.100.4 host 10.71.128.47
permit ip host 192.168.100.4 host 10.71.128.83
permit ip host 192.168.100.5 host 10.71.128.47
permit ip host 192.168.100.5 host 10.71.128.83
ip access-list extended NI
permit ip host 172.30.50.2 host 41.58.130.138
ip access-list extended NI_PROD
permit ip host 172.19.205.31 host 41.58.130.134
ip access-list extended NoNAT
deny ip host 192.168.100.4 host 10.71.128.47
deny ip host 192.168.100.4 host 10.71.128.83
deny ip host 172.30.50.2 host 4.58.130.138
permit ip host 192.168.100.4 any
permit ip host 172.30.50.2 any
permit ip host 192.168.100.5 any
!
access-list 23 remark Access List Restricting Router's http access to only the IP Phones
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 172.16.0.0 0.0.1.255
access-list 100 remark CCP_ACL Category=18
access-list 100 permit ip host 172.16.0.86 any
access-list 100 permit ip 172.16.0.0 0.0.1.255 any
access-list 100 permit tcp 172.16.0.0 0.0.1.255 any
access-list 100 permit udp any host 172.16.0.1 eq non500-isakmp
access-list 100 permit udp any host 172.16.0.1 eq isakmp
access-list 100 permit esp any host 172.16.0.1
access-list 100 permit ahp any host 172.16.0.1
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit udp 172.16.0.0 0.0.1.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any
access-list 100 permit udp 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 10.135.17.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 172.30.50.0 0.0.0.255 any
access-list 110 permit ip 172.16.0.0 0.0.1.255 any
access-list 111 permit tcp any host 192.168.100.2
access-list 111 permit tcp any host 192.168.255.71
access-list 112 permit tcp any host 192.168.100.4 eq 20010
access-list 112 permit tcp any host 192.168.100.4 eq 22
access-list 119 permit ip any any
!
!
route-map NoNAT permit 10
match ip address NoNAT
!
Whenever I try to establish a tunnel on SDM_CMAP_2 and run a test using CCP, I get 2 failure reasons:
1. The peer must be routed through the crypto map interface. The following peer(s) are routed through non-crypto map interface - 4.58.130.130
2. The tunnel traffic destination must be routed through the crypto map interface. The following destinations are routed through non-crypto map interface - 4.58.130.134
Please note that the tunnels on SDM_CMAP_1 are all active
Do I need to include a default route for the second ISP on the router? If so, how do I get this done? When I tried it, I had loops on the user LAN segment of the network.
Regards,
Femi
06-01-2012 04:09 AM
Hi
You need BGP to both providers, and also a provider-independent network and AS.
06-01-2012 04:12 AM
Hello,
Thanks for the feedback. I am not very strong in routing, do you mind explaining a bit more in detail how to achieve setting up BGP to both ISPs, and all the other suggestions you made?
Regards,
Femi
06-13-2012 10:34 AM
Hello,
So I finally got this to work using IP VRF. Below is the config applied:
ip vrf PROD_INTCON
rd 100:1
route-target export 100:1
route-target import 100:1
!
ip vrf ISP2
rd 101:1
route-target export 101:1
route-target import 101:1
!
!
crypto keyring NI2-keyring vrf ISP2
pre-shared-key address a.b.130.130 key xxxxx
!
crypto isakmp policy 4
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 6
encr 3des
authentication pre-share
group 2
!
crypto isakmp profile NI2-profile
vrf PROD_INTCON
keyring NI2-keyring
match identity address a.b.130.130 255.255.255.255 ISP2
isakmp authorization list default
!
crypto ipsec transform-set NI2set esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description PROD VPN Tunnel to NI2
set peer a.b.130.130
set transform-set NI2set
set pfs group5
set isakmp-profile NI2-profile
match address NI2_ACL
reverse-route
!
!
interface FastEthernet0/2/0
ip vrf forwarding ISP2
ip address z.y.12.94 255.255.255.192
crypto map SDM_CMAP_2
!
!
interface FastEthernet0/2/1.603
description PROD_INTCON_ZONE
encapsulation dot1Q 603
ip vrf forwarding PROD_INTCON
ip address 172.19.205.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
!
ip route vrf ISP2 0.0.0.0 0.0.0.0 z.y.12.65
ip route vrf PROD_INTCON a.b.130.134 255.255.255.255 FastEthernet0/2/0 z.y.12.65
!
ip access-list extended NI2_ACL
permit ip host 172.19.205.31 host a.b.130.134
!
Hope it helps someone. More info about IP VRF here:
https://supportforums.cisco.com/docs/DOC-13524
Regards,
Femi
06-19-2012 08:09 PM
Hello,
I have a similar config working with a specific route to the peers.
If you had a command:
ip route 4.58.130.130 255.255.255.255 FastEthernet0/2/0
then your tunnel should show up.
But when I looked at your config, I see this peer linked to the 2 crypto maps. I am not sure you can do load balancing like this between 2 ISPs for VPN connections.
Jean-Luc
06-23-2012 12:02 AM
Hello Jean-Luc,
Thank you for your comment.
The thing is that I have 2 VPNs originating from my router to that 4.58.130.130 peer IP. The 2 VPNs are for different environments on my network, and both VPNs are going through different ISPs, as I had stated. Adding the command you have suggested will force all traffic to that peer IP over the FE0/2/0 interface, which isn't what I want.
Also, I do not intend to do load balancing on both ISPs. They are for two different environments like I said and will not be shared between those environments.
Regards,
Femi
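The whole thread turns on one question: for each crypto-map entry, does the peer address (and the traffic the crypto ACL protects) resolve out of the interface that carries the crypto map? The example below is added by the editor and is not code from the thread or from Cisco; it models the two tests CCP reported in the first post as a longest-prefix-match lookup over per-VRF routing tables, and runs them against the three configurations discussed: the original single default route, Jean-Luc's /32 host route for the peer, and Femi's VRF split. Assumptions: the peer and destination addresses are taken from the CCP error messages and the NoNAT list (4.58.130.130, .134, .138), the ISP2 gateway subnet is derived from the posted 8.248.12.94/26 address, and the crypto-map entries, VRF names and interface names are transcribed from the posted configs; NAT and ACL effects are deliberately left out of the model.

```python
# Added example: model of CCP's "routed through the crypto map interface"
# checks, run against the three routing layouts discussed in the thread.
# Routing data is transcribed from the posted configs (assumption: the
# connected subnets and interface/VRF bindings are as shown there).
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

GLOBAL = "global"  # label used here for the default (non-VRF) routing table


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    egress: str  # interface the route resolves to


class Rib:
    """Per-VRF routing tables with longest-prefix-match lookup."""

    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {}

    def add(self, vrf: str, prefix: str, egress: str) -> None:
        self.tables.setdefault(vrf, []).append(
            Route(ipaddress.ip_network(prefix, strict=False), egress))

    def lookup(self, vrf: str, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for route in self.tables.get(vrf, []):
            if addr in route.prefix and (
                    best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        return best.egress if best else None


@dataclass
class CryptoMapEntry:
    name: str                 # "<crypto map>/<seq>"
    peer: str                 # 'set peer'
    destinations: List[str]   # destination hosts of the 'match address' ACL
    bound_to: str             # interface carrying 'crypto map <name>'
    front_vrf: str = GLOBAL   # VRF in which the peer address is looked up (FVRF)
    inside_vrf: str = GLOBAL  # VRF in which protected traffic is routed (IVRF)


def check_entry(rib: Rib, entry: CryptoMapEntry) -> List[str]:
    """Mimic CCP's two tests; an empty list means the entry passes."""
    failures = []
    via = rib.lookup(entry.front_vrf, entry.peer)
    if via != entry.bound_to:
        failures.append(f"{entry.name}: peer {entry.peer} routed via {via}, "
                        f"not {entry.bound_to}")
    for dst in entry.destinations:
        via = rib.lookup(entry.inside_vrf, dst)
        if via != entry.bound_to:
            failures.append(f"{entry.name}: destination {dst} routed via "
                            f"{via}, not {entry.bound_to}")
    return failures


def base_rib() -> Rib:
    """Global table from the original post: one default route towards ISP1."""
    rib = Rib()
    rib.add(GLOBAL, "0.0.0.0/0", "FastEthernet0/1")          # ip route 0.0.0.0 0.0.0.0 2.173.42.65
    rib.add(GLOBAL, "2.173.42.64/30", "FastEthernet0/1")     # connected, ISP1
    rib.add(GLOBAL, "8.248.12.64/26", "FastEthernet0/2/0")   # connected, ISP2
    rib.add(GLOBAL, "172.19.205.0/24", "FastEthernet0/2/1.603")
    return rib


# The two crypto-map entries that point at the same peer over different ISPs.
UAT_TO_NI = CryptoMapEntry("SDM_CMAP_1/3", "4.58.130.130", ["4.58.130.138"], "FastEthernet0/1")
PROD_TO_NI = CryptoMapEntry("SDM_CMAP_2/1", "4.58.130.130", ["4.58.130.134"], "FastEthernet0/2/0")


def run(rib: Rib, entries: List[CryptoMapEntry]) -> Dict[str, List[str]]:
    return {e.name: check_entry(rib, e) for e in entries}


def scenario_original() -> Dict[str, List[str]]:
    """First post: SDM_CMAP_2 fails both tests, SDM_CMAP_1 is fine."""
    return run(base_rib(), [UAT_TO_NI, PROD_TO_NI])


def scenario_host_route() -> Dict[str, List[str]]:
    """Jean-Luc's /32 for the peer: fixes SDM_CMAP_2's peer test but steals
    the same peer from SDM_CMAP_1, which is the objection in Femi's reply."""
    rib = base_rib()
    rib.add(GLOBAL, "4.58.130.130/32", "FastEthernet0/2/0")
    return run(rib, [UAT_TO_NI, PROD_TO_NI])


def scenario_vrf() -> Dict[str, List[str]]:
    """Femi's fix: ISP2 (front VRF) and PROD_INTCON (inside VRF) get their
    own tables, so the same peer can be reached over both ISPs."""
    rib = Rib()
    rib.add(GLOBAL, "0.0.0.0/0", "FastEthernet0/1")
    rib.add(GLOBAL, "2.173.42.64/30", "FastEthernet0/1")
    rib.add("ISP2", "0.0.0.0/0", "FastEthernet0/2/0")        # ip route vrf ISP2 0.0.0.0 0.0.0.0 ...
    rib.add("ISP2", "8.248.12.64/26", "FastEthernet0/2/0")   # connected, now in vrf ISP2
    rib.add("PROD_INTCON", "172.19.205.0/24", "FastEthernet0/2/1.603")
    rib.add("PROD_INTCON", "4.58.130.134/32", "FastEthernet0/2/0")  # ip route vrf PROD_INTCON ...
    prod = CryptoMapEntry(PROD_TO_NI.name, PROD_TO_NI.peer, PROD_TO_NI.destinations,
                          PROD_TO_NI.bound_to, front_vrf="ISP2", inside_vrf="PROD_INTCON")
    return run(rib, [UAT_TO_NI, prod])


if __name__ == "__main__":
    for label, result in (("original", scenario_original()),
                          ("host route", scenario_host_route()),
                          ("vrf", scenario_vrf())):
        print(label, result)
```

On the router itself the equivalent check is `show ip route 4.58.130.130` for the global table and `show ip route vrf ISP2 4.58.130.130` / `show ip route vrf PROD_INTCON 4.58.130.134` after the VRF change; the egress interface shown must be the one that carries the crypto map. The model only covers routing: it says nothing about the NoNAT route-map or the inspect rules, which can still break a tunnel whose routing is correct. Separately from the routing question, the IKE policies in both posted configs use 3DES, MD5 and DH groups 2 and 5, which are below current recommendations; if the tunnels are being re-homed anyway, that is the moment to move them to AES and SHA-2 with a larger DH group, subject to what the peers support.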