Adding an additional IPSEC Peer

dhopper82
Level 1

We are in the process of adding an additional ISP to our corporate network.  When we do so the ASA we use will connect with our WAN sites (Cisco 2811's and I know we need to upgrade!) with the current NAT'd IP (7.7.7.7 for this question) and also the new one (8.8.8.8).  I need to know a way to add the additional ISP IP into our WAN site routers so they will accept either the existing IP or the new one.  Here is our WAN site router's current setup:

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key examplekey1! address 7.7.7.7
crypto isakmp keepalive 10 5 periodic
!
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
!
crypto map aptmap 10 ipsec-isakmp
 set peer 7.7.7.7
 set transform-set aptset
 set pfs group5
 match address IPSec
!
!
ip access-list extended IPSec
 ! Site IP range
 permit ip 10.2.2.0 0.0.0.255 any

What would I add for the additional NAT'd IP (8.8.8.8)?

Note: the ASA that has all of our tunnels will be behind a load balancer so all it will be looking for is the tunnel coming into one of its interfaces.


Thanks in advance!

6 Replies

Edison Ortiz
Hall of Fame

crypto isakmp key examplekey1! address 8.8.8.8
!
crypto map aptmap 20 ipsec-isakmp
 set peer 8.8.8.8
 set transform-set aptset
 set pfs group5
 match address newacl

(Would you be matching the same traffic? I don't think you could load-share the traffic.)

Edison,

I could do it that way if needed.  If I remember right there was some way to do the set peer with a name:

set peer IPSEC

I just can't remember it...

The suggestion from Edison is the classic way to define a second tunnel on the 2811 router. And it works very well as long as the two tunnels go to separate destinations. But if I read your posts correctly it is the same single 2811 as source going to the same ASA as destination. In that case I do not believe that two separate tunnels will work. There is a way to have two peer statements within the same instance of the crypto map and I believe that is what you need for the 2811. The config might look something like this:

crypto map aptmap 10 ipsec-isakmp
 set peer 7.7.7.7
 set peer 8.8.8.8
 set transform-set aptset
 set pfs group5
 match address IPSec

HTH

Rick


That would work but the question is would it attempt to build out two tunnels to the same device?

It is my understanding that if you configure what I have suggested with two peer statements in one instance of the crypto map that the router will build one tunnel (not two) and that it will try the first peer address. If the first peer address works then the tunnel comes up. If there is a problem with the first peer address then the router tries the second peer address. So in effect it gives you a fail over mechanism.

HTH

Rick

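A sanity check on the combined 2811 config, as an added example that is not from this thread, from Cisco, or from any of the posters: a small Python parser for the IOS lines shown above that flags a `set peer` with no matching `crypto isakmp key ... address` line (the two-peer crypto map needs Edison's key line for 8.8.8.8 as well as the existing one for 7.7.7.7, or IKE with the second peer cannot authenticate), a `match address` that names an undefined ACL, and a second crypto map entry that reuses the ACL of a lower sequence number (IOS evaluates entries in sequence order, so the later entry is shadowed). The sample config is constructed from the thread's lines; the function names and finding messages are my own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the thread's 2811 config with the second "set peer"
# added as suggested, but WITHOUT the ISAKMP key line for 8.8.8.8.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key examplekey1! address 7.7.7.7
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
!
crypto map aptmap 10 ipsec-isakmp
 set peer 7.7.7.7
 set peer 8.8.8.8
 set transform-set aptset
 set pfs group5
 match address IPSec
!
ip access-list extended IPSec
 permit ip 10.2.2.0 0.0.0.255 any
"""

KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
PEER_RE = re.compile(r"^\s*set peer (\S+)")
MATCH_RE = re.compile(r"^\s*match address (\S+)")
ACL_RE = re.compile(r"^ip access-list extended (\S+)")

MapKey = Tuple[str, int]  # (crypto map name, sequence number)


def parse_config(text: str) -> Tuple[Set[str], Dict[MapKey, dict], Set[str]]:
    """Collect ISAKMP key peer addresses, crypto map entries and ACL names."""
    keys: Set[str] = set()
    maps: Dict[MapKey, dict] = {}
    acls: Set[str] = set()
    current: Optional[MapKey] = None  # crypto map entry whose body we are in
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        m = KEY_RE.match(line)
        if m:
            keys.add(m.group(1))
            current = None
            continue
        m = MAP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            maps[current] = {"peers": [], "acl": None}
            continue
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
            current = None
            continue
        if current is not None:
            m = PEER_RE.match(line)
            if m:
                maps[current]["peers"].append(m.group(1))
                continue
            m = MATCH_RE.match(line)
            if m:
                maps[current]["acl"] = m.group(1)
    return keys, maps, acls


def check_crypto_maps(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    keys, maps, acls = parse_config(text)
    findings: List[str] = []
    seen_acl: Dict[str, str] = {}  # ACL name -> first entry that matched it
    for (name, seq), entry in sorted(maps.items()):
        tag = f"crypto map {name} {seq}"
        if not entry["peers"]:
            findings.append(f"{tag}: no 'set peer' configured")
        for peer in entry["peers"]:
            if peer not in keys:
                findings.append(f"{tag}: peer {peer} has no matching "
                                f"'crypto isakmp key ... address {peer}'")
        acl = entry["acl"]
        if acl is None:
            findings.append(f"{tag}: no 'match address' configured")
        elif acl not in acls:
            findings.append(f"{tag}: match address {acl} names an undefined ACL")
        elif acl in seen_acl:
            findings.append(f"{tag}: match address {acl} is already used by "
                            f"{seen_acl[acl]}; this entry is shadowed")
        else:
            seen_acl[acl] = tag
    return findings


if __name__ == "__main__":
    for finding in check_crypto_maps(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Running it on the sample reports only the missing key for 8.8.8.8; appending `crypto isakmp key examplekey1! address 8.8.8.8` clears that, and adding a separate `crypto map aptmap 20` entry that also matches `IPSec` is reported as shadowed by entry 10.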

Is there a way anyone knows of to set up the IPSec so that the IP addresses are equal?  Say, create a pool somehow and put both addresses in it then put the name of the pool in as the peer?
