09-13-2024 09:30 AM - edited 09-13-2024 09:39 AM
Hello All.
I have a 931 with two WAN links, both DHCP, and I'm having issues bringing up a number of site-to-site IPSec tunnels. It consists of 4 tunnels - one to each datacentre, over each WAN, as such:
WAN 1 > DC 1 (i.e. 1.1.1.1)
WAN 1 > DC 2 (i.e. 1.1.1.2)
WAN 2 > DC 1 (i.e. 1.1.1.1)
WAN 2 > DC 2 (i.e. 1.1.1.2)
Obviously I need routes in order to get these tunnels up, but if I allow the default route to be populated by the WAN DHCP leases, then two tunnels will succeed, and the other two will fail, as they will all route over the same WAN interface, whichever is picked as the primary default route.
If I use static routes, I have a similar problem where the routes will match the destinations, and all traffic will be routed out a single WAN interface. For example:
ip route 1.1.1.1 255.255.255.255 interface g0
ip route 1.1.1.2 255.255.255.255 interface g0
ip route 1.1.1.1 255.255.255.255 interface g1
ip route 1.1.1.2 255.255.255.255 interface g1
I have played around with route-maps, but I'm struggling to find compatible match and set attributes because the WAN interface addresses and gateways are all acquired via DHCP.
The tunnel interfaces are configured with a source address of the physical interface, i.e. tunnel source GigabitEthernet0.
How would you recommend overcoming this issue? Any help greatly appreciated.
TL;DR: How do I force IPSec tunnels to the same destination to route over alternate WAN links?
Thanks for reading.
09-13-2024 10:01 AM
You can use LO on both sites.
Then use VTI, with LO as source and destination of the tunnel.
This will make IPsec undependable of WAN.
MHM
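Added example configuration (written here, not from the thread or any Cisco document) showing the branch side of the loopback-sourced VTI MHM describes, for one DC. It assumes IKEv2 with a pre-shared key, that 198.51.100.1 stands in for the DC endpoint, that the DC can route to the branch loopback 192.0.2.1 across whichever WAN is in use (realistic on a private transport, not behind carrier NAT), and that the "ip route ... dhcp" form is available on this IOS release.

```cisco
! Branch side of MHM's suggestion. Constructed example: every address, name
! and key is a placeholder, and the DC side mirrors this with roles swapped.
!
! The loopback is the IPsec endpoint, so the tunnel no longer depends on
! which WAN interface (or which DHCP-assigned address) carries it.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring KR-DC
 peer DC1
  address 198.51.100.1
  pre-shared-key PLACEHOLDER-PSK
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.1 255.255.255.255
 identity local address 192.0.2.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-DC
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES
 set ikev2-profile IKEV2-PROF
!
! One VTI per DC instead of one per DC per WAN. IKE and ESP are sourced
! from 192.0.2.1 and leave on whichever WAN the underlay route for the DC
! endpoint (198.51.100.1, standing in for the "DC 1" address) points to.
interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! Underlay reachability for the DC endpoint: prefer WAN 1, float to WAN 2.
! The "dhcp" keyword takes the next hop from that interface's lease, so no
! hard-coded gateway is needed; the route, not the tunnel, picks the WAN.
ip route 198.51.100.1 255.255.255.255 GigabitEthernet0 dhcp
ip route 198.51.100.1 255.255.255.255 GigabitEthernet1 dhcp 10
```

The second DC gets its own Tunnel2, keyring peer and pair of host routes, with the preferred WAN swapped if the two DCs should normally use different links. The DC side must hold a route to 192.0.2.1 over the same transport, or IKE replies never return.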
09-14-2024 06:40 AM
"This will make IPsec undependable of WAN"
For clarification, I believe MHM is saying "This will make IPsec independent of WAN (addresses)".
09-14-2024 04:37 AM
Hello,
Can you elaborate a little on the topology?
You have a single rtr with dual WAN links,
and you wish to create 4 tunnels to the same two destination addresses via both of these two transit WAN links.
Are these WAN links internet facing or running over a private enterprise network?
May I ask why 4 tunnels when you only have two destinations and a single rtr?