Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1092
Views
5
Helpful
6
Replies

IPsec two Peers configuration

Hamada Ahmed
Level 1
Level 1

‎12-08-2020 09:06 AM

Dears,

 

If I have HQ and DR, and some subnets in HQ and other in DR.

If i configured under crypto map two peers to HQ and DR, it will initiate tunnel to the HQ and DR, or Crypto map will prefer the first peer only?

Also how to solve this ( i want to create two tunnels to HQ and DR and if branch want to talk to DR subnet will go through DR tunnel and if branch want to talk to HQ subnet , will go through HQ tunnel)?

 

Labels:
0 Helpful
6 Replies 6

Georg Pauwen
VIP
VIP

‎12-08-2020 09:45 AM

Hello,

 

what are we dealing with, a DMVPN ?

Hamada Ahmed
Level 1
Level 1
In response to Georg Pauwen

‎12-08-2020 09:58 AM

No , we just need to have P2P encrypted tunnel

0 Helpful

Hamada Ahmed
Level 1
Level 1
In response to Hamada Ahmed

‎12-08-2020 10:10 AM

!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key HollyMaya address 201.99.24.2
crypto ipsec transform-set esp-aes esp-aes esp-sha-hmac
mode tunnel
crypto map HollyMayaMap 10 ipsec-isakmp
set peer 201.99.24.2  HQ

set Peer 201.99.24.5  DR, I need to add this second peer IP, 
set transform-set esp-aes
match address 100
interface Ethernet0/0
crypto map HollyMayaMap

0 Helpful

Georg Pauwen
VIP
VIP
In response to Hamada Ahmed

‎12-08-2020 12:56 PM

Hello,

 

add the 'default' keyword to the first peer, that will make it the preferred peer:

 

crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key HollyMaya address 201.99.24.2
crypto ipsec transform-set esp-aes esp-aes esp-sha-hmac
mode tunnel
crypto map HollyMayaMap 10 ipsec-isakmp
set peer 201.99.24.2 default

set Peer 201.99.24.5
set transform-set esp-aes
match address 100
interface Ethernet0/0
crypto map HollyMayaMap

 

If you want certain traffic to go through the other peer, create a new tunnel and crypto map matches the desired traffic flow.

0 Helpful

Hamada Ahmed
Level 1
Level 1
In response to Georg Pauwen

‎12-08-2020 01:04 PM

Could I have example for certain traffic go through second peer with new tunnel? 

 

0 Helpful

MHM Cisco World
VIP
VIP

‎12-08-2020 12:32 PM - edited ‎12-08-2020 01:45 PM

Prefer first one if it failed it will choose second one,

other solution is 

config two tunnel share same tunnel source but different tunnel destination and config ipsec profile with share keyword one both tunnel.

this ipsec over tunnel is route based so

any route through tunnel one will be protect and pass through this tunnel.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card