12-18-2012 03:20 AM - edited 03-04-2019 06:26 PM
Hi,
We have a network router connecting to an MPLS link for our extranet connection to our external business partners. The network traffic is all encrypted using IPsec between us and the external business partners' sites, using transport mode.
We have a new partner who would like to establish IPsec connectivity with us over the MPLS network and has two routers (active and backup MPLS links).
We would like to configure two IPsec tunnels with the new partner, one primary tunnel to the primary router and one secondary tunnel to the secondary router. To track the availability of the remote peer, we would like to run the IPsec connection in tunnel mode.
May I know if anyone has managed to run both tunnel and transport mode concurrently on the same router? If there is a better way to design this, please advise, as we would like to keep this as simple as possible.
============================================================================================
Extract of configuration
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key partnerA address 1.1.1.1
crypto isakmp key newpartner1 address 198.1.2.6
crypto isakmp key newpartner2 address 198.1.2.10
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
crypto ipsec transform-set VPN_tunnel_mode esp-3des esp-sha-hmac
!
!
crypto ipsec profile VTI
 set transform-set VPN_tunnel_mode
!
!
crypto map vpn local-address Loopback1
crypto map vpn 10 ipsec-isakmp
 description partner A
 set peer 1.1.1.1
 set transform-set aes
 match address 110
!
!
!
interface Loopback1
 description crypto loopback interface
 ip address 10.1.65.1 255.255.255.255
!
!
interface GigabitEthernet0/0
 description WAN connection to MPLS
 ip address 198.1.2.66 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map vpn
!
interface GigabitEthernet0/1
 description LAN connection
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface Tunnel0
 ip unnumbered GigabitEthernet0/0
 tunnel source 10.1.65.1
 tunnel destination 198.1.2.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel1
 ip unnumbered GigabitEthernet0/0
 tunnel source 10.1.65.1
 tunnel destination 198.1.2.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
ip route 0.0.0.0 0.0.0.0 198.1.2.65 name MPLS_PE
ip route 10.0.0.0 255.255.224.0 10.1.2.254 name internal
ip route 198.1.3.0 255.255.255.0 Tunnel0 track 10 name newpartner_LAN
ip route 198.1.3.0 255.255.255.0 Tunnel1 100 track 20 name newpartner_LAN
!
ip sla 10
 icmp-echo 198.1.2.6 source-interface Loopback1
 frequency 5
!
ip sla 20
 icmp-echo 198.1.2.10 source-interface Loopback1
 frequency 5
!
ip sla schedule 10 life forever start-time now
ip sla schedule 20 life forever start-time now
!
12-18-2012 03:27 AM
There is nothing stopping you from running tunnel mode for one IPsec tunnel and transport mode for another IPsec tunnel from the same router. Under the "crypto map xxx seq ipsec-isakmp", you just need to specify "mode transport" and that will do it.
12-19-2012 06:27 PM
David,
Thanks, I think you are referring to specifying "mode transport" in the crypto ipsec transform-set instead of the crypto map...
I will try that... any idea if a similar change is required on the remote peer? I really hate the idea of getting our business partner to make any changes, since the existing IPsec tunnel running in transport mode is already live.
============================================
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
 mode transport
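An added example (not from the thread's posts) putting the pieces of the design side by side: the transport-mode transform-set for the existing partner, the tunnel-mode profile for the two VTIs, and the track objects the static routes reference but the extract never defines. It reuses the thread's own names and addresses; the delay timers and the optional line-protocol track are assumptions.

```cisco
! 1. Transport mode for the existing partner. The mode belongs to the
!    transform-set and is negotiated in IKE phase 2, so both peers must
!    propose the same mode; a transform-set without "mode transport"
!    defaults to tunnel mode.
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
 mode transport
!
! 2. Tunnel mode for the new partner's VTIs lives in its own transform-set,
!    so each SA negotiates its own mode and the two never interfere.
crypto ipsec transform-set VPN_tunnel_mode esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI
 set transform-set VPN_tunnel_mode
!
! 3. The routes reference track 10 and track 20, but the extract never
!    creates the track objects, so the routes cannot follow the probes.
!    Bind each track to its SLA; the delay (assumed values) keeps a single
!    lost echo from flapping the route.
track 10 ip sla 10 reachability
 delay down 15 up 10
track 20 ip sla 20 reachability
 delay down 15 up 10
!
! 4. Administrative distance goes right after the interface; the backup
!    route gets 100 so it is installed only when track 10 is down.
ip route 198.1.3.0 255.255.255.0 Tunnel0 track 10 name newpartner_LAN
ip route 198.1.3.0 255.255.255.0 Tunnel1 100 track 20 name newpartner_LAN
!
! 5. Alternative probe: with IPsec VTIs the tunnel line protocol follows the
!    IPsec SA, so enabling DPD and tracking the interface detects a dead peer
!    without a separate ICMP probe across the MPLS cloud.
crypto isakmp keepalive 10 3 periodic
track 30 interface Tunnel0 line-protocol
```

The existing partner's end must already be set to transport mode for the live crypto-map SA to have come up, so only the new partner's routers need the tunnel-mode profile.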