12-27-2018 02:42 PM - edited 03-05-2019 11:08 AM
I’m hoping to word this as clearly as possible but I’m probably missing info. Very basic drawing attached. We have an edge router that 2 internet circuits terminate on. 1 is backup and 1 is primary. The configs are simple. We use local-pref – primary is 200, and secondary is 150 for outbound. We use prepend for controlling how traffic gets to us inbound. Secondary obviously prepended more. We get nothing more than just a default route from the ISP for both these circuits.
So to the questions: Is it possible to somehow terminate an ipsec tunnel on the secondary circuit? Since util is hitting high on the primary circuit, I would like to not throw more things onto that circuit and would like to use our backup circuit that never gets used (only for failover situation) to terminate the ipsec tunnel. Is this possible?
Re-read my post and realize I’m not being clear at all.
So the IP I would obviously use to make this IPsec tunnel would be the IP of my secondary circuit interface. So this would only work on the secondary circuit and it would not failover or work on the primary... that is fine. Just wondering if this would work...
Here are the configs for the edge router and firewall:
Firewall#
interface Port-channel10.771
 nameif Outside
 security-level 0
 ip address 172.28.255.1 255.255.255.0 standby 172.28.255.2

Edge Router# sh ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   172.28.255.125  YES NVRAM  up                    up
GigabitEthernet0/0/1   63.1.1.234      YES NVRAM  up                    up
GigabitEthernet0/0/2   209.1.1.68      YES NVRAM  up                    up
GigabitEthernet0/0/3   unassigned      YES NVRAM  administratively down down
!
interface GigabitEthernet0/0/0
 description to Firewall
 ip address 172.28.255.125 255.255.255.0
 ip nat inside
 speed 1000
 no negotiation auto
end
!
interface GigabitEthernet0/0/1
 description primary internet circuit
 ip address 63.1.1.234 255.255.255.248
 ip nat outside
 speed 1000
 no negotiation auto
end
!
interface GigabitEthernet0/0/2
 description backup internet circuit
 ip address 209.1.1.68 255.255.255.240
 ip nat outside
 speed 1000
 no negotiation auto
end

Edge Router# sh ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*  0.0.0.0          209.1.1.67                   150      0 7385 i
*                   209.1.1.66                   150      0 7385 i
*>                  63.1.1.233               0   200      0 209 i
12-29-2018 11:29 AM
Yeah I was thinking about that. That seems like too easy of a fix lol. I just posted some useful configs back into the post, maybe that will help. If I put a static route on the edge router to point the peer IP, let's say 1.1.1.1, to use the secondary circuit IP of 209.1.1.x, what will that say about the return traffic?
12-28-2018 08:57 AM
I'm still not sure what you're trying to accomplish. What traffic are you trying to send over the tunnel? Is this a desired backup for certain WAN traffic?
12-29-2018 11:31 AM
I posted some configs above. This is a L-2-L crypto map tunnel. I want the peer to be able to access resources on our network here.
12-29-2018 03:45 PM - edited 12-29-2018 03:47 PM
Thanks for the additional information. The configs are helpful, and knowing that this will be a simple LAN-to-LAN IPsec with a crypto map means that the implementation is really simple (is there an IPsec implementation that is really simple? At least this is simple relative to other, more complex IPsec).
You pretty much have identified the steps that you need to do. Here is my summary of what you should do:
1) configure an access list to identify the traffic to be protected by encryption
2) configure a transform set, isakmp parameters, and crypto map for the ipsec
3) assign the crypto map to the secondary ISP interface
4) configure a static route for the remote peer address and specify the next hop as the next hop address on your secondary ISP interface
Taking care of return traffic is really easy (and this time I do mean really easy). Since the remote peer will be using the IP address of your secondary circuit as their remote peer address, their traffic to you will automatically come to your secondary interface. You do not need to do anything.
HTH
Rick
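The four steps above as concrete IOS configuration for the edge router shown in the thread, an added example rather than Rick's or the poster's own config. Assumed values: local LAN 10.10.0.0/24 behind the firewall, remote LAN 10.20.0.0/24, the peer 1.1.1.1 the poster used as an example, the backup-circuit BGP next hop 209.1.1.67 from the sh ip bgp output, and a placeholder pre-shared key.

```cisco
! Step 1: ACL selecting the traffic to encrypt (LAN subnets are assumed)
ip access-list extended VPN-TO-PEER
 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
!
! Step 2: IKEv1 (ISAKMP) policy, pre-shared key, IPsec transform set, crypto map
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! <PSK-PLACEHOLDER> stands in for the real key; 1.1.1.1 is the example peer from the thread
crypto isakmp key <PSK-PLACEHOLDER> address 1.1.1.1
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map CM-BACKUP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS-AES256-SHA256
 match address VPN-TO-PEER
!
! Step 3: bind the crypto map to the backup circuit only, so IKE and ESP are sourced from 209.1.1.68.
! Gi0/0/1 deliberately gets no crypto map: this tunnel does not fail over to the primary circuit.
interface GigabitEthernet0/0/2
 crypto map CM-BACKUP
!
! Step 4: host route for the peer via the backup ISP next hop (209.1.1.67 assumed from sh ip bgp).
! Without it the BGP default with local-pref 200 would send the peer traffic out Gi0/0/1.
ip route 1.1.1.1 255.255.255.255 209.1.1.67
!
! Return traffic needs nothing extra: the peer addresses 209.1.1.68, which the backup ISP routes here.
! Check with: show crypto isakmp sa   and   show crypto ipsec sa peer 1.1.1.1
```

If Gi0/0/2 also carries overload NAT for the inside network (the thread's configs do not show that statement), the VPN-TO-PEER traffic must be exempted from translation, because IOS applies inside-to-outside NAT before the crypto map match.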
12-29-2018 07:15 PM
Thank you for explaining this. I just have one more question. I should've included it originally, but I didn't want to throw 2 questions in at the same time. Let's say that the edge router currently has this config below:
ip nat inside source static esp 172.28.255.1 interface GigabitEthernet0/0/1
ip nat inside source static udp 172.28.255.1 500 interface GigabitEthernet0/0/1 500
I think this config was put in for the other IPsec tunnel we have running over the primary internet circuit right now. If I enter the NAT translations command, you see the following:
Edge Router# sh ip nat translations
Pro Inside global      Inside local       Outside local       Outside global
esp 63.1.1.234         172.28.255.1       13.13.12.67:8017    13.13.12.67
esp 63.1.1.234         172.28.255.1:      13.13.12.67         13.13.12.67
esp 63.1.1.234         172.28.255.1:      13.13.12.67         13.13.12.67
esp 63.1.1.234         172.28.255.1:      13.13.12.67         13.13.12.67
esp 63.1.1.234         172.28.255.1:      13.13.12.67         13.13.12.67
esp 63.1.1.234         172.28.255.1:      13.13.12.67:16      13.13.12.67
esp 63.1.1.234         172.28.255.1:      13.13.12.67:4       13.13.12.67
esp 63.1.1.234         172.28.255.1:      13.13.12.67:8192    13.13.12.67:2
esp 63.1.1.234         172.28.255.1:      13.13.12.67:40548   13.13.12.67:6995
esp 63.1.1.234         172.28.255.1:      13.13.12.67:32768   13.13.12.67
esp 63.1.1.234         172.28.255.1:      13.13.12.67         13.13.12.67:328
esp 63.1.1.234         172.28.255.1:      13.13.12.67:65535   13.13.12.67:65535
So now I'm wondering: if I make an IPsec tunnel on the firewall to go over the second circuit like we discussed, these NAT configs will automatically translate that IP to use g0/0/1, which is the primary internet circuit, and this probably would not work to use the second circuit because of this NAT command, correct? Would I need to use an IP address that the backup ISP has provided to me and write a new NAT statement on the edge router, so that the source address on the outside interface will not be 172.28.255.1 when going into the edge router, and instead be something else, right? I hope my question is clear. Thank you for your help.
12-30-2018 10:44 AM
This translation is for an IPsec VPN running on the firewall. This and your second question bring up an aspect that I had not considered. I had been assuming that the IPsec VPN you were talking about using the secondary circuit would be running on the router. But you are asking about setting up the second LAN-to-LAN VPN on the firewall. This changes my suggestions. One complication is that there is an address translation for the firewall outside interface for the protocols ESP and ISAKMP. For the second VPN you need the same ports to be translated for the secondary circuit interface. But you cannot have 2 translations on the same interface for the same protocols. Is there another interface on the firewall that could be used for the new VPN?
HTH
Rick
12-30-2018 06:06 PM
aaaah ok I think I understand what you're saying, yes I believe you are definitely correct and I somehow need to have a second outside interface on the firewall to have this tunnel run over. I guess I can use g0/0/3 on the edge router, which is not being used, and connect that to the firewall to be the 2nd outside interface. Do you think that this is a pretty straightforward process?
1. connect the cable between g0/0/3 on edge router to firewall
2. create new sub-interface on firewall with new subnet for new outside IP address range
3. put in the 2 NAT statements on the edge router to translate for the firewall new outside interface for the protocols esp and isakmp
4. put static route on firewall to direct the peer address to use the new outside interface
Do you think I have it all here? Much appreciated on your help.
12-31-2018 07:11 AM
That sounds about right. Is there a crypto map on the firewall outside interface for the existing vpn? You may need a similar crypto map (and perhaps other crypto configuration) for the new vpn.
HTH
Rick
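The poster's four-step plan above, together with Rick's crypto map note, as an added example for the edge router and ASA in this thread (not the poster's or Rick's own config). Assumed: the new Gi0/0/3 link uses 172.28.254.0/24, the new ASA outside interface is named Outside-Backup at 172.28.254.1 (its parent port and VLAN are placeholders for wherever the new cable lands), the peer is the 1.1.1.1 example, and the backup ISP next hop is 209.1.1.67 from sh ip bgp. The host route on the edge router is an addition to the poster's list that keeps the peer traffic off the primary circuit.

```cisco
! ---- Edge router ----
! Step 1: Gi0/0/3 becomes a second inside link, facing the firewall's new outside interface
interface GigabitEthernet0/0/3
 description to Firewall (backup VPN outside)
 ip address 172.28.254.125 255.255.255.0
 ip nat inside
 no shutdown
!
! Step 3: static translations for the new firewall outside IP, bound to the backup circuit.
! They use a different inside address than the existing 172.28.255.1 entries, which is the
! whole point of the second interface: the same inside address cannot carry two esp/udp 500 statics.
ip nat inside source static esp 172.28.254.1 interface GigabitEthernet0/0/2
ip nat inside source static udp 172.28.254.1 500 interface GigabitEthernet0/0/2 500
! If the peer negotiates NAT-T, add the same static for udp 4500.
!
! Not in the poster's list: route the peer via the backup ISP next hop (209.1.1.67 assumed),
! otherwise the BGP default with local-pref 200 forwards the translated packets out Gi0/0/1.
ip route 1.1.1.1 255.255.255.255 209.1.1.67
!
! ---- ASA firewall ----
! Step 2: new outside sub-interface with the new subnet (parent port and VLAN 772 are assumed)
interface Port-channel10.772
 vlan 772
 nameif Outside-Backup
 security-level 0
 ip address 172.28.254.1 255.255.255.0 standby 172.28.254.2
!
! Step 4: send the peer out the new interface; the existing default route keeps using Outside
route Outside-Backup 1.1.1.1 255.255.255.255 172.28.254.125 1
!
! Rick's note: the new tunnel's crypto config is bound to this interface, for example
! crypto ikev1 enable Outside-Backup   and   crypto map <map-name> interface Outside-Backup
```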
12-31-2018 08:57 AM
Thanks a lot for your help Richard. I guess there are multiple right answers here since I threw that 2nd question in there out of nowhere.
12-31-2018 09:05 AM
Yes frequently there is more than one way to do something in networking and each way could work successfully.
HTH
Rick
12-29-2018 05:56 AM
If we had more information we would be able to provide better answers. Will this ipsec be a simple implementation with a crypto map? Will it be ipsec with gre? Will it be ipsec with vti? But with the very little that we know we can say that in general it is quite possible to have most traffic using the primary circuit with failover to secondary and to have ipsec terminated on the secondary circuit.
HTH
Rick
12-29-2018 11:27 AM
Thank you for responding. This will be a simple crypto map implementation. I just posted some configs that will be more helpful. I'm just wondering if I put a static route to point to the new tunnel peer, let's say their IP is 1.1.1.1, do I put a static route on the edge router that says 1.1.1.1 please use 209.1.1.x (secondary IP)? That takes care of the outbound I guess, but I'm still lost on the inbound part.