Multiple site-to-site IPsec VPNs with SRP 500 (521W)

abbe costa
Level 1

Hi community,

I just purchased an SRP 521 to connect my home network with an Amazon service (site-to-site IPsec).

I have created two tunnels and both are working ... BUT one at a time.

When I try to activate both, only the first can be connected.

The product sheet indicates 5 site-to-site VPNs, but nowhere is it indicated that they can be active at the same time.

Any experience with this?

Is there any limitation?

Cheers

A.Costa


5 Replies

Andrew Hickman
Cisco Employee

Hi,

This should be ok - it should be possible to connect multiple IPSec policies at a time.  (You can't use Point to Point IPSec and remote access VPN at the same time).

Can you post some detail please?  Maybe there is some conflicting configuration?

Please post which firmware you are using too.

Regards,

Andy

The router configuration is as follows:

Model: SRP521W, FE WAN, 802.11n ETSI, 2FXS/1FXO
Version ID: V01
Hardware Version: 4.1.0
Boot Version: 1.1.22 (Feb 22 2011 - 09:42:55)
Firmware Version: 1.01.29 (002) Mar 29 2013
Recovery Firmware: 1.01.20 (011)
Setup Wizard Version: 20110728.00

I use only point-to-point IPsec connections.

Both IKE policies are defined, and both IPsec policies are defined and enabled.

When going to Status > VPN Status, the first is connected and the second is disconnected.

I click on the Connect button but nothing happens.

On the other side it is the same status (one up and the other down).

VPN Status

Tunnel Name | Remote Policy      | Local Policy       | IKE Algorithm | IPSec Algorithm | TX Bytes | RX Bytes | Connect Status
awssec      | yyy.yyy.yyy.yyy/24 | xxx.xxx.xxx.xxx/32 | AES128-SHA1   | AES128-SHA1     | 0        | 0        | Connected
awssec2     |                    |                    |               |                 | 0        | 0        | Disconnect

When disconnecting the first connection, both connections are down.

VPN Status

Tunnel Name | Remote Policy | Local Policy | IKE Algorithm | IPSec Algorithm | TX Bytes | RX Bytes | Connect Status
awssec      |               |              |               |                 | 0        | 0        | Disconnect
awssec2     |               |              |               |                 | 0        | 0        | Disconnect

Then I connect the second tunnel (Status > VPN Status > click the Connect button on the second tunnel).

When I check the status, the SRP shows both connections as connected, but the other side shows only the second tunnel as active, and the first is down.

Tunnel Name | Remote Policy      | Local Policy      | IKE Algorithm | IPSec Algorithm | TX Bytes | RX Bytes | Connect Status
awssec      | yyy.yyy.yyy.yyy/24 | 192.168.15.100/32 | AES128-SHA1   | AES128-SHA1     | 0        | 0        | Connected
awssec2     | yyy.yyy.yyy.yyy/24 | 192.168.15.100/32 | AES128-SHA1   | AES128-SHA1     | 0        | 0        | Connected

What kind of conflict might it be?

The IP addresses for the IPsec peers are different, and the parameters are identical (except the pre-shared key of course, and the names).

Thanks for the information,

Seems a little strange.  I'm not sure that I totally follow your configuration here.

From the status, I see that you are tunnelling from a single local host to two remote subnets.  Are those subnets on the same remote SRP?

What configuration do you have on the other SRP?  Two policies, one for each subnet, for traffic targeted at the host on the first site?

Andy

I am connecting a single server in my network (local IP 192.168.15.100) to a subnetwork in Amazon AWS.

It's one single subnetwork on the Amazon side, using Amazon VPN routers.

AWS provides 2 redundant connections to 2 different IP addresses but a single subnetwork (let's say 10.1.2.0/24).

On the SRP 521W (in my network), I have defined 2 different IKE policies (one per remote AWS IP address).

For each IKE policy there is an associated IPsec policy (awssec and awssec2).

It should be like this, where the VPC is the subnetwork and the customer gateway is the SRP I am using.

Thanks for the detail - now I understand what you are attempting.

Unfortunately, the SRP500 doesn't support VPN tunnel redundancy to a common remote subnet, so it can't actively manage failover from one tunnel to the other in the event that one of the Amazon gateways fails.

As you have seen, it is possible however to manage this manually.

Regards,

Andy
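The situation in the thread, as an added model that is not Cisco or SRP500 code: a policy-based IPsec device holding two policies (awssec, awssec2) with identical traffic selectors (192.168.15.100/32 to the VPC subnet 10.1.2.0/24) but two different AWS peers. The model assumes a first-match selector lookup and that a selector already owned by a connected tunnel cannot be claimed by a second one; that is how a policy-based device without redundancy support behaves, and the SRP500's actual internals are not described on the page. The peer addresses are constructed placeholders from the RFC 5737 documentation range, and `manual_failover` is the manual procedure the accepted answer refers to, not an SRP feature.

```python
"""Model of a policy-based IPsec SPD with two tunnels to one remote subnet.

Added example, not SRP500 firmware or Cisco code. Assumptions: first-match
selector lookup; a selector owned by a connected tunnel cannot be claimed
by another tunnel. Peer addresses are constructed (RFC 5737 range).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class IPsecPolicy:
    name: str
    local: str       # local traffic selector, e.g. "192.168.15.100/32"
    remote: str      # remote traffic selector, e.g. "10.1.2.0/24"
    peer: str        # IKE peer (one of the two AWS VPN endpoints)
    enabled: bool = True
    connected: bool = False

    @property
    def selector(self) -> Tuple:
        return (ip_network(self.local), ip_network(self.remote))

    def covers(self, src: str, dst: str) -> bool:
        loc, rem = self.selector
        return ip_address(src) in loc and ip_address(dst) in rem


class PolicyBasedVPN:
    def __init__(self, policies: List[IPsecPolicy]):
        self.policies = list(policies)

    def _get(self, name: str) -> IPsecPolicy:
        return next(p for p in self.policies if p.name == name)

    def selector_conflicts(self) -> List[Tuple[str, str]]:
        """Pairs of enabled policies with identical selectors; in this model
        only one policy per selector can carry traffic at a time."""
        owner = {}
        conflicts = []
        for p in self.policies:
            if not p.enabled:
                continue
            if p.selector in owner:
                conflicts.append((owner[p.selector].name, p.name))
            else:
                owner[p.selector] = p
        return conflicts

    def connect(self, name: str) -> bool:
        """Bring a tunnel up. Returns False (the "nothing happens" the poster
        saw) when another connected tunnel already owns the same selector."""
        p = self._get(name)
        if not p.enabled:
            return False
        if any(q is not p and q.connected and q.selector == p.selector
               for q in self.policies):
            return False
        p.connected = True
        return True

    def disconnect(self, name: str) -> None:
        self._get(name).connected = False

    def route(self, src: str, dst: str) -> Optional[IPsecPolicy]:
        """First connected policy whose selectors cover the flow, or None
        (traffic would go unprotected or be dropped, depending on the device)."""
        for p in self.policies:
            if p.enabled and p.connected and p.covers(src, dst):
                return p
        return None

    def manual_failover(self, failed: str, standby: str) -> bool:
        """The manual procedure from the thread: tear down the dead tunnel,
        then connect the standby tunnel to the same subnet."""
        self.disconnect(failed)
        return self.connect(standby)


def thread_setup() -> PolicyBasedVPN:
    """The two policies from the thread: one local host, one VPC subnet,
    two AWS peers. Peer addresses are constructed placeholders."""
    return PolicyBasedVPN([
        IPsecPolicy("awssec", "192.168.15.100/32", "10.1.2.0/24", "203.0.113.10"),
        IPsecPolicy("awssec2", "192.168.15.100/32", "10.1.2.0/24", "203.0.113.20"),
    ])


if __name__ == "__main__":
    vpn = thread_setup()
    print("selector conflicts:", vpn.selector_conflicts())
    print("connect awssec:", vpn.connect("awssec"))
    print("connect awssec2 while awssec is up:", vpn.connect("awssec2"))
    print("flow carried by:", vpn.route("192.168.15.100", "10.1.2.5").name)
    print("manual failover to awssec2:", vpn.manual_failover("awssec", "awssec2"))
    print("flow now carried by:", vpn.route("192.168.15.100", "10.1.2.5").name)
```

The `selector_conflicts` check is the one worth running before bringing a second AWS tunnel up on any policy-based box: if two enabled policies share a selector, the second one is dead weight until the first is torn down, and any failover has to be a deliberate disconnect-then-connect rather than something the device does on its own.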
