08-21-2012 07:25 AM
I have a couple of remote sites I am connecting to over the Internet.
Now I am trying to add a S2S tunnel between the two sides.
My problem is that I have the original tunnel back to my main office as the tunnel with priority 1 and the second tunnel I created has priority 2. The problem is that both ranges are in the same basic network range.
Home office 10.0.0.0/8 (includes all kinds of other locations)
Remote 1 10.1.0.0/16
Remote 2 10.2.0.0/16
The first tunnel to/from Remote 1:
local 10.0.0.0/8 --> 10.1.0.0/16 (and vice versa)
The first tunnel to/from Remote 2:
local 10.0.0.0/8 --> 10.2.0.0/16 (and vice versa)
Tunnel between Remote 1 and 2: local 10.1.0.0/16 and 10.2.0.0/16.
Now because the original tunnel has higher priority and includes the networks of the second priority tunnel the second tunnel never comes up and traffic from remote 1 to remote 2 flows via the main office.
Is there a way to change the priority in retrospect?
Thanks
Joerg
08-21-2012 07:52 AM
Sure, you can change priority by changing the sequence numbers, the lower the number the higher the priority. However, in your case changing the priority would just put the problem on its head, i.e. all traffic would go towards the second tunnel instead. Thus, you'd need to narrow the "from" part of the statement down as well, at least for the one that is given highest priority.
Hope this helps,
best,
Johnny
08-21-2012 08:21 AM
So can I simply go ahead and make the changes like below:
Current:
crypto map Internet_map1 1 match address Internet_cryptomap
crypto map Internet_map1 1 set peer 100.100.100.100
crypto map Internet_map1 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Internet_map1 2 match address Internet_cryptomap_1
crypto map Internet_map1 2 set peer 200.200.200.200
crypto map Internet_map1 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
to the following:
no crypto map Internet_map1 1 match address Internet_cryptomap
no crypto map Internet_map1 1 set peer 100.100.100.100
no crypto map Internet_map1 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Internet_map1 10 match address Internet_cryptomap
crypto map Internet_map1 10 set peer 100.100.100.100
crypto map Internet_map1 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
^z
wr mem
I assume all connections will be dropped at that point, but should re-establish by themselves.
Thanks
Joerg
08-21-2012 10:43 AM
Yes, or add the new one first and delete the old one after that, either way. And yes, the tunnels will go down, and then up again when interesting traffic comes along.
But the way I understood your initial post you'd also need to edit the ACLs in order to achieve what you want, changing priorities is only half the job, if ACLs for both tunnels currently catch the same source scope.
Also, on a side note - if you're going to do wr mem, you'll probably want to have a backup of the startup-config, by doing a "copy start tftp" before you start editing. That way, if things get out of hand, you can easily get the old config up and running without passing a load of commands.
Best,
Johnny
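As an added illustration (not configuration from the thread), this Python model evaluates an ASA-style crypto map on Remote 1 with first-match semantics over the ranges and peer addresses posted above: it shows why the /8 entry at sequence 1 shadows the site-to-site entry, what renumbering changes, and how narrowing the main-office ACL (a constructed fix using address_exclude) makes the outcome independent of ordering. The shadowed_entries check is a pre-change sanity test that flags entries no traffic can ever reach.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the crypto map on Remote 1 (10.1.0.0/16).
# Each entry: (sequence, [(src_net, dst_net) permit ACEs], peer).
MAIN_OFFICE = "100.100.100.100"   # peer addresses as used in the thread
REMOTE2 = "200.200.200.200"


def select_peer(src, dst, crypto_map):
    """ASA-style first match: entries are evaluated in ascending sequence
    number and the first permit ACE covering src->dst picks the peer.
    None means no entry matched, so the flow would leave unencrypted."""
    s, d = ip_address(src), ip_address(dst)
    for _seq, acl, peer in sorted(crypto_map, key=lambda e: e[0]):
        if any(s in ip_network(a) and d in ip_network(b) for a, b in acl):
            return peer
    return None


def shadowed_entries(crypto_map):
    """Sequence numbers of entries that can never match because every ACE
    they contain is already covered by an earlier (lower-sequence) entry."""
    ordered = sorted(crypto_map, key=lambda e: e[0])
    shadowed = []
    for i, (seq, acl, _peer) in enumerate(ordered):
        earlier = [ace for _, a, _ in ordered[:i] for ace in a]
        covered = lambda a, b: any(
            ip_network(a).subnet_of(ip_network(ea))
            and ip_network(b).subnet_of(ip_network(eb))
            for ea, eb in earlier)
        if acl and all(covered(a, b) for a, b in acl):
            shadowed.append(seq)
    return shadowed


# 1. As posted: the broad /8 entry at seq 1 shadows the seq 2 entry.
AS_POSTED = [
    (1, [("10.1.0.0/16", "10.0.0.0/8")], MAIN_OFFICE),
    (2, [("10.1.0.0/16", "10.2.0.0/16")], REMOTE2),
]
# 2. Renumbered 1 -> 10: the more specific entry is now evaluated first.
REORDERED = [
    (10, [("10.1.0.0/16", "10.0.0.0/8")], MAIN_OFFICE),
    (2, [("10.1.0.0/16", "10.2.0.0/16")], REMOTE2),
]
# 3. Narrowed ACL: the main-office entry no longer claims 10.2.0.0/16 at
#    all (the /8 is split into the remaining ranges), so order is irrelevant.
NARROWED = [
    (1, [("10.1.0.0/16", str(n)) for n in
         ip_network("10.0.0.0/8").address_exclude(ip_network("10.2.0.0/16"))],
     MAIN_OFFICE),
    (2, [("10.1.0.0/16", "10.2.0.0/16")], REMOTE2),
]
```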