05-17-2012 07:58 AM
Hello,
We have two offices with two 1841 routers. Each office has two WAN links (one ADSL with a dialer, one SDSL) with fixed IPs.
The ADSL link is the default route with failover.
There is only one VTI working properly with the config below (the ADSL one). If I remove the route "ip route 0.0.0.0 0.0.0.0 dialer 1 track 1" both VTIs are working properly, however all traffic is going to SDSL, which is not the behaviour we would like to get.
Do you have any suggestion to get both VTIs working with the default route on the ADSL link?
Thanks in advance,
Regards,
Olivier
------------------------------------------------
track 1 ip sla 1 reachability
delay down 1 up 1
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key XXXXXX address 217.x.x.133 no-xauth
crypto isakmp key YYYYYY address 95.x.x.22 no-xauth
!
!
crypto ipsec transform-set esp-aes128-sha esp-aes esp-sha-hmac
!
crypto ipsec profile vti
set transform-set esp-aes128-sha
!
!
interface Tunnel0
description VTI To boussolebea
ip address 192.168.50.1 255.255.255.0
tunnel source Dialer1
tunnel mode ipsec ipv4
tunnel destination 217.x.x.133
tunnel path-mtu-discovery
tunnel protection ipsec profile vti
!
interface Tunnel1
description VTI To Boussolebea SDSL
ip address 192.168.51.1 255.255.255.0
tunnel source FastEthernet0/1
tunnel mode ipsec ipv4
tunnel destination 95.x.x.22
tunnel path-mtu-discovery
tunnel protection ipsec profile vti
!
interface FastEthernet0/0
description LAN Interface
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
description To SDSL
ip address 62.x.x.10 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
description To ADSL
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname
ppp chap password 7
!
ip local policy route-map IspSDSL-Redirect
ip local pool PoolVpnAdsl 192.168.60.1 192.168.60.10
ip local pool PoolVpnSdsl 192.168.61.1 192.168.61.10
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
!
!
ip nat inside source route-map IspADSL interface Dialer1 overload
ip nat inside source route-map IspSDSL interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 62.x.x.9 10
ip route 192.168.11.0 255.255.255.0 192.168.51.2
ip route 192.168.11.0 255.255.255.0 192.168.50.2 10
!
ip access-list extended Ipsec
permit tcp host 62.x.x.10 eq 500 any
ip access-list extended SSH
permit tcp host 62.x.x.10 eq 22 any
ip access-list extended SSL
permit tcp host 62.x.x.10 eq 443 any
!
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 193.x.x.3 source-interface Dialer1
threshold 60
timeout 1000
ip sla schedule 1 life forever start-time now
logging esm config
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
route-map IspSDSL permit 1
match ip address 10
match interface FastEthernet0/1
!
route-map IspADSL permit 1
match ip address 10
match interface Dialer1
!
route-map IspSDSL-Redirect permit 10
match ip address SSL SSH
match interface FastEthernet0/1
set ip next-hop 62.x.x.9
05-17-2012 08:13 AM
What makes you believe that the other VTI is not functioning properly? Is the tunnel down or are you just unable to ping the other end?
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
05-17-2012 08:59 AM
Dear Kevin,
The command "sh crypto session" gives this:
Crypto session current status
Interface: Tunnel1
Session status: DOWN-NEGOTIATING
Peer: 95.X.x.22 port 500
IKEv1 SA: local 62.x.x.10/500 remote 95.x.x.22/500 Inactive
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 217.x.x.133 port 500
IKEv1 SA: local 193.x.x.113/500 remote 217.x.x.133/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
If the default route to dialer 1 is removed both are up and active.
05-17-2012 04:28 PM
Hi Olivier,
Add the following static route...
ip route 95.x.x.22 255.255.255.255
It is so that the router stops trying to get to Tunnel1's tunnel destination through the Dialer1 link.
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
05-18-2012 05:22 AM
Hi Kevin,
It does the trick!
I added the line: ip route 95.x.x.22 255.255.255.255 62.x.x.9
The two tunnels were working like a charm. I also had to add the following line because there were two sessions for Tunnel0, I assume via ADSL and SDSL:
ip route 217.x.x.133 255.255.255.255 dialer 1
Thank you very much for your help.
Kind regards,
Olivier
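The routing decision behind Kevin's fix, as an added example that is not part of the thread and not Cisco code: a small Python model of the router's route selection (lowest administrative distance installed per prefix, longest-prefix match, recursive resolution of next hops, tracked routes withdrawn when the track object is down). It shows why, with the original static routes, the IKE packets for Tunnel1's destination leave through Dialer1 instead of FastEthernet0/1, and why the two host routes added in the thread pin each peer to its own uplink. All addresses are constructed placeholders: the thread masks octets with "x", and every "x" is replaced by 0 here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholder addresses (the thread masks the real octets with "x").
SDSL_GATEWAY = "62.0.0.9"     # next hop of the floating default and of the SDSL host route
PEER_SDSL = "95.0.0.22"       # Tunnel1 destination
PEER_ADSL = "217.0.0.133"     # Tunnel0 destination
SLA_TARGET = "193.0.0.3"      # icmp-echo target of ip sla 1, used here as "some Internet host"


@dataclass(frozen=True)
class Route:
    prefix: str                        # destination prefix, e.g. "0.0.0.0/0"
    next_hop: Optional[str] = None     # None for an interface route such as "... Dialer1"
    interface: Optional[str] = None    # egress interface when the route names one
    distance: int = 1                  # administrative distance (static default is 1)
    track: Optional[int] = None        # "track N": installed only while object N is up


# Connected routes implied by the interface addresses in the posted config.
CONNECTED = [
    Route("192.168.10.0/24", interface="FastEthernet0/0", distance=0),
    Route("62.0.0.8/30", interface="FastEthernet0/1", distance=0),
    Route("192.168.50.0/24", interface="Tunnel0", distance=0),
    Route("192.168.51.0/24", interface="Tunnel1", distance=0),
]

# The static routes from the original post.
STATIC = [
    Route("0.0.0.0/0", interface="Dialer1", track=1),
    Route("0.0.0.0/0", next_hop=SDSL_GATEWAY, distance=10),
    Route("192.168.11.0/24", next_hop="192.168.51.2"),
    Route("192.168.11.0/24", next_hop="192.168.50.2", distance=10),
]

# The two host routes added in the thread, one per IPsec peer.
HOST_ROUTES = [
    Route(PEER_SDSL + "/32", next_hop=SDSL_GATEWAY),
    Route(PEER_ADSL + "/32", interface="Dialer1"),
]

# tunnel name -> (tunnel source interface, tunnel destination)
TUNNELS = {
    "Tunnel0": ("Dialer1", PEER_ADSL),
    "Tunnel1": ("FastEthernet0/1", PEER_SDSL),
}


def build_rib(static: List[Route], track_up: Dict[int, bool]) -> List[Route]:
    """Install connected plus eligible static routes; per prefix only the lowest AD wins."""
    eligible = CONNECTED + [r for r in static if r.track is None or track_up.get(r.track, False)]
    best: Dict[str, Route] = {}
    for r in eligible:
        if r.prefix not in best or r.distance < best[r.prefix].distance:
            best[r.prefix] = r
    return list(best.values())


def lookup(rib: List[Route], dst: str, depth: int = 0) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match, recursing through next hops until an egress interface is found."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib if addr in ipaddress.ip_network(r.prefix)]
    if not matches or depth > 8:
        return None
    best = max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    if best.interface is not None:
        return best.interface, best.next_hop
    resolved = lookup(rib, best.next_hop, depth + 1)  # recursive static route
    return None if resolved is None else (resolved[0], best.next_hop)


def tunnel_egress(rib: List[Route]) -> Dict[str, Tuple[Optional[str], bool]]:
    """Per VTI: the interface its IKE/ESP packets leave on, and whether that matches its tunnel source."""
    out: Dict[str, Tuple[Optional[str], bool]] = {}
    for name, (source, dest) in TUNNELS.items():
        hit = lookup(rib, dest)
        egress = None if hit is None else hit[0]
        out[name] = (egress, egress == source)
    return out


if __name__ == "__main__":
    adsl_up = {1: True}
    print("original config:  ", tunnel_egress(build_rib(STATIC, adsl_up)))
    print("with host routes: ", tunnel_egress(build_rib(STATIC + HOST_ROUTES, adsl_up)))
    print("ADSL tracked down, Internet traffic ->",
          lookup(build_rib(STATIC + HOST_ROUTES, {1: False}), SLA_TARGET))
```

With the original routes, Tunnel1's peer resolves to Dialer1 (the tracked default), so the negotiation is attempted out the wrong uplink and the session sits in DOWN-NEGOTIATING as shown in the "sh crypto session" output above. With the two /32 routes installed, each peer resolves to the same interface as its tunnel source, while ordinary Internet traffic still follows the tracked default and falls back to the floating default via the SDSL gateway when track 1 goes down.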