03-18-2014 10:29 AM
Hi,
I have a Cisco 861 that needs to run two L2L tunnels, one to a Peplink 3G device and another to a Cisco ASA:
Peplink HD2 <----3G VPN Tunnel----> Cisco 861 <---VPN Tunnel----> Cisco ASA
http://www.cloud-distribution.com/_CDL/files/ipsec_guide.pdf
using crypto keyring dynkey (aggressive mode).
I can establish the Cisco 861 to ASA VPN tunnel without a problem. But as soon as I add the 3G dynamic policy to the config for the Peplink HD2, the policies seem to clash.
crypto keyring dynkey
 pre-shared-key hostname vpn@peplink key ***************
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 2kSc89723Lkndv90K address 46.183.191.1
crypto isakmp profile dynprofile
 keyring dynkey
 self-identity user-fqdn vpn@cisco
 match identity user-fqdn vpn@peplink
 initiate mode aggressive
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto ipsec transform-set 3desset esp-3des esp-sha-hmac
!
 set security-association lifetime seconds 3600
!
!
!
crypto dynamic-map dynmap 20
 set transform-set 3desset
 set pfs group2
 set isakmp-profile dynprofile
 match address VPN-TRAFFIC
!
!
crypto map CMAP_CF 1 ipsec-isakmp
 description Tunnel to46.183.191.1
 set peer 46.183.191.1
 set transform-set TS
 set pfs group5
 match address VPN-TRAFFIC
crypto map CMAP_CF 20 ipsec-isakmp dynamic dynmap
Is there a way to put these into separate policies/profiles, or am I doing something completely wrong? Both tunnels work okay independently.
Thanks,
Joel
03-19-2014 09:18 AM
Hi Joel,
I see you have applied the same ACL, VPN-TRAFFIC, under both the static and the dynamic map:
crypto dynamic-map dynmap 20
 set transform-set 3desset
 set pfs group2
 set isakmp-profile dynprofile
 match address VPN-TRAFFIC
!
!
crypto map CMAP_CF 1 ipsec-isakmp
 description Tunnel to46.183.191.1
 set peer 46.183.191.1
 set transform-set TS
 set pfs group5
 match address VPN-TRAFFIC
crypto map CMAP_CF 20 ipsec-isakmp dynamic dynmap
Why would you need match address for the dynamic-map?
Regards,
Shetty
03-20-2014 06:29 AM
Hi Shetty,
I've attached a PDF with diagram to help explain. (Red traffic failover route, blue traffic normal data)
Basically, traffic from 192.168.40.xxx needs to be able to talk to devices at 10.21.1.71, travelling from the Cisco 861 to Cisco HQ via the VPN. In normal operation the satellite network passes traffic to the 861 for encryption. But when the sat is down, the Pepwave can fail over to the Cisco via 3G.
The VPN ACL for the Cisco-to-Cisco tunnel is already 192.168.40.xxx to 10.21.1.71.
So would the VPN ACL for the 3G (dynamic) to Cisco tunnel be 192.168.40.xxx to 10.21.1.71 as well, as the intended destination is 10.21.1.71 and the source is 192.168.40.xxx?
Or would I need to route traffic differently?
And I assume the best way to do this is to use one crypto map with different priorities?
Thanks,
03-29-2014 07:05 AM
Hi Joel,
So if I understand right, with the static map you are trying to build a site-to-site VPN over the satellite link, and as a backup you have configured a dynamic-map to accept a dynamic connection from the Peplink 3G device over the same WAN connection?
If both tunnels are built over the same WAN interface, do note that if both peers try to build a tunnel with the router at the same time, it's going to keep only one (since both peers present the same VPN network/proxy-id).
What exactly happens when you add the dynamic profile? Let's say you have the tunnel working fine with the ASA and you add the dynamic profile; does the tunnel with the ASA go down?
Debug logs should tell us why a tunnel is torn down.
debug crypto condition peer ipv4 <remote peer public IP> //** set the condition for both ASA and peplink device one by one.
Collect the following debugs:
debug cry isa
debug cry ipsec
After collecting the debugs, turn them off using "undebug all".
Thanks,
Shetty
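A check for the clash Shetty describes, where the static entry and the dynamic map both select the same ACL and so both peers present the same proxy-ID: this is an added example, not code from the thread or from Cisco, a small Python linter run over a constructed, trimmed copy of Joel's crypto map section.

```python
import re
from collections import defaultdict
# Constructed sample, trimmed from the crypto map section posted in the thread:
# the static entry and the dynamic map both match the same ACL.
SAMPLE_CONFIG = """\
crypto dynamic-map dynmap 20
 set isakmp-profile dynprofile
 match address VPN-TRAFFIC
!
crypto map CMAP_CF 1 ipsec-isakmp
 set peer 46.183.191.1
 match address VPN-TRAFFIC
crypto map CMAP_CF 20 ipsec-isakmp dynamic dynmap
"""

# Header of a dynamic-map entry, a static entry, or a static entry that references a dynamic map.
MAP_RE = re.compile(r"^crypto (dynamic-map|map) (\S+) (\d+)(?: ipsec-isakmp)?(?: dynamic (\S+))?$")

def parse_crypto_maps(config):
    """Map (kind, name, seq) -> {'acl': match-address ACL or None, 'dynamic': referenced dynamic map or None}."""
    entries, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):          # top-level line: start a new entry or leave the current one
            m = MAP_RE.match(line)
            current = (m.group(1), m.group(2), int(m.group(3))) if m else None
            if m:
                entries[current] = {"acl": None, "dynamic": m.group(4)}
            continue
        if current and line.split()[:2] == ["match", "address"]:   # IOS indents sub-commands with one space
            entries[current]["acl"] = line.split()[2]
    return entries

def find_acl_collisions(config):
    """Return {(map_name, acl): [seqs]} for ACLs selected by more than one entry of one crypto map; a 'dynamic <name>' entry resolves to that dynamic map's own match address."""
    entries = parse_crypto_maps(config)
    dyn_acl = {name: e["acl"] for (kind, name, _), e in entries.items() if kind == "dynamic-map"}
    usage = defaultdict(list)
    for (kind, name, seq), e in entries.items():
        if kind == "map":
            acl = dyn_acl.get(e["dynamic"]) if e["dynamic"] else e["acl"]
            if acl:
                usage[(name, acl)].append(seq)
    return {k: sorted(v) for k, v in usage.items() if len(v) > 1}

if __name__ == "__main__":
    for (name, acl), seqs in find_acl_collisions(SAMPLE_CONFIG).items():
        print(f"crypto map {name}: ACL {acl} is the proxy-ID for entries {seqs}; only one SA can match it")
```

Giving the dynamic map its own ACL (a different proxy-ID) makes the check come back empty, which is the state to aim for before testing both peers at once.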
03-30-2014 04:10 AM
Hi Shetty,
Your comments about the network are correct. The satellite passes traffic to the Cisco at a ground station to be encrypted to the Cisco at HQ. Once the sat is down, the 3G tunnel needs to pass traffic to the ground-station Cisco for routing down the same tunnel to HQ.
So both the Pepwave and the Cisco 86X use the same ACL to access the HQ Cisco via VPN. Would that cause both peers to present the same VPN network/proxy-id on the same WAN?
Only part of the Pepwave 3G tunnel comes up (the part that doesn't include the same addresses as in the satellite link's ACL).
Would you know of a way to get around this?
I only have access to the Cisco 86X (on IOS) and the Pepwave, so I can't run the ASA commands. I'll post what I have from the IOS ASAP though.
Thanks!
Joel