Solved: Re: Site-to-Site VPN & Dual Dialer Wan

secon-asc · ‎06-05-2012

Hello!

i've got some Problems with a Cisco 1941 running 15.2...

I've got two DSL (PPPoE Dialer) WAN-interfaces. I want the normal Internet traffic go through DSL-1 and the VPN go through DSL-2. So i set the default route through Dialer1 and the route heading to the IP of the Brach-Site (R.R.R.R) through Dialer2.

on R1: Ping R.R.R.R -> works fine

on R2: Ping Y.Y.Y.Y -> works fine

on R2: ssh Y.Y.Y.Y -> works fine

so i guess routing should work?

but the VPN wont be established:

router-wi#show cry sess

Crypto session current status

Interface: Dialer1

Session status: DOWN-NEGOTIATING

Peer: B.B.B.B port 500

IKEv1 SA: local X.X.X.X/500 remote B.B.B.B/500 Inactive

IPSEC FLOW: permit ip 172.20.100.0/255.255.255.0 172.20.110.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.40.0/255.255.255.0

Active SAs: 0, origin: crypto map

Interface: Dialer2

Session status: DOWN

Peer: B.B.B.Bport 500

IPSEC FLOW: permit ip 172.20.100.0/255.255.255.0 172.20.110.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.40.0/255.255.255.0

Active SAs: 0, origin: crypto map

Even when i remove the VPN-D1 Crypto map, no VPN can be established. Only when i shutdown the Dialer1 interface and the default Route also goes throug Dialer2 the VPN is established correctly...

R1 config:

.....

track 1 ip sla 1

delay down 5 up 2

!

track 2 ip sla 2

delay down 5 up 2

!

crypto isakmp policy 1

encr aes 256

hash sha512

authentication pre-share

!

crypto isakmp key xxxxx address R.R.R.R

crypto isakmp xauth timeout 10

!

crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha512-hmac

!

crypto map VPN-D1 10 ipsec-isakmp

set peer R.R.R.R

set transform-set VPN_TS

match address VPN_1

crypto map VPN-D1 20 ipsec-isakmp

set peer R.R.R.R

set transform-set VPN_TS

match address VPN_2

!

crypto map VPN-D2 10 ipsec-isakmp

set peer R.R.R.R

set transform-set VPN_TS

match address VPN_1

crypto map VPN-D2 20 ipsec-isakmp

set peer R.R.R.R

set transform-set VPN_TS

match address VPN_2

!

interface GigabitEthernet0/0

description green

no ip address

ip virtual-reassembly in

ip tcp adjust-mss 1412

duplex auto

speed auto

!

interface GigabitEthernet0/0.1

description Wlan (VPN_1 Network)

encapsulation dot1Q 2 native

ip address 192.168.100.2 255.255.255.0

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly in

!

interface GigabitEthernet0/1

description orange

no ip address

ip tcp adjust-mss 1412

duplex auto

speed auto

!

interface GigabitEthernet0/1.1

description VPN_2 Network

encapsulation dot1Q 1 native

ip address 172.20.100.2 255.255.255.0

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip virtual-reassembly in

!

interface FastEthernet0/0/0

description -= to DSL-1 =-

no ip address

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface FastEthernet0/0/1

description -= to DSL-2 =-

no ip address

ip virtual-reassembly in

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 2

!

interface Dialer1

description -= DSL-1 (Vdsl) =-

ip address negotiated

ip mtu 1452

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname feste-ip7/xxx@t-online-com.de

ppp chap password 0 xxx

ppp pap sent-username feste-ip7/xxx@t-online-com.de password 0 xxx

crypto map VPN-D1

!

interface Dialer2

description -= DSL-2 (T-DSL) =-

ip address negotiated

ip mtu 1452

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 2

dialer-group 2

ppp authentication chap pap callin

ppp chap hostname feste-ip2/xxx@t-online-com.de

ppp chap password 0 xxx

ppp pap sent-username feste-ip2/xxx@t-online-com.de password 0 xxx

crypto map VPN-D2

!

.......

!

ip dns server

ip nat inside source route-map DSL-1 interface Dialer1 overload

ip nat inside source route-map DSL-2 interface Dialer2 overload

ip route B.B.B.B 255.255.255.255 Dialer2 10 track 2

ip route 0.0.0.0 0.0.0.0 Dialer1 30 track 1

ip route 0.0.0.0 0.0.0.0 Dialer2 50 track 2

!

ip access-list extended VPN_2

permit ip 172.20.100.0 0.0.0.255 172.20.110.0 0.0.0.255

ip access-list extended VPN_1

permit ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255

!

ip radius source-interface GigabitEthernet0/0.1

ip sla 1

icmp-echo X.X.X.X

tag Check DSL-1

threshold 300

timeout 500

frequency 5

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo Y.Y.Y.Y

tag Check DSL-2

threshold 300

timeout 500

frequency 1

ip sla schedule 2 life forever start-time now

access-list 100 remark -= NAT Route-Map DSL-1 ACL =-

access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255

access-list 100 permit ip 192.168.100.0 0.0.0.255 any

access-list 101 remark -= NAT Route-Map DSL-2 ACL =-

access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255

access-list 101 permit ip 192.168.100.0 0.0.0.255 any

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

!

route-map DSL-2 permit 10

match ip address 101

match interface Dialer2

route-map DSL-1 permit 10

match ip address 100

match interface Dialer1

R2 config:

....

crypto map VPN 10 ipsec-isakmp

set peer Y.Y.Y.Y

set peer X.X.X.X

set transform-set VPN_TS

match address VPN_1

crypto map VPN 20 ipsec-isakmp

set peer Y.Y.Y.Y

set peer X.X.X.X

set transform-set VPN_TS

match address VPN_2

...

rizwanr74 · ‎06-05-2012

Yes you can incorporate these below routes as well into track 2, however should track 2 fails you must have a failover route to dsl1, with higher cost route of 100.

ip route 192.168.40.0 255.255.255.0 Dialer 2 track 2 name VPN-1_to_R2_via_DSL-2

ip route 172.20.110.0 255.255.255.0 Dialer 2 track 2 name VPN-2_to_R2_via_DSL-2

Hope that helps.

thanks

Rizwan Rafeek

Message was edited by: Rizwan Mohamed

View solution in original post

rizwanr74 · ‎06-05-2012

Hi there,

"So i set the default route through Dialer1 and the route heading to the IP of the Brach-Site (R.R.R.R) through Dialer2." This is not what you have done, below.

Your "ip route 0.0.0.0 0.0.0.0 Dialer2 50" will kick in only when "Dialer1 30" goes down, so tracking is doing what it supposed to do.

If you want to keep vpn-bound traffic on the dsl2 and web-browsing traffic on the dsl1, you do not need IP-SLA to begin with.

Keep your default route any any to Dialer1 and remote-lan segement route to Dialer2 and remote-vpn peer ip address must be routed to Dialer2 as well.

Please let me know, if this helps.

thanks

Rizwan Rafeek

secon-asc · ‎06-05-2012

Hi,

sorry for not explaining the tracking. I want failover for both lines. if one line fails, all should failover to the other line, therefore the ip sla are there...

could you give me a correct version of the "ip route" section of my config?

have i got to ad something like "ip route 192.168.40.0 255.255.255.0 Dialer2" ?

thanks!

rizwanr74 · ‎06-05-2012

Hi there,

Please try this...

ip sla 1

icmp-echo 4.2.2.2 source-ip 172.20.100.2

tag Check DSL-1

threshold 300

timeout 20000

frequency 10

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo R2.R2.R2.R2 source-ip interface dialer2

tag Check DSL-2

threshold 300

timeout 20000

frequency 10

ip route 0.0.0.0 0.0.0.0 name default-route Dialer1 track 1

ip route 0.0.0.0 0.0.0.0 name failover-default-route Dialer2 100

ip route R2.R2.R2.R2 255.255.255.255 name primary-path-vpn Dialer2 track 2

ip route R2.R2.R2.R2 255.255.255.255 name failover-path-vpn Dialer1 100

-------------------------------

This goes on your R2.

crypto isakmp key your-shared-keys-goes-here address R1.R1.R1.R1 no-xauth <--- 1st DSL public address

crypto isakmp key your-shared-keys-goes-here address R1.R1.R1.R1 no-xauth <--- 2nd DSL public address

crypto map VPN 10 ipsec-isakmpr

set peer R1.R1.R1.R1 default

set security-association idle-time 60 default

set peer R1.R1.R1.R1 <------------------- 1st DSL public address

set transform-set VPN_TS

match address VPN_1

You only need one crypto map instance on R2 destine to R1 and your default peer address will be your dsl2 primary (default) and other is secondary dsl1 and security-association must be deleted before R2 router initiate new tunnel with R1 again, so idle-time set to 60 upon default-peer to be deleted security association.

Please let me know, if this helps.

thanks

Rizwan Rafeek

Message was edited by: Rizwan Mohamed

secon-asc · ‎06-05-2012

hey,

yes i got almost the same working now.. but i only reach the other side if i do this:

ip route R2.R2.R2.R2 255.255.255.255 Dialer 2 track 2 name to_R2_via_DSL-2

ip route 192.168.40.0 255.255.255.0 Dialer 2 track 2 name VPN-1_to_R2_via_DSL-2

ip route 172.20.110.0 255.255.255.0 Dialer 2 track 2 name VPN-2_to_R2_via_DSL-2

ip route 0.0.0.0 0.0.0.0 Dialer1 track 1

ip route 0.0.0.0 0.0.0.0 Dialer2 100

do you think this is ok? I'm wondering because of the blod routes?

or do you think it's better to do this with VTIs?

rizwanr74 · ‎06-05-2012

Yes you can incorporate these below routes as well into track 2, however should track 2 fails you must have a failover route to dsl1, with higher cost route of 100.

ip route 192.168.40.0 255.255.255.0 Dialer 2 track 2 name VPN-1_to_R2_via_DSL-2

ip route 172.20.110.0 255.255.255.0 Dialer 2 track 2 name VPN-2_to_R2_via_DSL-2

Hope that helps.

thanks

Rizwan Rafeek

Message was edited by: Rizwan Mohamed

secon-asc · ‎06-05-2012

it will failover to the default route i guess. it seems to work now

thank you!

Edgardo Rodriguez · ‎03-12-2014

hello! This post is quite old but, actually fits 100 percent for my situation. Is there any solution without changing metrics?

I would like to keep two default routes with same admin distance...

thanks in advance!,

regards.