891 Router with two internet feeds both doing an IPSec VPN to one peer...how to route?

jasonhumes
Level 1

Hi

We are trying to set up a router with two internet feeds, both of them doing IPsec VPNs back to a single peer...one of these VPNs is for VOICE traffic and the other is for DATA traffic...we have a default route set out one Internet feed, which is the primary feed used for outbound browsing and the data VPN.  The only other routes on this router are two static routes for the destination private subnets at the remote end but pointing to each feed's respective default gateway...I would have thought this would work, but only the data VPN is coming up and the voice seems to stay down due to not having a proper route?

If I set a static route for the remote peer out the voice internet feed, then the data VPN would drop...should I apply a policy based route on each of the inside interfaces, voice and data, setting the ip default next hop to their respective default gateways?

Thanks for any help.

Cheers

J


Jeff Van Houten
Level 5

You didn't mention what tech you used to create the tunnels, but if they are not coming up, that sounds like the ACLs are not correct. ACLs define interesting traffic. If properly set, I don't see why you couldn't use one tunnel for voice and the other for data.

Hi

Either via maps or tunnel interfaces, the ACLs are correct, because if I switch the default or static route to the peer, one tunnel or the other works. Would setting two default gateways or static routes to the peer work perhaps? Only the data interface is configured for NAT, so the second static route should only affect the traffic matching the voice VPN ACL.

I'm going to try this and see how it goes.

Thanks

J

Jason Humes

Applied Computer Solutions Inc.

3020 St. Etienne Blvd.

Windsor, ON

N8W 5E6

Ph. 519/944-4300

Fx. 519/944-4247

jhumes@acs.on.ca

Hello Jason,

This is definitely a PBR scenario. As you said, you need to configure PBR on both interfaces because, as you know, you can only have one default route in your routing table... So you will need to create a policy for the PBR to work so each type of traffic (data and voice) will go to the right gateway.

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hrrrm, that's what I'm trying with set default ip next hop and it's not working...the voice tunnel just shows errors until you actually configure a real static route to the peer out the second feed or a default route out the second feed. How should my ACL for the PBR look...right now it just has each private subnet pair...should I also include each peer public IP?

Cheers

Jason


Or would I also need a third PBR applied to the second feed's public interface, with only the second feed's public IP and the peer public IP, so that router to router communication works…I think this is where it's failing: the initial establishment is failing because the PBR doesn't affect that traffic, it seems. I feel like I'm missing something very simple/obvious ☹

There must be a way to get both of these tunnels up as I swear I’ve done it once before but I can’t find that darn config anyplace…of course.

Thanks

Jason

Just a heads up…two static routes to the same peer, with no policy routing, is what made this work…thanks ☺

Jason
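A constructed Cisco IOS sketch of the arrangement the thread ends on (one crypto map sourced from each WAN interface, interesting-traffic ACLs holding only the private subnet pairs, and a static host route to the peer out each feed); this is an added illustration, not the poster's configuration, and every address, interface name, ACL name and map name in it is assumed.

```text
! Added illustration, not the original poster's config. All addresses,
! interface names, ACL names and map names are assumed placeholders.
! Gi0 = data feed (carries the default route and NAT), Gi1 = voice feed.
! Remote peer 203.0.113.1; remote data subnet 10.10.0.0/24,
! remote voice subnet 10.20.0.0/24; local data 192.168.10.0/24,
! local voice 192.168.20.0/24.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! Interesting traffic: one ACL per tunnel, private subnet pair only
ip access-list extended DATA-VPN
 permit ip 192.168.10.0 0.0.0.255 10.10.0.0 0.0.0.255
ip access-list extended VOICE-VPN
 permit ip 192.168.20.0 0.0.0.255 10.20.0.0 0.0.0.255
!
! Each crypto map sources IKE/IPsec from its own WAN interface
crypto map DATA-MAP local-address GigabitEthernet0
crypto map DATA-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address DATA-VPN
crypto map VOICE-MAP local-address GigabitEthernet1
crypto map VOICE-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VOICE-VPN
!
interface GigabitEthernet0
 description Data Internet feed
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map DATA-MAP
interface GigabitEthernet1
 description Voice Internet feed
 ip address 192.0.2.2 255.255.255.252
 crypto map VOICE-MAP
!
! Default route out the data feed, remote subnets via their own feed,
! and (as the thread concluded) a static route to the peer out EACH feed
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.10.0.0 255.255.255.0 198.51.100.1
ip route 10.20.0.0 255.255.255.0 192.0.2.1
ip route 203.0.113.1 255.255.255.255 198.51.100.1
ip route 203.0.113.1 255.255.255.255 192.0.2.1
```

Check with `show ip route 203.0.113.1` that both next hops are installed for the peer and with `show crypto session` that both tunnels report UP-ACTIVE.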