06-15-2012 09:28 AM
We've got two 1800 routers connected via IPSEC VPN using a tunnel interface. The router at the branch office is using a T1 on Serial0/0/0 and we'd like to connect DSL service to Fa0/1 as a backup.
Now, the problem I see is that we use static routing. On the branch router it has a default route pointing to the original Tunnel interface that uses the T1 line. Then it has several other static routes pointing to the serial interface itself. I tried an experiment creating floating static routes that would bounce to a second Tunnel interface or the Fa0/1 interface if the first failed; however, I don't think that works correctly. I tried shutting down the serial interface (wisely scheduling a reload for a couple of minutes later), but the second tunnel never came up.
I'm sure there is a better way of doing this and would appreciate any pointers.
Thanks!
06-15-2012 10:11 AM
Hi Ken,
Please read the thread below; a solution has already been provided for a similar problem.
https://supportforums.cisco.com/message/3652744#3652744
Please feel free to ask questions.
Hope that helps.
Thanks
Rizwan Rafeek.
06-18-2012 01:11 PM
I guess I'm still confused. That solution seems a little more complex than what I'm trying to do.
Here is what I understand:
1. Develop an SLA to monitor a connection on the primary interface.
2. Configure static default routes: the first points to the default interface and is tracking the SLA; the second goes to the backup interface and has a metric so that it only becomes active should the default fail or should the tracking be interrupted.
Where I get confused is in regards to the VPN Tunnels. Here's the relevant current config of the main site-to-site router:
! IP1 = the branch router's T1 (Serial0/0/0) address, the only peer known here
crypto isakmp key mycryptokey address IP1.IP1.IP1.IP1
!
crypto map mymap 30 ipsec-isakmp
 set peer IP1.IP1.IP1.IP1
 set transform-set ESP-DES-MD5
 match address 154
!
interface TunnelA
 ip address 192.168.154.1 255.255.255.252
 ip mtu 1476
 ip route-cache flow
 tunnel source FastEthernet0/1
 tunnel destination IP1.IP1.IP1.IP1
 crypto map mymap
Here's the config on the branch router:
crypto isakmp policy 1
 hash md5
 authentication pre-share
! IP2 = the main office router's Fa0/1 address
crypto isakmp key mycryptokey address IP2.IP2.IP2.IP2
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!
! local-address pins every entry of "mymap" to the T1 address
crypto map mymap local-address Serial0/0/0
crypto map mymap 10 ipsec-isakmp
 set peer IP2.IP2.IP2.IP2
 set transform-set ESP-DES-MD5
 match address 199
!
interface TunnelA
 ip address 192.168.154.2 255.255.255.252
 ip access-group 140 out
 ip mtu 1476
 ip route-cache flow
 tunnel source Serial0/0/0
 tunnel destination IP2.IP2.IP2.IP2
 crypto map mymap
And the current default route on the branch router is:
ip route 0.0.0.0 0.0.0.0 TunnelA
So I know that what I will eventually need on the branch router is something like this:
ip route 0.0.0.0 0.0.0.0 TunnelA track 1
ip route 0.0.0.0 0.0.0.0 TunnelB 10
My question is, in regards to using tunnels: is there anything special I need to do aside from having two tunnel interfaces (one utilizing the T1 interface and one utilizing the DSL Fa0/1 interface) on each end (one the primary, one the secondary), and can I share the same crypto key and crypto map for the two tunnels, or do I need to create separate ones?
Thanks!
06-19-2012 08:25 PM
Hi Ken,
I am sorry for the late reply. I have been so busy with things on my plate at work, and in between I try to help out others on the Cisco Support Community.
Your question below...
"can I share the same crypto key and crypto map for the two tunnels,"
Yes, you can use the same key, because the remote peer's IP is the same as far as your branch router is concerned.
But as for your crypto map name: "mymap" can be the same; however, the crypto instance or index number must be different, because you would map crypto "mymap" to a different public address as the source interface.
"crypto map mymap 20 ipsec-isakmp"
Since TunnelB creates a new tunnel to the main office, you have to create an additional tunnel interface there as well, at the main office, on a different subnet to peer with the branch office.
Hope that answers your question.
thanks
Rizwan Rafeek
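The two-step outline earlier in the thread (an SLA probe plus a tracked default route and a floating one) and the answer above (a second crypto map entry and a second tunnel interface at each end) can be combined into one configuration. The following is an added worked example, not configuration posted by anyone in the thread. It assumes things the thread does not state: the branch DSL interface Fa0/1 has a static public address IP3 with provider gateway DSL_GW; TunnelB uses 192.168.155.0/30; the branch LAN is 192.168.10.0/24; access lists 198 and 153 are new crypto ACLs in the usual `permit gre host <local> host <peer>` form; the crypto maps are applied to the physical WAN interfaces; and both routers run an IOS image with `tunnel route-via` and the `ip sla` / `track ... ip sla` syntax (12.4(11)T or later; older images spell these `ip sla monitor` and `track 1 rtr 1 reachability`). Anything tagged IP1, IP2, IP3 or DSL_GW is a placeholder.

```cisco
! ===== Branch router: additions (existing TunnelA and mymap 10 stay as they are) =====
! Placeholders (not from the thread): IP3 = public address on Fa0/1,
! DSL_GW = the DSL provider's next hop, 192.168.10.0/24 = branch LAN.
!
! Crypto ACL for the backup tunnel: GRE from the DSL address to the main office.
access-list 198 permit gre host IP3 host IP2
!
! A second map NAME, not only a second sequence number: "crypto map <name>
! local-address" binds every entry of that map to one address, and mymap is
! already bound to Serial0/0/0.
crypto map mymap-dsl local-address FastEthernet0/1
crypto map mymap-dsl 10 ipsec-isakmp
 set peer IP2
 set transform-set ESP-DES-MD5
 match address 198
!
interface Serial0/0/0
 crypto map mymap
!
interface FastEthernet0/1
 ip address IP3 255.255.255.252
 crypto map mymap-dsl
!
interface TunnelB
 ip address 192.168.155.2 255.255.255.252
 ip access-group 140 out
 ip mtu 1476
 tunnel source FastEthernet0/1
 tunnel destination IP2
 ! Both tunnels point at IP2; force this one's GRE packets out the DSL link.
 tunnel route-via FastEthernet0/1 mandatory
!
interface TunnelA
 tunnel route-via Serial0/0/0 mandatory
!
! Underlay: keep BOTH paths to IP2 installed (same AD, so both stay in the
! table); route-via decides which one each tunnel may use.
ip route IP2 255.255.255.255 Serial0/0/0
ip route IP2 255.255.255.255 FastEthernet0/1 DSL_GW
!
! Probe the far end of TunnelA, sourced from TunnelA, so a reply can only
! arrive if the T1 path carries traffic end to end (not just link-up).
ip sla 1
 icmp-echo 192.168.154.1 source-interface TunnelA
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Tracked primary default; the AD 10 floating route takes over when track 1 fails.
no ip route 0.0.0.0 0.0.0.0 TunnelA
ip route 0.0.0.0 0.0.0.0 TunnelA track 1
ip route 0.0.0.0 0.0.0.0 TunnelB 10

! ===== Main office router: additions =====
! The branch now also peers from IP3, so it needs its own key entry, ACL and map entry.
crypto isakmp key mycryptokey address IP3
access-list 153 permit gre host IP2 host IP3
crypto map mymap 40 ipsec-isakmp
 set peer IP3
 set transform-set ESP-DES-MD5
 match address 153
!
interface FastEthernet0/1
 crypto map mymap
!
interface TunnelB
 ip address 192.168.155.1 255.255.255.252
 ip mtu 1476
 tunnel source FastEthernet0/1
 tunnel destination IP3
!
! Symmetric tracking: without it, return traffic keeps using TunnelA and is
! black-holed while the branch is already sending over TunnelB.
ip sla 1
 icmp-echo 192.168.154.2 source-interface TunnelA
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
ip route 192.168.10.0 255.255.255.0 TunnelA track 1
ip route 192.168.10.0 255.255.255.0 TunnelB 10
```

Three design points in this example are worth checking against any real deployment. First, both branch tunnels have the same destination IP2, so a plain floating route for IP2 is not enough: while the T1 is up, the backup tunnel's GRE packets would still be routed over the T1, which is one common reason a backup tunnel never comes up; `tunnel route-via ... mandatory` with both underlay routes installed pins each tunnel to its own link. Second, the probe targets the far tunnel address and is sourced from TunnelA, so it fails when the T1 is up at layer 2 but dead upstream, and it cannot accidentally succeed over the DSL path. Third, the main office needs its own tracked and floating routes toward the branch LAN; verify failover with `show track 1`, `show ip route 0.0.0.0`, `show crypto isakmp sa` and `show crypto ipsec sa` on both sides after unplugging the T1 rather than shutting the interface, since a shutdown tests only the link-down case.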