Configure multiple site-to-site vpn

jpfnc@2011
Level 1

Hello there

I want to configure 2 VPNs between the same routers, as follows:

R1-G0/0<---VPN1-->R2-G0/0

R1-Lo   <--VPN2--->R2-Lo0

In this configuration, VPN1 is up, but not VPN2.

All IPs are routable and pingable from both sides.

Can someone help me?

Thanks

JP



Jouni Forss
VIP Alumni

Hi,

To my understanding, having 2 L2L VPNs with the same peer IP addresses is impossible. Or is my memory just from some equipment that doesn't support it?

Anyway, it does seem needless to have 2 separate VPN connections if they both share the peer addresses.

Why have you configured 2 L2L VPN connections between the same 2 devices?

- Jouni

Hi Jouni,

Actually the first VPN is working well, but I need to move traffic to the second VPN to avoid disturbing traffic (or disturb it less).

Once the second VPN is OK, then I can remove the first one.

If you have an idea.

Thanks

JP

Hi again Jouni,

For your information, each VPN has its own peer and its own interface.

On R1, I have:

C#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: port 500
  IKEv1 SA: local /500 remote /500 Active
  IPSEC FLOW: permit 47 host host
        Active SAs: 2, origin: crypto map

Interface: Loopback1
Session status: DOWN
Peer: port 500
  IPSEC FLOW: permit 47 host host
        Active SAs: 0, origin: crypto map
C#

JP

If I understand:

R1-G0/0<---VPN1-->R2-G0/0

R1-Lo   <--VPN2--->R2-Lo0

Assuming you have only 1 egress interface [gig0/0], then it's something you can't achieve by using crypto maps:

1- A crypto map is an egress feature that gets configured on the egress interface

2- Crypto maps do not work on loopback interfaces [not supported]

3- A specific crypto map cannot have multiple local-addresses

If you want to make this work, then you will have to use two sets of tunnel interfaces with tunnel protection.

Cheers,

Olivier

CCIE Security #20306

I understand

Is there any sample configuration or link using tunnel protection that you can recommend to me?

Thanks

JP

Hey Jean-Paul,

Something like:

crypto ipsec profile tunnel1
set transform-set

crypto ipsec profile tunnel2
set transform-set

interface tunnel1
ip address 255.255.255.252
tunnel source
tunnel destination
tunnel protection ipsec profile tunnel1

interface tunnel2
ip address 255.255.255.252
tunnel source
tunnel destination
tunnel protection ipsec profile tunnel2

And of course the same thing inverted on the remote device.

Hello

Thanks for your assistance.

Actually I use a crypto map for the first VPN, which is up/up.

I then configured tunnel protection on the second VPN and applied 2 different EIGRP peers in these tunnels. Both VPNs are up.

RT1#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0.1207
Session status: UP-ACTIVE
Peer: port 500
  IKEv1 SA: local /500 remote /500 Active
  IPSEC FLOW: permit 47 host host
        Active SAs: 2, origin: crypto map

Interface: Tunnel20
Session status: UP-ACTIVE
Peer: 37.200.104.2 port 500
  IKEv1 SA: local /500 remote /500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
RT1#

RT1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.50.1.2               Tu10                     10 3d05h     338  2028  0  368
EIGRP-IPv4 Neighbors for AS(2)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.50.1.6               Tu20                     10 00:25:53  339  2034  0  2
RT1#

As the SAME policies are applied to the EIGRP sessions on both sides, we should receive the same routes on both sessions. At this stage I receive only routes from tunnel10.

RT1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 223.29.159.46 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 20 subnets, 5 masks
D EX     10.23.1.248/32 [170/26882560] via 10.50.1.2, 01:36:40, Tunnel10
D EX     10.23.5.0/24 [170/26882560] via 10.50.1.2, 01:36:40, Tunnel10
      172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX     172.20.2.0/24 [170/26882560] via 10.50.1.2, 01:36:40, Tunnel10
RT1#

So my questions:

* Why do I receive only prefixes from tunnel10?

* Does the second tunnel also accept multicast packets (or do I also need to add "ip pim sparse-mode")?

Thanks for your answer

JP

Just a sanity check.

You can ping 10.50.1.6 across the VPN, right?

Is EIGRP properly configured on the remote end?

Can you share the config?

Hello,

Here is the config for RT1.

RT1
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
crypto isakmp key key1 address
crypto isakmp key key2 address
!
!
crypto ipsec transform-set myincset esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set TSC esp-3des esp-sha-hmac
!
crypto ipsec profile PC
set transform-set TSC
!
!
crypto ipsec profile myincprofile
!
!
!
crypto map myincmap 10 ipsec-isakmp
set peer
set transform-set myincset
match address 100
!
!
interface Tunnel10
ip address 10.50.1.1 255.255.255.252
ip pim sparse-mode
tunnel source GigabitEthernet0/0
tunnel destination
!
interface Tunnel20
ip address 10.50.1.5 255.255.255.252
ip pim sparse-mode
tunnel source GigabitEthernet0/2
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile PC
!
!
interface GigabitEthernet0/0
ip address
crypto map myincmap
!
!
interface GigabitEthernet0/2
ip address
!
!
access-list 100 permit gre host host
!

I can ping both sides of the subnets 10.50.1.0/30 and 10.50.1.4/30.

Both VPNs are UP:

RT1#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: port 500
  IKEv1 SA: local /500 remote /500 Active
  IPSEC FLOW: permit 47 host host
        Active SAs: 2, origin: crypto map

Interface: Tunnel20
Session status: UP-ACTIVE
Peer: port 500
  IKEv1 SA: local /500 remote /500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
RT1#

and the following eigrp 1 routing table:

D EX     10.23.1.248/32 [170/26882560] via 10.50.1.2, 05:11:27, Tunnel10
D EX     10.23.5.0/24 [170/26882560] via 10.50.1.2, 05:11:27, Tunnel10
      172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX     172.20.2.0/24 [170/26882560] via 10.50.1.2, 05:11:27, Tunnel10

To switch from tunnel10 to tunnel20, I added a low bandwidth on tunnel10 on both sides. So on both sides all prefixes are switched to tunnel20.

Should this be a good configuration?

Thanks

JP

Crypto config looks good.

So basically you have a different EIGRP metric between the interfaces. You need to make sure the metric is the same if you want equal load balancing.

If you want unequal load balancing then you could use the following config:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009437d.shtml
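The last exchanges hinge on EIGRP path selection: JP sees the prefixes only via Tunnel10, moves them all to Tunnel20 by lowering the bandwidth on Tunnel10, and is then told that equal metrics give equal-cost load balancing while variance is needed for unequal. The added example below (not from the thread, nor Cisco's code) models that with the classic EIGRP composite metric; the bandwidth and delay values are assumptions chosen so the result reproduces the 26882560 metric in the show ip route output above, and the scenario function, neighbour addresses aside, is constructed.

```python
from dataclasses import dataclass

def eigrp_metric(min_bw_kbps: int, delay_tens_us: int) -> int:
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1)."""
    return 256 * (10_000_000 // min_bw_kbps + delay_tens_us)

@dataclass(frozen=True)
class Advert:
    """A prefix as learned from one neighbour over one tunnel interface."""
    interface: str
    next_hop: str
    adv_bw_kbps: int    # minimum bandwidth the neighbour advertises for the path
    adv_delay: int      # cumulative delay it advertises, tens of microseconds
    local_bw_kbps: int  # bandwidth of the tunnel the advertisement arrived on
    local_delay: int    # delay of that tunnel, tens of microseconds

    def reported_distance(self) -> int:
        return eigrp_metric(self.adv_bw_kbps, self.adv_delay)

    def feasible_distance(self) -> int:
        return eigrp_metric(min(self.adv_bw_kbps, self.local_bw_kbps),
                            self.adv_delay + self.local_delay)

def installed_paths(adverts, variance=1, maximum_paths=4):
    """Interfaces through which EIGRP installs the prefix, best first.

    Successor = lowest FD. Another path is loop-free (feasible successor) only
    if its RD < successor FD, and is installed only if FD <= variance * successor FD.
    """
    succ = min(adverts, key=Advert.feasible_distance)
    keep = [a for a in adverts if a is succ or
            (a.reported_distance() < succ.feasible_distance()
             and a.feasible_distance() <= variance * succ.feasible_distance())]
    keep.sort(key=Advert.feasible_distance)
    return [a.interface for a in keep[:maximum_paths]]

def rt1_scenario(tunnel10_bw=100, tunnel20_bw=100, variance=1):
    """Constructed scenario: R2 advertises one external prefix over both tunnels.

    Assumed: R2 advertises bandwidth 100000 kbps / delay 10 (a FastEthernet
    origin); tunnels keep the IOS defaults of 100 kbps and delay 5000 (50000 us),
    so RT1 computes 256 * (100000 + 5010) = 26882560 as in the thread.
    """
    adverts = [Advert("Tunnel10", "10.50.1.2", 100000, 10, tunnel10_bw, 5000),
               Advert("Tunnel20", "10.50.1.6", 100000, 10, tunnel20_bw, 5000)]
    return installed_paths(adverts, variance)
```

With equal tunnel bandwidth both interfaces are installed; lowering Tunnel10 to 50 kbps, as JP did, leaves only Tunnel20 unless variance 2 is configured.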
