12-08-2003 03:29 AM - edited 02-21-2020 12:54 PM
Hi,
R1 has one interface and R2 has 2 interfaces; all interfaces are accessible from the Internet.
Currently I have managed to build IPsec between R1 & R2 on interface one.
For redundancy I would like to build dual tunnels between the 2 sites. This means the R1 crypto map will have two peers pointing to different interface IPs.
Will it work for both manual IPsec and IKE mode, or does it work for IKE only?
I tried it with manual IPsec; it does not work and an error message about a duplicate SA appears.
Thanks
ROUTER 1
----------
crypto map Node15 21 ipsec-manual
 set peer 203.92.2.A
 set session-key inbound esp 303 cipher xxxxx authenticator xxxxx
 set session-key outbound esp 302 cipher xxxxx authenticator xxxxx
 set transform-set ESP_md5_des
 match address 121
crypto map Node15 22 ipsec-manual
 set peer 203.92.2.B
 set session-key inbound esp 403 cipher xxxxx authenticator xxxxxx
 set session-key outbound esp 402 cipher xxxxx authenticator xxxxx
 set transform-set ESP_md5_des
 match address 121
interface fas0/0
 crypto map Node15
ROUTER 2
------------
crypto map Node16 21 ipsec-manual
 set peer 203.92.1.A
 set session-key inbound esp 302 cipher xxxxx authenticator xxxxx
 set session-key outbound esp 303 cipher xxxxxx authenticator xxxxx
 set transform-set ESP_md5_des
 match address 121
crypto map Node16 22 ipsec-manual
 set peer 203.92.1.A
 set session-key inbound esp 402 cipher xxxxx authenticator xxxxx
 set session-key outbound esp 403 cipher xxxxx authenticator xxxxx
 set transform-set ESP_md5_des
 match address 121
interface fas0/1
 crypto map Node16
interface fas0/2
 crypto map Node16
12-08-2003 05:29 AM
Hi,
You can write multiple peers for a crypto map when using IKE. For example:
crypto map Node15 21 ipsec-isakmp
 set peer 203.92.2.A
 set peer 203.92.2.B
 ...
Or there is another way: you can use a loopback interface on R2 as the tunnel endpoint. First define a loopback interface on R2, for example loopback1. Then enter the command "crypto map Node16 local-address Loopback1" on R2 and apply your crypto map to both interfaces. Then on R1, make only one crypto map entry and set the peer address to R2's loopback1 address.
The command "crypto map Node16 local-address Loopback1" changes the tunnel endpoint address on R2.
Hope this helps...
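A fuller worked configuration of the loopback approach from the reply above, covering both routers, as an added example that is not part of the thread. The loopback address 192.0.2.1, the pre-shared key placeholder, the ISAKMP policy values, the keepalive line and the contents of ACL 121 are assumptions; the peer addresses and transform-set name are the thread's own.

```cisco
! ---- R2: two Internet-facing interfaces, one tunnel endpoint ----
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key PLACEHOLDER-PSK address 203.92.1.A
! Dead-peer detection so a failed path is noticed and SAs are rebuilt
crypto isakmp keepalive 10 3
!
! Same DES/MD5 transform as the thread; esp-aes / esp-sha-hmac are the modern choice
crypto ipsec transform-set ESP_md5_des esp-des esp-md5-hmac
!
! ACL 121 is not shown in the thread; constructed LAN-to-LAN example
access-list 121 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
interface Loopback1
 ip address 192.0.2.1 255.255.255.255
!
! All IKE/IPsec traffic for this map is sourced from Loopback1
crypto map Node16 local-address Loopback1
crypto map Node16 21 ipsec-isakmp
 set peer 203.92.1.A
 set transform-set ESP_md5_des
 match address 121
!
interface FastEthernet0/1
 crypto map Node16
interface FastEthernet0/2
 crypto map Node16
!
! ---- R1: single interface, peers with R2's loopback only ----
! R1 needs a route to 192.0.2.1 that is valid via either R2 interface
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.1
crypto isakmp keepalive 10 3
crypto ipsec transform-set ESP_md5_des esp-des esp-md5-hmac
access-list 121 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map Node15 21 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP_md5_des
 match address 121
interface FastEthernet0/0
 crypto map Node15
```

Because R2 sources IKE and ESP from Loopback1, R1 keeps a single peer and the choice of physical path on R2 is left to routing, which is what gives the redundancy; without a reachable route to the loopback from R1 the tunnel never negotiates.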