Solved: Dual ISP Dual VPN Redundancy ISR 4431

JimBCC · ‎09-04-2019

I have a head end FW(HQFW) that I am trying to create a VPN to from a ISR 4431. I have dual ISP's on the ISR4431 and need to create 2 VPN's back to the HQFW. I have created a Tunnel0 which a /30 IP that can communicate back to the HQ and also provide OSPF routes.**Working

The second tunnel (Tunnel1) needs to go back to HQFQ but this is where I am having issues

The problem is that I have to terminate on the same public IP on HQFW and I have a single route on the ISR4431 that points to go out 1 of the ISP interfaces. It appears that the other tunnel will not come unless the other route goes away. It seems to me that I need to use a VRF but not sure how and where that would be implemented out so that I can still run OSPF across both links.

Rob Ingram · ‎09-05-2019

Ok, you'll need to define a keyring and tie that to the VRF, the keyring then needs referencing in an ISAKMP profile.

crypto keyring KEYRING vrf ISP_A
pre-shared-key address 15.15.15.15 key !@!@!@!@

crypto isakmp profile ISAKMP_PROF
vrf CUST-A
keyring KEYRING
match identity address 15.15.15.15 255.255.255.255 ISP_A

HTH

View solution in original post

Rob Ingram · ‎09-04-2019

Hi,

It sounds like you are referring to a Front Door VRF. Here is an example of fVRF. You'll probably need to create 2 fVRF and then define a default route in each of the VRF for the 2 ISPs.

Any problems, post your configuration.

HTH

JimBCC · ‎09-04-2019

I looked at the vrf stuff and this is what I came up with. Here is a small blurb from my config.

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key *SECRETKEY* address 1.1.1.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TS
!
!
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.252
ip vrf forwarding CUST-A
tunnel source 2.2.2.2
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel vrf ISP_A
tunnel protection ipsec profile VTI

interface GigabitEthernet0/0/2
description ISP_A
ip vrf forwarding ISP_A
ip address 2.2.2.2 255.255.255.248
no ip unreachables
zone-member security Internet
negotiation auto

ip route vrf ISP_A 1.1.1.1 255.255.255.255 2.2.2.1

But the debugs tells me that it does not have a Cert or Pre-shared key.

ISAKMP: (0):Can not start Aggressive mode, trying Main mode.

ISAKMP-ERROR: (0):No pre-shared key with 1.1.1.1!

ISAKMP-ERROR: (0):No Cert or pre-shared address key.

ISAKMP-ERROR: (0):construct_initial_message: Can not start Main mode

Tunnel wont come up.

Rob Ingram · ‎09-05-2019

Ok, you'll need to define a keyring and tie that to the VRF, the keyring then needs referencing in an ISAKMP profile.

crypto keyring KEYRING vrf ISP_A
pre-shared-key address 15.15.15.15 key !@!@!@!@

crypto isakmp profile ISAKMP_PROF
vrf CUST-A
keyring KEYRING
match identity address 15.15.15.15 255.255.255.255 ISP_A

HTH

JimBCC · ‎09-05-2019

Thanks for all your help. The keychain solved my issue. Since I put the Tunnel0 into a vrf the key does not need to be in that VRF only the tunneled VRF.

crypto keyring KEYRING vrf ISP_A
pre-shared-key address 15.15.15.15 key !@!@!@!@

crypto isakmp profile ISAKMP_PROF_ISPA
keyring KEYRING
match identity address 15.15.15.15 255.255.255.255 ISP_A