Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
541
Views
3
Helpful
1
Replies

How to build 2 dynamic VPN via 2 WAN interface to same peer ip?

Tzy Chun Chong
Level 1
Level 1

‎04-16-2015 01:01 AM

Hi Experts.

I got a IOS router with 2x 3G Cellular interfaces. Our plan is to use 1 Cellular for user data and another Cellular for managment traffic. We plan to build the 2x dynamic VPN (since the 3G are dynamic WAN IP) to the HQ ASA firewall.

My question is below.

How I can ensure the management traffic can triggered the second VPN tunnel via Cellular 0/2/0(2nd link) if the peer ip are the same ASA firewall outside( public) IP?

The default route are preferred over to Cellular 0/1/0, so the routing to 27.124.85.128 will follow cellular0/1/0. Problem is how I can make the second policy use the Cellular0/2/0 interface since I can't specify the source interface? When ACL102 matches it triggered the policy for VPN establishing target to 27.124.85.128 and again it will use the Cellular0/1/0 to build the dynamic VPN since this is the preferred egress interface.

How to build 2nd VPN via different WAN interface if it is pointing to the same peer ip?

 

crypto map USER_DATA 2 ipsec-isakmp
 description Dynamic MGMT Tunnel to FW-BELM
 set peer 27.124.85.128 (sample IP)
 set transform-set myset
 match address 101
!

crypto map MGMT_LINK 2 ipsec-isakmp
 description Dynamic MGMT Tunnel to FW-BELM
 set peer 27.124.85.128
 set transform-set myset
 match address 102
!

Labels:
0 Helpful
1 Reply 1

Abhishek Purohit
Level 1
Level 1

‎04-16-2015 07:51 AM

Hi Tzy,

 

Two tunnels for same traffic on a same device is not possible but you can configure a redundancy for the 2 cellular links for the same traffic.

 

But if the traffic are different for both the ACLs, the the tunnels should come up but you need to define routes as to which traffic would use what interface.

if there is a def route pointing to interface cell0/0/1 then all traffic will be taken using that interface, and you would then need to define either a static route for access-list 102 or a route-map to direct the traffic to the cell0/0/2 interface.

 

On the ASA, you just need to configure the settings for a dynamic VPN tunnel.

 

Hope that helps.

 

Cheers,

Abhi

 

Regards, Abhishek Purohit CCIE-S- 35269
Customers Also Viewed These Support Documents