How to redundant VPN

joe.groess
Level 1

I have two sites with 2921 IPSec Routers. Each router has 3 ethernet interfaces. One LAN, one Internet, and one Ethernet based private circuit.

I need to do site to site VPN between these routers, over the private circuit. However, that circuit fails on rare occasion, so I want to have a failover VPN to go over the Internet as a backup.

It doesn't matter to me if it's primary / secondary failover or if it's load balanced with failover. What is critical is if one circuit fails, my remote site continues to communicate with the main office.

HSRP looks like I need two routers and the HSRP protocol monitors multiple LAN interfaces, and I only have the one.

I've opened a case with TAC, but it's been a week without any progress.

Surely this isn't that difficult to do.


18 Replies

ALIAOF_
Level 6

Use EIGRP or OSPF; if traffic over one VPN fails, the routing protocol will reconverge and send it over the second VPN. I had this kind of setup at one of my jobs, approximately 200 VPNs like this. EIGRP convergence was really fast. We would drop like one or two packets, at times none.

There has to be more to it than this.

So when using EIGRP, how do I tell it to.....

A. Use G0/0 as primary, and G0/1 as secondary.

B. How do I set it so that if it fails over to G0/1, that as soon as G0/0 becomes available, it uses G0/0 instead?

You don't tell it, if you have EIGRP implemented in your network it will automatically detect that the route via Primary VPN no longer exists and will know about the route through the secondary VPN and it will automatically start using that route.

EIGRP will choose the best route so if your point to point circuit has a decent bandwidth and you have the interfaces configured properly then that will be the route EIGRP will choose. 

Before you even get to EIGRP and/or OSPF, you need to set up GRE/IPSec between them. Then you use either EIGRP or OSPF to control the route. Now if you want to make the private circuit the primary link, just give it a lower metric than the Internet.

That way, the GRE/IPSec is just a transport mechanism while routing controls the path it will take. In this case, failover VPN between the private circuit and the Internet is transparent and automatic.

Easy right?

Hello,

An example from CCO:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/2_p2pGRE_Phase2_external_docbase_0900e4b180a3efee_4container_external_docbase_0900e4b180ad8740.html#wp117385

You can use either GRE or IPsec mode ipv4. GRE allows you to encapsulate anything [CDP - IPv4 - IPv6] without any impact on scalability.

Cheers.

I have not gotten this to work, and it's frustrating trying to make the same goal with different technologies.

The TAC person I'm working with has me trying to do this with SLA. Which I thought I understood, but still cannot get it to work.

The config posted by olpeleri looks like it should work, but it's going to require a whole new config than the road I've been going down.

I'm seriously disappointed with my TAC engineer.

Just wondering what's the case id?

I don't really want to open a can of worms here. But I do need to make progress on this issue.

Case #623385665

I'm going to back up my current config using SLA, and try to work off the config example you provided. Hopefully I can make a bit of progress today.

OK, stuck.

I'm following the document you posted, and I get lost on the tunnel interface configuration. Mostly because I don't know where that IP I'm assigning to the tunnel comes from.

I have a LAN interface and a WAN interface on the router. I'm assuming the IPs I use as endpoints for the tunnel are the LAN interfaces.

So when I create the tunnel interface, it has a different IP, I don't know if this is a made up IP, or should be associated to a segment on my LAN or WAN interface. Just confused here.

Hey Joe,

It's a bit past 22:00 here in Europe. Let me prepare you some annotated templates tomorrow. That should help you understand what to configure and why.

Cheers

Olivier

Let's imagine 2 routers. [Here I don't use a legacy config based on crypto maps.]

R100
E0/0 WAN1 IP 1.1.1.1 next-hop 1.1.1.2
E0/1 WAN2 IP 1.1.1.5 next-hop 1.1.1.6

R102
E0/0 WAN1 2.2.2.6 next-hop 2.2.2.5
E0/1 WAN2 2.2.2.2 next-hop 2.2.2.1

R100 config

Firstly we configure the isakmp policy.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2

Then we define the pre-shared-keys for the peer IP's and other settings

crypto isakmp key cisco address 2.2.2.6
crypto isakmp key cisco address 2.2.2.2
crypto isakmp keepalive 60 5

We create an ipsec profile

crypto ipsec transform-set HIGH-ENCRYPTION esp-aes 256 esp-sha-hmac
!
crypto ipsec profile tp
 set transform-set HIGH-ENCRYPTION

Let's make sure the routing is right.

We should be able to reach the Tunnel0 destination via the WAN1 [e0/0] interface.

ip route 2.2.2.6 255.255.255.255 1.1.1.2 name R102_WAN1_VIA_ETH0

The Tunnel1 destination should be reachable via the WAN2 [e0/1] interface.

ip route 2.2.2.2 255.255.255.255 1.1.1.6 name R102_WAN2_VIA_ETH1

Now we can create the tunnel and bind the ipsec profile to it.

The ip address configured on the tunnel will be used for the eigrp neighborship later on

Tunnel source is the WAN1 ip address

Tunnel destination is the WAN1 ip address of the remote router [Tunnel0 traffic will use the WAN1 interface]

interface Tunnel0
 ip address 10.10.10.9 255.255.255.252
 ip mtu 1400
 tunnel source Ethernet0/0
 tunnel destination 2.2.2.6
 tunnel protection ipsec profile tp

!

The ip address configured on the tunnel will be used for the eigrp neighborship later on

Tunnel source is the local WAN2 ip address

Tunnel destination is the WAN2 ip address of the remote router

[Tunnel1 traffic will use the WAN2 interface]

interface Tunnel1
 ip address 10.10.10.2 255.255.255.252
 ip mtu 1400
 tunnel source Ethernet0/1
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile tp

!

Last we configure the routing protocol on that box.

router eigrp 100
 network 10.10.10.0 0.0.0.3 ! Tunnel subnet to form eigrp adjacency
 network 10.10.10.8 0.0.0.3 ! Tunnel subnet to form eigrp adjacency
 network 192.168.100.0 ! My local lan subnet to advertise

R102 config


Crypto config; here of course the PSK entries use the addresses of the other side.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.1
crypto isakmp key cisco address 1.1.1.5
crypto isakmp keepalive 60 5
crypto ipsec transform-set HIGH-ENCRYPTION esp-aes 256 esp-sha-hmac
!
crypto ipsec profile tp
 set transform-set HIGH-ENCRYPTION

Routing is adapted accordingly

WAN1 peer ip via WAN1 interface

WAN2 peer ip via WAN2 interface

ip route 1.1.1.1 255.255.255.255 2.2.2.5 name R100WAN1_VIA_E0/0
ip route 1.1.1.5 255.255.255.255 2.2.2.1 name R100WAN2_VIA_E0/1

Tunnels are created the same way. Here of course the tunnel destination uses the public IPs on the other side.

the tunnel ip addresses are in the same 10.10.10.8/30 and 10.10.10.0/30 subnets in order to form eigrp neighborship

interface Tunnel0
 ip address 10.10.10.10 255.255.255.252
 ip mtu 1400
 tunnel source Ethernet0/0
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile tp
!
interface Tunnel1
 description redundant tunnel
 ip address 10.10.10.1 255.255.255.252
 ip mtu 1400
 tunnel source Ethernet0/1
 tunnel destination 1.1.1.5
 tunnel protection ipsec profile tp

EIGRP config looks the same. [Here my LAN network is 192.168.102.0/24.]

router eigrp 100
 network 10.10.10.0 0.0.0.3
 network 10.10.10.8 0.0.0.3
 network 192.168.102.0

Then we can see crypto is up

R102#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel0
Uptime: 00:58:10
Session status: UP-ACTIVE
Peer: 1.1.1.1 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 1.1.1.1
      Desc: (none)
  IKEv1 SA: local 2.2.2.6/500 remote 1.1.1.1/500 Active
          Capabilities:(none) connid:1002 lifetime:23:01:49
  IPSEC FLOW: permit 47 host 2.2.2.6 host 1.1.1.1
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 652 drop 0 life (KB/Sec) 4450416/3503
        Outbound: #pkts enc'ed 654 drop 0 life (KB/Sec) 4450416/3503

Interface: Tunnel1
Uptime: 00:53:37
Session status: UP-ACTIVE
Peer: 1.1.1.5 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 1.1.1.5
      Desc: (none)
  IKEv1 SA: local 2.2.2.2/500 remote 1.1.1.5/500 Active
          Capabilities:(none) connid:1003 lifetime:23:03:52
  IPSEC FLOW: permit 47 host 2.2.2.2 host 1.1.1.5
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 649 drop 0 life (KB/Sec) 4467424/382
        Outbound: #pkts enc'ed 662 drop 0 life (KB/Sec) 4467422/382

  EIGRP neighbors are up

R102#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.10.10.2              Tu1               13 00:49:12    8  1362  0  13
0   10.10.10.9              Tu0               10 00:49:12    8  1362  0  14
R102#

EIGRP routing will load-balance traffic via both tunnels which are sourced from both WAN interfaces.

R102#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

D     192.168.100.0/24 [90/26905600] via 10.10.10.9, 00:48:03, Tunnel0
                       [90/26905600] via 10.10.10.2, 00:48:03, Tunnel1

As you can see... Simple and easy to achieve!


Regards

Olivier

CCIE Security#20306

Thank you for this.

I've been in class all morning, and now I have an emergency so I have to go on site. So I'll get on this as soon as I can and post results.

Olivier -

I wish I had fewer interruptions on this.

Anyway, I got the tunnels to come up, but no routing.

Local2921# sho crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel12
Uptime: 00:22:14
Session status: UP-ACTIVE
Peer: 2.1.0.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 2.1.0.2
      Desc: (none)
  IKEv1 SA: local 1.1.0.2/500 remote 2.1.0.2/500 Active
          Capabilities:D connid:1002 lifetime:23:37:45
  IPSEC FLOW: permit 47 host 1.1.0.2 host 2.1.0.2
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 289 drop 0 life (KB/Sec) 4347882/2265
        Outbound: #pkts enc'ed 290 drop 0 life (KB/Sec) 4347882/2265

Interface: Tunnel122
Uptime: 00:22:19
Session status: UP-ACTIVE
Peer: 2.2.0.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 2.2.0.2
      Desc: (none)
  IKEv1 SA: local 1.2.0.2/500 remote 2.2.0.2/500 Active
          Capabilities:D connid:1001 lifetime:23:37:40
  IPSEC FLOW: permit 47 host 1.2.0.2 host 2.2.0.2
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 289 drop 0 life (KB/Sec) 4160919/2260
        Outbound: #pkts enc'ed 289 drop 0 life (KB/Sec) 4160919/2260

Local2921#sho ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

Local2921#sho ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        1.1.0.0/24 is directly connected, GigabitEthernet0/0
L        1.1.0.2/32 is directly connected, GigabitEthernet0/0
C        1.2.0.0/24 is directly connected, GigabitEthernet0/1
L        1.2.0.2/32 is directly connected, GigabitEthernet0/1
      2.0.0.0/24 is subnetted, 2 subnets
S        2.1.0.0 [1/0] via 3.0.0.2
S        2.2.0.0 [1/0] via 3.0.0.2
      3.0.0.0/24 is subnetted, 1 subnets
S        3.0.0.0 [1/0] via 1.1.0.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.250.1.0/30 is directly connected, Tunnel12
L        10.250.1.1/32 is directly connected, Tunnel12
C        10.250.1.4/30 is directly connected, Tunnel122
L        10.250.1.5/32 is directly connected, Tunnel122
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/2
L        192.168.1.1/32 is directly connected, GigabitEthernet0/2
Local2921#

sh ip eigrp neighbors shows nothing, and neither does the sho ip route eigrp.

I assume I don't need a static route, since we are using eigrp, and I don't know how to troubleshoot eigrp.

Local router:

router eigrp 100
 network 10.250.1.0 0.0.0.3 ! 10.250.1.1 is the IP of Tunnel12
 network 10.250.1.4 0.0.0.3 ! 10.250.1.5 is the IP of Tunnel122
 network 192.168.1.0 ! the LAN segment that needs to be routed

Remote router:

router eigrp 100
 network 10.250.1.8 0.0.0.3 ! 10.250.1.9 is the IP of Tunnel0
 network 10.250.1.12 0.0.0.3 ! 10.250.1.13 is the IP of Tunnel1
 network 192.168.12.0 ! the LAN segment that needs to be routed

Thank you so much for your help.

Hey Joe,

router eigrp 100
 network 10.250.1.0 0.0.0.3 ! 10.250.1.1 is the IP of Tunnel12
 network 10.250.1.4 0.0.0.3 ! 10.250.1.5 is the IP of Tunnel122
 network 192.168.1.0 ! the LAN segment that needs to be routed

Remote router:

router eigrp 100
 network 10.250.1.8 0.0.0.3 ! 10.250.1.9 is the IP of Tunnel0
 network 10.250.1.12 0.0.0.3 ! 10.250.1.13 is the IP of Tunnel1
 network 192.168.12.0 ! the LAN segment that needs to be routed

Normally both sides should be in the same network subnet. E.g. if Tu12 is connected to Tu0, then one side has 10.250.1.1 and the other 10.250.1.2; if Tu122 is connected to Tu1, then one side has 10.250.1.5 and the other 10.250.1.6.

Both EIGRP network statements should be the same.
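The subnet mismatch Olivier points to, as an added check that is not code from the thread: it pairs each tunnel with its mirror on the other router, verifies both ends of a tunnel share one /30, and confirms an EIGRP network statement covers each tunnel address (bare classful statements such as network 192.168.1.0 included). The remote router's tunnel source/destination pairing is assumed from the peer addresses in Joe's sh crypto session detail output; the corrected remote numbering follows Olivier's reply.

```python
# Added example, not code from the thread: pairs two routers' GRE tunnels and flags
# what stops an EIGRP adjacency in Joe's post (tunnel ends numbered from different
# /30s) or a tunnel IP no "network" statement covers. Standard library only.
from ipaddress import IPv4Address, IPv4Interface

def classful_wildcard(net):
    """Wildcard implied by a bare 'network A.B.C.D' statement (classful rule)."""
    first = int(net.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return (1 << (32 - prefix)) - 1

def eigrp_covers(statements, addr):
    """True if any 'network NET [WILDCARD]' statement matches addr."""
    ip = int(IPv4Address(addr))
    for stmt in statements:
        parts = stmt.split()
        net = int(IPv4Address(parts[1]))
        wc = int(IPv4Address(parts[2])) if len(parts) > 2 else classful_wildcard(parts[1])
        if (ip | wc) == (net | wc):
            return True
    return False

def audit(local, remote, local_eigrp, remote_eigrp):
    """Tunnels are (name, ip/prefix, source WAN IP, destination WAN IP); returns problems."""
    problems = []
    for lname, lip, lsrc, ldst in local:
        peers = [t for t in remote if t[2] == ldst and t[3] == lsrc]  # mirrored src/dst
        if not peers:
            problems.append(f"{lname}: no remote tunnel mirrors {lsrc}->{ldst}")
            continue
        rname, rip = peers[0][0], peers[0][1]
        li, ri = IPv4Interface(lip), IPv4Interface(rip)
        if li.network != ri.network:
            problems.append(f"{lname}<->{rname}: {li} and {ri} not on a common subnet")
        for name, iface, stmts in ((lname, li, local_eigrp), (rname, ri, remote_eigrp)):
            if not eigrp_covers(stmts, str(iface.ip)):
                problems.append(f"{name}: {iface.ip} not covered by any network statement")
    return problems

# Joe's routers as posted. Remote source/destination pairing is assumed from
# the peer addresses in his "sh crypto session detail" output.
LOCAL = [("Tunnel12", "10.250.1.1/30", "1.1.0.2", "2.1.0.2"),
         ("Tunnel122", "10.250.1.5/30", "1.2.0.2", "2.2.0.2")]
LOCAL_EIGRP = ["network 10.250.1.0 0.0.0.3", "network 10.250.1.4 0.0.0.3", "network 192.168.1.0"]
REMOTE_AS_POSTED = [("Tunnel0", "10.250.1.9/30", "2.1.0.2", "1.1.0.2"),
                    ("Tunnel1", "10.250.1.13/30", "2.2.0.2", "1.2.0.2")]
REMOTE_EIGRP_AS_POSTED = ["network 10.250.1.8 0.0.0.3", "network 10.250.1.12 0.0.0.3", "network 192.168.12.0"]
# Remote side renumbered as Olivier suggests: same /30s and network statements on both ends.
REMOTE_FIXED = [("Tunnel0", "10.250.1.2/30", "2.1.0.2", "1.1.0.2"),
                ("Tunnel1", "10.250.1.6/30", "2.2.0.2", "1.2.0.2")]
REMOTE_EIGRP_FIXED = ["network 10.250.1.0 0.0.0.3", "network 10.250.1.4 0.0.0.3", "network 192.168.12.0"]
```

Run audit(LOCAL, REMOTE_AS_POSTED, LOCAL_EIGRP, REMOTE_EIGRP_AS_POSTED) to see the two "not on a common subnet" findings; the same call with REMOTE_FIXED and REMOTE_EIGRP_FIXED returns an empty list.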