10-16-2012 03:51 PM
I have two sites with 2921 IPSec Routers. Each router has 3 ethernet interfaces. One LAN, one Internet, and one Ethernet based private circuit.
I need to do site to site VPN between these routers, over the private circuit. However, that circuit fails on rare occasion, so I want to have a failover VPN to go over the Internet as a backup.
It doesn't matter to me if it's primary / secondary failover or if it's load balanced with failover. What is critical is if one circuit fails, my remote site continues to communicate with the main office.
HSRP looks like I need two routers and the HSRP protocol monitors multiple LAN interfaces, and I only have the one.
I've opened a case with TAC, but it's been a week without any progress.
Surely this isn't that difficult to do.
11-15-2012 08:20 AM
Hey Joe,
router eigrp 100
network 10.250.1.0 0.0.0.3 #10.250.1.1 is the IP of the tunnel12
network 10.250.1.4 0.0.0.3 #10.250.1.5 is the ip of the tunnel122
network 192.168.1.0 # is the LAN segment that needs to be routed.
Remote router......
router eigrp 100
network 10.250.1.8 0.0.0.3 #10.250.1.9 is the IP of the tunnel0
network 10.250.1.12 0.0.0.3 #10.250.1.13 is the IP of the tunnel1
network 192.168.12.0 # is the LAN segment that needs to be routed.
Normally both sides should be in the same subnet,
e.g. if
Tu12 is connected to Tu0
then
one side has 10.250.1.1 and the other 10.250.1.2;
if Tu122 is connected to Tu1
then
10.250.1.5 and the other side is 10.250.1.6.
Both EIGRP network statements should be the same.
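The accepted answer comes down to two checks per tunnel: both ends must sit in the same /30, and each router's EIGRP `network` statements must cover its own tunnel address. The script below is an added example, not part of the thread, that runs those two checks over the addresses and `network` statements posted above (the "as suggested" data set renumbers the remote side the way the answer describes and is constructed here). It also generalizes slightly by handling classful `network` statements without a wildcard, as IOS does for `network 192.168.1.0`.

```python
import ipaddress

# Added example (not from the thread): check that both ends of each GRE tunnel
# share a /30 and that each router's EIGRP 'network' statements cover its
# tunnel address, which is what the accepted answer describes.

def parse_network_statement(stmt: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'network A.B.C.D [wildcard]' line into an IPv4Network.
    Without a wildcard, IOS applies the classful mask (A /8, B /16, C /24)."""
    parts = stmt.split()
    if parts[0] != "network" or len(parts) not in (2, 3):
        raise ValueError(f"not a network statement: {stmt!r}")
    addr = ipaddress.IPv4Address(parts[1])
    if len(parts) == 2:
        first_octet = int(addr) >> 24
        prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
        return ipaddress.IPv4Network((addr, prefix), strict=False)
    wildcard = int(ipaddress.IPv4Address(parts[2]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def covered(ip: str, statements) -> bool:
    """True if any 'network' statement puts this interface into the EIGRP process."""
    a = ipaddress.IPv4Address(ip)
    return any(a in parse_network_statement(s) for s in statements)

def check_tunnel_pair(local_ip, remote_ip, local_statements, remote_statements, prefixlen=30):
    """Return a list of findings for one tunnel pair; an empty list means consistent."""
    findings = []
    local_net = ipaddress.ip_interface(f"{local_ip}/{prefixlen}").network
    remote_net = ipaddress.ip_interface(f"{remote_ip}/{prefixlen}").network
    if local_net != remote_net:
        findings.append(
            f"{local_ip} and {remote_ip} are on different subnets "
            f"({local_net} vs {remote_net}); EIGRP will not form an adjacency")
    for side, ip, stmts in (("local", local_ip, local_statements),
                            ("remote", remote_ip, remote_statements)):
        if not covered(ip, stmts):
            findings.append(f"{side} router: no 'network' statement covers {ip}")
    return findings

def audit(pairs, local_statements, remote_statements):
    """Map each tunnel pair to its findings."""
    return {f"{l}<->{r}": check_tunnel_pair(l, r, local_statements, remote_statements)
            for l, r in pairs}

# 'network' statements exactly as posted for the local and remote routers.
LOCAL_STMTS = ["network 10.250.1.0 0.0.0.3", "network 10.250.1.4 0.0.0.3", "network 192.168.1.0"]
REMOTE_STMTS = ["network 10.250.1.8 0.0.0.3", "network 10.250.1.12 0.0.0.3", "network 192.168.12.0"]
# Tunnel12 <-> Tunnel0 and Tunnel122 <-> Tunnel1 addresses as posted.
AS_POSTED = [("10.250.1.1", "10.250.1.9"), ("10.250.1.5", "10.250.1.13")]
# Constructed: the remote side renumbered as the accepted answer suggests.
AS_SUGGESTED = [("10.250.1.1", "10.250.1.2"), ("10.250.1.5", "10.250.1.6")]
REMOTE_STMTS_FIXED = ["network 10.250.1.0 0.0.0.3", "network 10.250.1.4 0.0.0.3", "network 192.168.12.0"]

if __name__ == "__main__":
    for label, pairs, remote in (("as posted", AS_POSTED, REMOTE_STMTS),
                                 ("as suggested", AS_SUGGESTED, REMOTE_STMTS_FIXED)):
        print(label)
        for pair, findings in audit(pairs, LOCAL_STMTS, remote).items():
            print(" ", pair, "OK" if not findings else findings)
```

Run as posted, each pair reports one finding (10.250.1.0/30 against 10.250.1.8/30, and 10.250.1.4/30 against 10.250.1.12/30); with the remote side renumbered into the same /30s and its `network` statements matching, both pairs come back clean.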
10-16-2012 04:33 PM
Use EIGRP or OSPF; if traffic over one VPN fails, the routing protocol will reconverge and send it over the second VPN. I had this kind of setup at one of my jobs. Approximately 200 VPNs like this. EIGRP convergence was really fast. We would drop like one or two packets, at times none.
10-17-2012 11:31 AM
There has to be more to it than this.
So when using EIGRP, how do I tell it to.....
A. Use G0/0 as primary, and G0/1 as secondary.
B. How do I set it so that if it fails over to G0/1, that as soon as G0/0 becomes available, it uses G0/0 instead?
10-17-2012 02:00 PM
You don't tell it, if you have EIGRP implemented in your network it will automatically detect that the route via Primary VPN no longer exists and will know about the route through the secondary VPN and it will automatically start using that route.
EIGRP will choose the best route so if your point to point circuit has a decent bandwidth and you have the interfaces configured properly then that will be the route EIGRP will choose.
10-17-2012 05:18 PM
Before you even get to EIGRP and/or OSPF, you need to setup GRE/IPSec between them. Then you use either EIRGP or OSPF to control the route. Now if you want to make the private circuit the primary link, just give it a lower metric than the Internet.
That way, the GRE/IPSec is just a transport mechanism while routing control the path it will take. In this case, failover VPN between private circuit and the Internet is transparent and automatic.
Easy right?
10-17-2012 10:30 PM
Hello,
An example from CCO:
You can use either GRE or ipsec mode ipv4. GRE allows you to encapsulate anything [cdp - ipv4 - ipv6] without any impact on scalability.
Cheers.
11-06-2012 12:01 PM
I have not gotten this to work, and it's frustrating trying to make the same goal with different technologies.
The TAC person I'm working with has me trying to do this with SLA. Which I thought I understood, but still cannot get it to work.
The config posted by olpeleri looks like it should work, but it's going to require a whole new config than the road I've been going down.
I'm seriously disappointed with my TAC engineer.
11-07-2012 06:49 AM
Just wondering what's the case id?
11-07-2012 08:36 AM
I don't really want to open a can of worms here. But I do need to make progress on this issue.
Case #623385665
I'm going to backup my current config using SLA, and try to work of the config example you provided. Hopefully I can make a bit of progress today.
11-07-2012 12:47 PM
OK, stuck.
I'm following the document you posted, and I get lost on the tunnel interface configuration. Mostly because I don't know where that IP I'm assigning to the tunnel comes from.
I have a LAN interface and a WAN interface on the router. I'm assuming the IPs I use as endpoints for the tunnel are the LAN interfaces.
So when I create the tunnel interface, it has a different IP, I don't know if this is a made up IP, or should be associated to a segment on my LAN or WAN interface. Just confused here.
11-07-2012 01:26 PM
Hey Joe,
It's a bit past 22:00 here in Europe. Let me prepare some annotated templates for you tomorrow. That should help you understand what to configure and why.
Cheers
Olivier
11-07-2012 11:38 PM
Let's imagine 2 routers. [Here I don't use a legacy config based on crypto maps.]
R100
E0/0 WAN1 IP 1.1.1.1 next-hop 1.1.1.2
E0/1 WAN2 IP 1.1.1.5 next-hop 1.1.1.6
R102
E0/0 WAN1 2.2.2.6 next-hop 2.2.2.5
E0/1 WAN2 2.2.2.2 next-hop 2.2.2.1
R100 config
Firstly we configure the isakmp policy.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
Then we define the pre-shared-keys for the peer IP's and other settings
crypto isakmp key cisco address 2.2.2.6
crypto isakmp key cisco address 2.2.2.2
crypto isakmp keepalive 60 5
We create an ipsec profile
crypto ipsec transform-set HIGH-ENCRYPTION esp-aes 256 esp-sha-hmac
!
crypto ipsec profile tp
set transform-set HIGH-ENCRYPTION
Let's make sure the routing is right.
We should be able to reach tunnel0 destination via WAN1 [e0/0] interface.
ip route 2.2.2.6 255.255.255.255 1.1.1.2 name R102_WAN1_VIA_ETH0
Tunnel1 destination should be reachable via WAN2 [e0/1] interface
ip route 2.2.2.2 255.255.255.255 1.1.1.6 name R102_WAN1_VIA_ETH1
Now we can create the tunnel and bind the ipsec profile to it.
The ip address configured on the tunnel will be used for the eigrp neighborship later on
Tunnel source is the WAN1 ip address
Tunnel destination is the WAN1 ip address of the remote router [Tunnel0 traffic will use WAN1 interface]
interface Tunnel0
ip address 10.10.10.9 255.255.255.252
ip mtu 1400
tunnel source Ethernet0/0
tunnel destination 2.2.2.6
tunnel protection ipsec profile tp
!
The ip address configured on the tunnel will be used for the eigrp neighborship later on
Tunnel source is the local WAN2 ip address
Tunnel destination is the WAN2 ip address of the remote router
[Tunnel1 traffic will use WAN2 interface]
interface Tunnel1
ip address 10.10.10.2 255.255.255.252
ip mtu 1400
tunnel source Ethernet0/1
tunnel destination 2.2.2.2
tunnel protection ipsec profile tp
!
Last we configure the routing protocol on that box.
router eigrp 100
network 10.10.10.0 0.0.0.3 ! Tunnel subnet to form eigrp adjacency
network 10.10.10.8 0.0.0.3 ! Tunnel subnet to form eigrp adjacency
network 192.168.100.0 ! My local lan subnet to advertise
R102 config
Crypto config - here of course psk secrets are using the address from the other side
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1
crypto isakmp key cisco address 1.1.1.5
crypto isakmp keepalive 60 5
crypto ipsec transform-set HIGH-ENCRYPTION esp-aes 256 esp-sha-hmac
!
crypto ipsec profile tp
set transform-set HIGH-ENCRYPTION
Routing is adapted accordingly
WAN1 peer ip via WAN1 interface
WAN2 peer ip via WAN2 interface
ip route 1.1.1.1 255.255.255.255 2.2.2.5 name R100WAN1_VIA_E0/0
ip route 1.1.1.5 255.255.255.255 2.2.2.1 name R100WAN2_VIA_E0/1
Tunnels are created the same way. Here of course the tunnel destination uses the public IP's on the other side
the tunnel ip addresses are in the same 10.10.10.8/30 and 10.10.10.0/30 subnets in order to form eigrp neighborship
interface Tunnel0
ip address 10.10.10.10 255.255.255.252
ip mtu 1400
tunnel source Ethernet0/0
tunnel destination 1.1.1.1
tunnel protection ipsec profile tp
!
interface Tunnel1
description redundant tunnel
ip address 10.10.10.1 255.255.255.252
ip mtu 1400
tunnel source Ethernet0/1
tunnel destination 1.1.1.5
tunnel protection ipsec profile tp
EIGRP config looks the same. [Here my lan network is 192.168.102.0/24]
router eigrp 100
network 10.10.10.0 0.0.0.3
network 10.10.10.8 0.0.0.3
network 192.168.102.0
Then we can see crypto is up
R102#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel0
Uptime: 00:58:10
Session status: UP-ACTIVE
Peer: 1.1.1.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 1.1.1.1
Desc: (none)
IKEv1 SA: local 2.2.2.6/500 remote 1.1.1.1/500 Active
Capabilities:(none) connid:1002 lifetime:23:01:49
IPSEC FLOW: permit 47 host 2.2.2.6 host 1.1.1.1
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 652 drop 0 life (KB/Sec) 4450416/3503
Outbound: #pkts enc'ed 654 drop 0 life (KB/Sec) 4450416/3503
Interface: Tunnel1
Uptime: 00:53:37
Session status: UP-ACTIVE
Peer: 1.1.1.5 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 1.1.1.5
Desc: (none)
IKEv1 SA: local 2.2.2.2/500 remote 1.1.1.5/500 Active
Capabilities:(none) connid:1003 lifetime:23:03:52
IPSEC FLOW: permit 47 host 2.2.2.2 host 1.1.1.5
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 649 drop 0 life (KB/Sec) 4467424/382
Outbound: #pkts enc'ed 662 drop 0 life (KB/Sec) 4467422/382
EIGRP neighbors are up
R102#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.10.10.2 Tu1 13 00:49:12 8 1362 0 13
0 10.10.10.9 Tu0 10 00:49:12 8 1362 0 14
R102#
EIGRP routing will load-balance traffic via both tunnels which are sourced from both WAN interfaces.
R102#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
D 192.168.100.0/24 [90/26905600] via 10.10.10.9, 00:48:03, Tunnel0
[90/26905600] via 10.10.10.2, 00:48:03, Tunnel1
As you can see... Simple and easy to achieve!
Regards
Olivier
CCIE Security#20306
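The route table above shows both tunnels installed with the same metric, 26905600, which is why EIGRP load-balances across them; the earlier reply about giving the private circuit "a lower metric than the Internet" is how you turn that into primary/secondary. The script below is an added example, not Olivier's code or part of the thread, that computes the classic EIGRP composite metric with default K values. It assumes the remote LAN hangs off a 10 Mb Ethernet with IOS default bandwidth 10000 kbps and delay 1000 usec and the tunnels keep their IOS defaults (100 kbps, 50000 usec); under those assumptions it reproduces the 26905600 shown above. It then shows what `delay 6000` (IOS takes the value in tens of microseconds, so 60000 usec) on the Internet tunnel does: only the private-circuit tunnel is installed, the Internet path stays a feasible successor, so failover needs no query and the primary is re-selected as soon as it comes back. Those effects are computed from the formula, not from a lab.

```python
# Added example (not from the thread): classic EIGRP composite metric with the
# default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):
#   metric = 256 * (10^7 // min_bandwidth_kbps + sum(delay in tens of usec))
# Assumed IOS defaults: Tunnel bandwidth 100 kbps / delay 50000 usec,
# 10 Mb Ethernet bandwidth 10000 kbps / delay 1000 usec.
TUNNEL_BW_KBPS, TUNNEL_DELAY_USEC = 100, 50_000
ETH_BW_KBPS, ETH_DELAY_USEC = 10_000, 1_000

def eigrp_metric(bandwidths_kbps, delays_usec):
    """Composite metric over the outgoing interfaces along a path."""
    min_bw = min(bandwidths_kbps)
    delay_tens = sum(d // 10 for d in delays_usec)   # IOS stores delay in tens of usec
    return 256 * (10_000_000 // min_bw + delay_tens)

def lan_via_tunnel(tunnel_delay_usec=TUNNEL_DELAY_USEC, lan_delay_usec=ETH_DELAY_USEC):
    """Metric this router computes for the remote LAN through one GRE tunnel:
    its own tunnel interface plus the neighbour's LAN interface."""
    return eigrp_metric([TUNNEL_BW_KBPS, ETH_BW_KBPS], [tunnel_delay_usec, lan_delay_usec])

def reported_distance_for_lan(lan_delay_usec=ETH_DELAY_USEC):
    """What the remote router advertises (its RD) for its directly connected LAN."""
    return eigrp_metric([ETH_BW_KBPS], [lan_delay_usec])

def installed_paths(metrics):
    """Successor(s) EIGRP installs with the default variance of 1: only the
    lowest metric, and every path that ties with it."""
    best = min(metrics.values())
    return best, sorted(name for name, m in metrics.items() if m == best)

def is_feasible_successor(reported_distance, feasible_distance):
    """Feasibility condition: the neighbour's RD must be strictly below our FD."""
    return reported_distance < feasible_distance

if __name__ == "__main__":
    # Defaults on both tunnels: equal metrics, both installed (load-balanced).
    equal = {"Tunnel0": lan_via_tunnel(), "Tunnel1": lan_via_tunnel()}
    print("default:", installed_paths(equal))          # (26905600, ['Tunnel0', 'Tunnel1'])
    # 'delay 6000' on the Internet-facing Tunnel1 (= 60000 usec) makes Tunnel0 primary.
    tuned = {"Tunnel0": lan_via_tunnel(),
             "Tunnel1": lan_via_tunnel(tunnel_delay_usec=60_000)}
    fd, used = installed_paths(tuned)
    print("tuned:", fd, used)                          # 26905600 ['Tunnel0']
    rd = reported_distance_for_lan()
    print("Tunnel1 is a feasible successor:", is_feasible_successor(rd, fd))
```

The same preference can be expressed with `bandwidth` instead of `delay`, but on a tunnel the minimum bandwidth term (10^7 // 100) dominates, so a small `delay` change on the backup tunnel is the least surprising knob; the important part is that the two tunnels end up with different metrics and that the backup's reported distance stays below the primary's feasible distance.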
11-08-2012 01:57 PM
Thank you for this.
I've been in class all morning, and now I have an emergency so I have to go on site. So I'll get on this as soon as I can and post results.
11-14-2012 04:07 PM
Olivier -
I wish I had fewer interruptions on this.
Anyway, I got the tunnels to come up, but no routing.
Local2921# sho crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel12
Uptime: 00:22:14
Session status: UP-ACTIVE
Peer: 2.1.0.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 2.1.0.2
Desc: (none)
IKEv1 SA: local 1.1.0.2/500 remote 2.1.0.2/500 Active
Capabilities:D connid:1002 lifetime:23:37:45
IPSEC FLOW: permit 47 host 1.1.0.2 host 2.1.0.2
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 289 drop 0 life (KB/Sec) 4347882/2265
Outbound: #pkts enc'ed 290 drop 0 life (KB/Sec) 4347882/2265
Interface: Tunnel122
Uptime: 00:22:19
Session status: UP-ACTIVE
Peer: 2.2.0.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 2.2.0.2
Desc: (none)
IKEv1 SA: local 1.2.0.2/500 remote 2.2.0.2/500 Active
Capabilities:D connid:1001 lifetime:23:37:40
IPSEC FLOW: permit 47 host 1.2.0.2 host 2.2.0.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 289 drop 0 life (KB/Sec) 4160919/2260
Outbound: #pkts enc'ed 289 drop 0 life (KB/Sec) 4160919/2260
Local2921#sho ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
Local2921#sho ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 1.1.0.0/24 is directly connected, GigabitEthernet0/0
L 1.1.0.2/32 is directly connected, GigabitEthernet0/0
C 1.2.0.0/24 is directly connected, GigabitEthernet0/1
L 1.2.0.2/32 is directly connected, GigabitEthernet0/1
2.0.0.0/24 is subnetted, 2 subnets
S 2.1.0.0 [1/0] via 3.0.0.2
S 2.2.0.0 [1/0] via 3.0.0.2
3.0.0.0/24 is subnetted, 1 subnets
S 3.0.0.0 [1/0] via 1.1.0.1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.250.1.0/30 is directly connected, Tunnel12
L 10.250.1.1/32 is directly connected, Tunnel12
C 10.250.1.4/30 is directly connected, Tunnel122
L 10.250.1.5/32 is directly connected, Tunnel122
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/2
L 192.168.1.1/32 is directly connected, GigabitEthernet0/2
Local2921#
sh ip eigrp neighbors shows nothing, and neither does the sho ip route eigrp.
I assume I don't need a static route, since we are using eigrp, and I don't know how to troubleshoot eigrp.
Local router....
router eigrp 100
network 10.250.1.0 0.0.0.3 #10.250.1.1 is the IP of the tunnel12
network 10.250.1.4 0.0.0.3 #10.250.1.5 is the ip of the tunnel122
network 192.168.1.0 # is the LAN segment that needs to be routed.
Remote router......
router eigrp 100
network 10.250.1.8 0.0.0.3 #10.250.1.9 is the IP of the tunnel0
network 10.250.1.12 0.0.0.3 #10.250.1.13 is the IP of the tunnel1
network 192.168.12.0 # is the LAN segment that needs to be routed.
Thank you so much for your help.
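The state in this post, IPsec sessions UP-ACTIVE on both tunnels but an empty `sh ip eigrp neighbors`, is easy to misread as a crypto problem. The script below is an added example, not part of the thread, that parses the two show outputs and reports per tunnel whether crypto is down, crypto is up with no EIGRP neighbour, or both are fine. The crypto sample is trimmed from the Local2921 paste above; the "OK" neighbour table is constructed for the renumbered addresses the accepted answer suggests, and the `Tu12` to `Tunnel12` name mapping is an assumption about how IOS abbreviates interfaces in that table.

```python
import re

# Added example (not from the thread): cross-check 'show crypto session detail'
# against 'show ip eigrp neighbors' so "IPsec up, no routing" is reported per tunnel.

# Trimmed from the Local2921 'sho crypto session detail' paste in the thread.
CRYPTO_SESSION = """\
Interface: Tunnel12
Uptime: 00:22:14
Session status: UP-ACTIVE
Peer: 2.1.0.2 port 500 fvrf: (none) ivrf: (none)
Interface: Tunnel122
Uptime: 00:22:19
Session status: UP-ACTIVE
Peer: 2.2.0.2 port 500 fvrf: (none) ivrf: (none)
"""

# Constructed: the empty neighbour table the post describes.
EIGRP_NEIGHBORS_NONE = """\
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
"""

# Constructed: what the table should look like once both ends share a /30.
EIGRP_NEIGHBORS_OK = """\
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.250.1.6              Tu122                    13 00:49:12    8  1362  0  13
0   10.250.1.2              Tu12                     10 00:49:12    8  1362  0  14
"""

def parse_crypto_sessions(text):
    """Map tunnel interface -> {'status', 'peer'} from 'show crypto session detail'."""
    sessions, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface:"):
            current = line.split(":", 1)[1].strip()
            sessions[current] = {"status": None, "peer": None}
        elif current and line.startswith("Session status:"):
            sessions[current]["status"] = line.split(":", 1)[1].strip()
        elif current and line.startswith("Peer:"):
            sessions[current]["peer"] = line.split()[1]
    return sessions

# Neighbour rows start with the H index, then the address, then the interface.
NEIGHBOR_RE = re.compile(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")

def parse_eigrp_neighbors(text):
    """Map tunnel interface (long form, e.g. Tunnel12) -> neighbour address."""
    neighbors = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            addr, intf = m.groups()
            intf = re.sub(r"^Tu(\d+)$", r"Tunnel\1", intf)   # assumed 'Tu12' -> 'Tunnel12'
            neighbors[intf] = addr
    return neighbors

def tunnel_health(crypto_text, eigrp_text):
    """Per tunnel: 'ok', 'crypto-down', or 'no-eigrp-neighbor'."""
    sessions = parse_crypto_sessions(crypto_text)
    neighbors = parse_eigrp_neighbors(eigrp_text)
    report = {}
    for intf, s in sessions.items():
        if s["status"] != "UP-ACTIVE":
            report[intf] = "crypto-down"
        elif intf not in neighbors:
            report[intf] = "no-eigrp-neighbor"
        else:
            report[intf] = "ok"
    return report

if __name__ == "__main__":
    print("as posted:", tunnel_health(CRYPTO_SESSION, EIGRP_NEIGHBORS_NONE))
    print("after fix:", tunnel_health(CRYPTO_SESSION, EIGRP_NEIGHBORS_OK))
```

A `no-eigrp-neighbor` result with crypto up points at the tunnel addressing or the `network` statements rather than at IKE or IPsec, which is exactly where the accepted answer looks.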