06-03-2009 08:35 AM - edited 02-21-2020 04:15 PM
How do you configure IPSEC to encrypt all traffic from one end of your network to the next?
06-04-2009 02:11 AM
You create an "Interesting Address" access list and call this access list in your crypto config.
HTH
09-30-2013 09:24 AM
We have two routers in the DC setup. On Router-1 the SP1 link is terminated, and on Router-2 the SP2 link is terminated. On both routers BGP is configured with the MPLS cloud.
In Router1 VLAN2 IP: 172.26.0.253.
In Router2 VLAN2 IP: 172.26.4.253.
DC subnet: 172.24.0.0/24
Branch End LAN Segment: 172.27.1.128/27
Now, from the branch, we are trying to implement an IPSEC tunnel for the DC segment. SP1 & SP2 are configured as active-standby.
DC config (both routers):
crypto isakmp policy 10
hash md5
encr 3des
authentication pre-share
crypto isakmp key <
crypto isakmp keepalive 30 5
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
crypto dynamic-map APDRPMAP 6
set transform-set APDRPSET
crypto map APDRPMAIN 6 ipsec-isakmp dynamic APDRPMAP
int vlan 2
crypto map APDRPMAIN
Branch router config:
crypto isakmp policy 10
hash md5
encr 3des
authentication pre-share
crypto isakmp keepalive 30 5
crypto isakmp key <
crypto isakmp key <
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
mode tunnel
crypto map APDRPMAP 6 ipsec-isakmp
set peer 172.26.0.253
set transform-set APDRPSET
match address 130
crypto map APDRPMAP 12 ipsec-isakmp
set peer 172.26.4.253
set transform-set APDRPSET
match address 130
access-list 130 permit ip 172.27.1.128 0.0.0.31 172.24.0.0 0.0.255.255
access-list 130 permit ip 172.17.220.32 0.0.0.3 172.24.0.0 0.0.255.255
access-list 130 deny ip 172.27.1.128 0.0.0.31 any
access-list 130 deny ip 172.17.220.32 0.0.0.3 any
int gi 0/0
crypto map APDRPMAP
int gi 0/1 --> Secondary MPLS link.
crypto map APDRPMAP
Problem:
When both links are up at the branch end, it creates the tunnel with the DC primary router IP 172.26.0.253 and works perfectly fine.
When the primary link goes down at the branch end, traffic towards the DC goes via gi0/1. In crypto, it tries to peer with the primary DC router IP only instead of the secondary DC router IP, and as a result the tunnel cannot form; the state is MM_NO_STATE.
When the primary link comes back up, it peers with 172.26.0.253 again and works fine.
We have tried clearing the crypto sessions in both cases but did not get the expected result.
Please let us know where exactly we are going wrong.
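Added illustration (not part of this thread, and not Cisco's code): a small Python model of how an IOS crypto map picks an entry and a peer for a flow. It parses the "interesting address" ACL from the earlier answer in the thread's own wildcard-mask syntax, then walks the crypto map in sequence order exactly as IOS does: the first sequence whose match ACL permits the flow is used, regardless of whether that sequence's peer is reachable. Run against the branch config posted above, it shows why sequence 12 (peer 172.26.4.253) is never selected: sequence 6 calls the same ACL 130 and wins every match, so when 172.26.0.253 is unreachable the router keeps proposing to it. The CONSOLIDATED_MAP layout is an assumption for comparison only: one sequence listing both peers, which IOS tries in order, moving on when DPD (the `crypto isakmp keepalive` already in the config) declares the first peer dead. Sample flows are constructed.

```python
import ipaddress
import re

# Constructed sample input: the branch router's crypto ACL as posted in the thread.
ACL_TEXT = """
access-list 130 permit ip 172.27.1.128 0.0.0.31 172.24.0.0 0.0.255.255
access-list 130 permit ip 172.17.220.32 0.0.0.3 172.24.0.0 0.0.255.255
access-list 130 deny ip 172.27.1.128 0.0.0.31 any
access-list 130 deny ip 172.17.220.32 0.0.0.3 any
"""

# Crypto map entries as (sequence, [peers], match-address ACL number).
# Posted layout: two sequences that both call ACL 130.
POSTED_MAP = [(6, ["172.26.0.253"], 130), (12, ["172.26.4.253"], 130)]
# Consolidated layout (assumption, not the thread's config): one sequence with two
# peers, which IOS walks in order when DPD declares the first one dead.
CONSOLIDATED_MAP = [(6, ["172.26.0.253", "172.26.4.253"], 130)]

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into an IPv4Network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # the set bits must be one contiguous run from the low end
        raise ValueError("non-contiguous wildcard mask %s" % wildcard)
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


def _take_address(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') from the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [(action, src_net, dst_net)]}."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        number, action, rest = m.groups()
        src, remaining = _take_address(rest.split())
        dst, _ = _take_address(remaining)
        acls.setdefault(int(number), []).append((action, src, dst))
    return acls


def is_interesting(aces, src_ip, dst_ip):
    """Crypto ACL semantics: first matching entry decides; permit = encrypt, deny or no match = clear."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def select_peer(crypto_map, acls, src_ip, dst_ip, dead_peers=frozenset()):
    """Return (sequence, peer) the router negotiates with for this flow, or None for cleartext.

    Sequences are tried in ascending order; the first whose ACL permits the flow wins,
    even if its peer is dead. Within that sequence, peers are tried in listed order,
    skipping the ones DPD has marked dead.
    """
    for seq, peers, acl_no in sorted(crypto_map):
        if not is_interesting(acls.get(acl_no, []), src_ip, dst_ip):
            continue
        for peer in peers:
            if peer not in dead_peers:
                return seq, peer
        return seq, None  # matched, but every listed peer is dead: no SA can form
    return None


def shadowed_sequences(crypto_map):
    """Sequences that reuse an ACL already matched by a lower sequence; they can never be selected."""
    first_use, shadowed = {}, []
    for seq, _peers, acl_no in sorted(crypto_map):
        if acl_no in first_use:
            shadowed.append((seq, first_use[acl_no]))
        else:
            first_use[acl_no] = seq
    return shadowed


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    flow = ("172.27.1.130", "172.24.0.10")  # constructed: branch LAN host to a DC host
    dead = {"172.26.0.253"}                   # primary DC router unreachable via gi0/1
    print("posted map, primary alive:  ", select_peer(POSTED_MAP, acls, *flow))
    print("posted map, primary dead:   ", select_peer(POSTED_MAP, acls, *flow, dead_peers=dead))
    print("shadowed (seq, shadowed by):", shadowed_sequences(POSTED_MAP))
    print("consolidated, primary dead: ", select_peer(CONSOLIDATED_MAP, acls, *flow, dead_peers=dead))
    print("non-interesting flow:       ", select_peer(POSTED_MAP, acls, "172.27.1.130", "10.0.0.1"))
```

With the posted map, the primary-dead case returns `(6, None)`: the flow still lands on sequence 6 because ACL 130 matched there first, and no alternative peer exists in that sequence, which is the MM_NO_STATE symptom described. `shadowed_sequences` flags sequence 12 as unreachable behind sequence 6, and the consolidated layout returns `(6, '172.26.4.253')` for the same dead-peer input.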