IPSec VPN - 'set peer' command

jucpci001
Level 1

Hi - I have the below config on my VPN router, and it has tunnels to two peers.

When I initiate interesting traffic:

which peer does it select, .106 or .26?

what is the selection process if more than two peers are defined?

If I swap both, will the traffic reach the first peer, i.e. .26?

 

----------------------------------

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXX address 10.56.35.106
crypto isakmp key XXXX address 10.56.85.26
crypto isakmp keepalive 60 periodic
!
crypto ipsec transform-set SC-XXXXXXXX esp-3des esp-sha-hmac
!
crypto map SC 10 ipsec-isakmp
 description <Primary>
 set peer 10.56.35.106
 set peer 10.56.85.26
 set transform-set SC-XXXXXXXX
 match address hxyxd

!
interface GigabitEthernet0/1
 description <<Vpn Rtr to CE Routers>>
 ip address 10.36.27.59 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip mroute-cache
 duplex auto
 speed auto
 media-type rj45
 crypto map SC
!

ip access-list extended hxyxd
 permit ip 172.20.x.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 172.20.x.0 0.0.0.255 10.0.0.0 0.255.255.255

Regards, Jr.J

 

4 Replies

Marcin Latosiewicz
Cisco Employee

Have a look at the command reference; your questions are answered there:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1966957785

Use the "default" keyword on a peer to influence the selection process.

 

Thanks Marcin !

And without the "default" keyword, will the first peer be selected?

Can I use the below?

set peer 10.56.35.106
set peer 10.56.85.26 default

 

Regards, Jr.J

Check the link I sent you :-)

For crypto map entries created with the crypto map map-name seq-num ipsec-isakmp command, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange (IKE) tries the next peer on the crypto map list.

 

And, yes, you can use that kind of config.
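The selection order described in the reply above, written out as a small Python model so the three questions in the original post can be stepped through. This is an added illustration, not code from the thread or from Cisco IOS. It assumes the behaviour the command reference states: the router keeps using the peer it last heard from for a flow, otherwise IKE tries the `set peer` list in configured order; and it assumes (modelled on the reply about the `default` keyword) that a peer marked `default` is tried first, including again after the active peer is declared dead by `crypto isakmp keepalive`. The flow label and the `reachable` callback are stand-ins for the crypto ACL match and the outcome of the IKE negotiation.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class CryptoMapEntry:
    """One 'crypto map <name> <seq> ipsec-isakmp' entry and its 'set peer' list.

    Assumption (see lead-in): default_peer, when set, is tried before the
    remaining peers, which are tried in 'set peer' order.
    """

    peers: List[str]                      # in 'set peer' order
    default_peer: Optional[str] = None    # peer configured with the 'default' keyword
    # Per-flow state: the last peer the router heard from (traffic or IKE negotiation).
    active: Dict[str, str] = field(default_factory=dict)

    def candidate_order(self) -> List[str]:
        """Order in which IKE tries peers when no SA exists for the flow."""
        if self.default_peer is None:
            return list(self.peers)
        return [self.default_peer] + [p for p in self.peers if p != self.default_peer]

    def select_peer(self, flow: str, reachable: Callable[[str], bool]) -> Optional[str]:
        """Peer that new interesting traffic for `flow` is sent to."""
        if flow in self.active:           # existing SA: stay with the peer we last heard from
            return self.active[flow]
        for peer in self.candidate_order():
            if reachable(peer):           # IKE negotiation with this peer succeeded
                self.active[flow] = peer
                return peer
        return None                       # every peer failed: nothing is sent

    def heard_from(self, flow: str, peer: str) -> None:
        """The remote side negotiated or sent traffic first: it becomes the active peer."""
        if peer not in self.peers:
            raise ValueError(f"{peer} is not a configured peer")
        self.active[flow] = peer

    def dpd_failure(self, flow: str) -> None:
        """'crypto isakmp keepalive' declared the active peer dead: drop the flow state."""
        self.active.pop(flow, None)


def demo() -> List[Optional[str]]:
    """Walk the scenarios asked about in the thread; returns the peer chosen at each step."""
    p106, p26 = "10.56.35.106", "10.56.85.26"
    up = {p106: True, p26: True}          # constructed reachability state
    reach = lambda peer: up[peer]
    flow = "172.20.x.0/24 -> 10.0.0.0/8"  # traffic matching ACL hxyxd
    out: List[Optional[str]] = []

    # 1. Config as posted, both peers up: the first 'set peer' line wins.
    cm = CryptoMapEntry(peers=[p106, p26])
    out.append(cm.select_peer(flow, reach))        # 10.56.35.106

    # 2. .106 goes down, DPD notices, the next packet fails over to .26.
    up[p106] = False
    cm.dpd_failure(flow)
    out.append(cm.select_peer(flow, reach))        # 10.56.85.26

    # 3. .106 comes back; without 'default' the router stays on .26 (last heard from).
    up[p106] = True
    out.append(cm.select_peer(flow, reach))        # 10.56.85.26

    # 4. Swapping the two lines makes .26 the first peer tried.
    swapped = CryptoMapEntry(peers=[p26, p106])
    out.append(swapped.select_peer(flow, reach))   # 10.56.85.26

    # 5. 'set peer 10.56.85.26 default' with the original order: .26 is tried first.
    dflt = CryptoMapEntry(peers=[p106, p26], default_peer=p26)
    out.append(dflt.select_peer(flow, reach))      # 10.56.85.26

    # 6. .26 dies -> .106; later .26 returns and .106 dies -> back to the default.
    up[p26] = False
    dflt.dpd_failure(flow)
    out.append(dflt.select_peer(flow, reach))      # 10.56.35.106
    up[p26], up[p106] = True, False
    dflt.dpd_failure(flow)
    out.append(dflt.select_peer(flow, reach))      # 10.56.85.26
    return out


if __name__ == "__main__":
    for step, peer in enumerate(demo(), 1):
        print(f"step {step}: {peer}")
```

Step 3 is the part worth noticing: without `default`, a failover is sticky until the SA with the current peer is torn down, which is exactly what the `default` keyword changes in step 6. The keepalive in the posted config (`crypto isakmp keepalive 60 periodic`) is what drives the `dpd_failure` transitions; without DPD the router would not learn the active peer is gone until the SA lifetime expires.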

Thank you, let me see by changing it to 'set peer 10.56.85.26 default'.
