06-08-2015 08:33 PM - edited 02-21-2020 08:16 PM
Hi - I have the below config on my VPN router, and it has tunnels to two peers.
When I initiate interesting traffic:
which peer does it select, 106 or 26?
what is the selection process if more than two peers are defined?
If I swap both, will the traffic reach the first peer, i.e. 26?
----------------------------------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXX address 10.56.35.106
crypto isakmp key XXXX address 10.56.85.26
crypto isakmp keepalive 60 periodic
!
crypto ipsec transform-set SC-XXXXXXXX esp-3des esp-sha-hmac
!
crypto map SC 10 ipsec-isakmp
description <Primary>
set peer 10.56.35.106
set peer 10.56.85.26
set transform-set SC-XXXXXXXX
match address hxyxd
!
interface GigabitEthernet0/1
description <<Vpn Rtr to CE Routers>>
ip address 10.36.27.59 255.255.255.240
no ip redirects
no ip unreachables
no ip mroute-cache
duplex auto
speed auto
media-type rj45
crypto map SC
!
ip access-list extended hxyxd
permit ip 172.20.x.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.20.x.0 0.0.0.255 10.0.0.0 0.255.255.255
Regards, Jr.J
06-08-2015 11:24 PM
Have a look at the command reference; your questions are answered there:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1966957785
Use the "default" keyword on the peer to influence the selection process.
06-09-2015 02:13 AM
Thanks Marcin!
And without the "default" keyword, will the first peer be selected?
Can I use the below?
set peer 10.56.35.106
set peer 10.56.85.26 default
Regards, Jr.J
06-09-2015 04:16 AM
Check the link I sent you :-)
For crypto map entries created with the crypto map map-name seq-num ipsec-isakmp command, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange (IKE) tries the next peer on the crypto map list.
And, yes, you can use that kind of config.
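Added example (not part of this thread, not Cisco's code or tooling): a small Python parser for the crypto map configuration format posted above. It lists the peers of each crypto map entry in the order IKE will attempt them from a cold start, modelled on the quoted command reference as "the peer marked default first, then the remaining peers in configured order, moving on when an attempt fails". The quoted text also says the runtime choice depends on which peer the router last heard from, which a static parser cannot know, so the order shown is the initial one, not a live prediction. The audit function flags review points a reader of this thread would check: a peer listed under `set peer` with no matching `crypto isakmp key ... address` line (pre-shared authentication to that peer would fail), more than one peer marked default, or an entry with no `match address` ACL. The sample configuration is constructed for the example, using the addresses from the thread plus a made-up third peer 10.56.99.7 and a second map entry SC 20 to show the checks firing.

```python
"""Parse Cisco IOS crypto-map configuration and report IPsec peer ordering.

Added example for the thread; not Cisco's code. Selection model (assumption,
based on the command reference quoted in the thread): the 'default' peer is
tried first, otherwise peers are tried in configured order, and IKE moves to
the next peer on the list when an attempt fails.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the config posted in the thread.
# 10.56.99.7 and entry "SC 20" are made up to exercise the audit checks.
SAMPLE_CONFIG = """\
crypto isakmp key XXXX address 10.56.35.106
crypto isakmp key XXXX address 10.56.85.26
!
crypto map SC 10 ipsec-isakmp
 description <Primary>
 set peer 10.56.35.106
 set peer 10.56.85.26 default
 set transform-set SC-XXXXXXXX
 match address hxyxd
!
crypto map SC 20 ipsec-isakmp
 set peer 10.56.99.7
 match address other
"""


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peers: list = field(default_factory=list)  # [(ip, is_default)] in config order
    acl: str = ""


def parse_config(text):
    """Return (set of addresses with an ISAKMP key, [CryptoMapEntry])."""
    keyed = set()
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp key \S+ address (\S+)", line)
        if m:
            keyed.add(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = CryptoMapEntry(m.group(1), int(m.group(2)))
            entries.append(current)
            continue
        if line == "!":          # end of the current config section
            current = None
            continue
        if current is None:      # not inside a crypto map entry
            continue
        m = re.match(r"set peer (\S+)( default)?$", line)
        if m:
            current.peers.append((m.group(1), m.group(2) is not None))
            continue
        m = re.match(r"match address (\S+)", line)
        if m:
            current.acl = m.group(1)
    return keyed, entries


def try_order(entry):
    """Initial attempt order: default peer first, then the rest as configured."""
    defaults = [ip for ip, is_default in entry.peers if is_default]
    others = [ip for ip, is_default in entry.peers if not is_default]
    return defaults + others


def audit(text):
    """Return a list of human-readable findings about the crypto map entries."""
    keyed, entries = parse_config(text)
    findings = []
    for e in entries:
        tag = f"crypto map {e.name} {e.seq}"
        if not e.peers:
            findings.append(f"{tag}: no 'set peer' configured")
        if sum(1 for _, is_default in e.peers if is_default) > 1:
            findings.append(f"{tag}: more than one peer marked default")
        for ip, _ in e.peers:
            if ip not in keyed:
                findings.append(f"{tag}: peer {ip} has no 'crypto isakmp key' entry")
        if not e.acl:
            findings.append(f"{tag}: no 'match address' ACL, nothing will be protected")
    return findings


if __name__ == "__main__":
    _, entries = parse_config(SAMPLE_CONFIG)
    for e in entries:
        print(f"crypto map {e.name} {e.seq}: try order {try_order(e)}")
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a saved `show running-config`, the try-order line answers the thread's first question for each entry, and the findings list catches the mismatch that most often explains a tunnel that never comes up: a `set peer` address with no pre-shared key configured for it.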
06-09-2015 04:27 AM
Thank you, let me see by changing it to 'set peer 10.56.85.26 default'.