IR809 redundant VPN failover to cellular issues

seanwaite
Level 1

I have 3 IR809 routers that will use directly connected Ethernet radios with a cellular interface as backup. R1 is the primary (CTU), with R2 & R3 each needing to independently tunnel back to R1. I have tried IP SLA, and while that in itself works, the tunnels themselves are not functioning how I need them.


For example, if R2's Ethernet radio goes down and R2 switches to cellular, I can only get a functioning tunnel if R1's Ethernet interface is shut. What I would need is for R1 to accept connections on its cellular from R2 while also connecting via Ethernet for R1. Below is the config for R1, abbreviated some:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
crypto isakmp key TestKey address 10.10.7.156
crypto isakmp key TestKey address 10.10.7.157
crypto isakmp key TestKey address 10.190.190.32
crypto isakmp key TestKey address 10.190.190.33
!
crypto ipsec transform-set T1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC
 set transform-set T1
!
interface Tunnel0
 ip address 172.10.1.1 255.255.255.248
 tunnel source 10.10.7.155
 tunnel destination 10.10.7.156
!
interface Tunnel1
 ip address 172.20.1.1 255.255.255.248
 tunnel source 10.190.10.31
 tunnel destination 10.170.190.32
!
interface Tunnel2
 ip address 172.30.1.1 255.255.255.248
 tunnel source 10.10.7.155
 tunnel destination 10.10.7.157
!
interface Tunnel3
 ip address 172.40.1.1 255.255.255.248
 tunnel source 10.190.10.31
 tunnel destination 10.190.10.33
!
interface GigabitEthernet0
 ip address 10.10.7.155 255.255.255.0
!
interface Cellular0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
router eigrp 1
 network 10.10.7.0 0.0.0.255
 network 10.20.1.0 0.0.0.7
 network 10.170.190.0 0.0.0.255
!
ip route 10.20.2.0 255.255.255.248 Tunnel0 track 10
ip route 10.20.3.0 255.255.255.248 Tunnel2 track 11
ip route 10.20.2.0 255.255.255.248 Tunnel1 20
ip route 10.20.3.0 255.255.255.248 Tunnel3 20
ip route 192.168.101.0 255.255.255.224 10.10.7.254
!
ip sla 1
 icmp-echo 10.10.7.156 source-ip 10.10.7.155
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.10.7.157 source-ip 10.10.7.155
ip sla schedule 2 life forever start-time now
dialer-list 1 protocol ip permit
!
access-list 1 permit any

[Attached image: vpn.jpg]

Basically, I can get the tunnel functioning if I disconnect or shut down BOTH R1's and R2's Ethernet interfaces; then both will communicate via cellular. The above config is my last attempt, thinking to use a 2nd IP SLA, which did not work as expected.

1 Reply

Mohammad Alhyari
Cisco Employee

If you are using a crypto map to encrypt the GRE traffic, then please migrate to DVTI, which will accept the connection from any interface. Here is an example:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/zZ-Archive/IPsec_Virtual_Tunnel_Interface.html#GUID-86B39E26-3A22-4C4B-871E-588FFCB64FB7

 

HTH

Moh,
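The hub/spoke arrangement the reply points at, written out as an added example. It is not the poster's config and not the example in the Cisco guide linked above. It keeps the addresses the post gives (hub Ethernet 10.10.7.155, hub cellular 10.190.10.31, hub LAN 10.20.1.0/29, R2 LAN 10.20.2.0/29) and assumes everything else: the loopback addresses, the key string, AES-256/SHA-256 in place of the post's aes/sha, and the EIGRP delay and offset values used to keep traffic on the Ethernet path while the cellular tunnel stays up as a standby.

```ios
! ===== Hub (R1): one Virtual-Template, a spoke lands on whichever hub interface it reaches =====
! Added example; anything not taken from the post is an assumption.
crypto keyring SPOKES
 ! Wildcard PSK so a spoke is accepted from its Ethernet address OR its negotiated
 ! cellular address. See the note below before using this in production.
 pre-shared-key address 0.0.0.0 0.0.0.0 key ReplaceMe
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 14
!
crypto isakmp profile SPOKES
 keyring SPOKES
 match identity address 0.0.0.0 0.0.0.0
 virtual-template 1
!
crypto ipsec transform-set T1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-DVTI
 set transform-set T1
 set isakmp-profile SPOKES
!
interface Loopback0
 ip address 172.16.255.1 255.255.255.255
!
! No tunnel source/destination here: IKE clones one Virtual-Access per spoke session,
! so R1 no longer has a tunnel bound to a fixed (source, destination) pair.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-DVTI
!
router eigrp 1
 network 172.16.255.1 0.0.0.0
 network 10.20.1.0 0.0.0.7
!
! ===== Spoke (R2): one static VTI per uplink, both terminating on the hub's template =====
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key ReplaceMe address 10.10.7.155
crypto isakmp key ReplaceMe address 10.190.10.31
!
crypto ipsec transform-set T1 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC
 set transform-set T1
!
interface Loopback0
 ip address 172.16.255.2 255.255.255.255
!
interface Tunnel0
 description Primary: Ethernet radio to R1
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0
 tunnel destination 10.10.7.155
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
!
interface Tunnel1
 description Backup: cellular to R1 (always up, carries traffic only when Tunnel0 fails)
 ip unnumbered Loopback0
 tunnel source Dialer1
 tunnel destination 10.190.10.31
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
 ! Higher delay so R2 itself prefers Tunnel0 for routes learned from R1.
 delay 60000
!
router eigrp 1
 network 172.16.255.2 0.0.0.0
 network 10.20.2.0 0.0.0.7
 ! R1 sees R2's LAN over two Virtual-Access interfaces with identical template delay, so
 ! R2 must inflate what it advertises over cellular or R1 will load-share the return path.
 offset-list 0 out 100000 Tunnel1
```

Two things to check on this design. First, the wildcard pre-shared key is what makes the dynamic cellular address acceptable to the hub, and it also means any device holding that key can bring up a tunnel; once it works, move to per-spoke keyring entries keyed on a hostname identity (`crypto isakmp identity hostname` on the spoke with `match identity host` on the hub) or to certificates. Second, failover here comes from EIGRP converging between two tunnels that are both already established, not from tearing tunnels down with IP SLA, so the test is `show crypto session` showing both sessions UP-ACTIVE and `show ip eigrp neighbors` showing a neighbor on each tunnel while the Ethernet radio is still up; if the carrier NATs the Dialer1 address, the cellular session should show NAT-T in `show crypto isakmp sa detail`.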
