Is it possible to bind IPSEC to a specific IP address?

peterdieth
Level 1

Dear networkers,

We have a running VPN over the Internet between our HQ and a remote branch which works fine. The HQ and remote branch use static IP addresses and the VPN is IPSEC with manual keying. The VPN endpoints are a CISCO836 at the remote branch (connected to the Internet via ADSL/ISDN (3)) and a CISCO2811HSEC at the HQ (connected to the Internet via Ethernet (1)), which is also used as primary gateway to the Internet. See map below for details.

Recently we established a second/backup Internet link for availability purposes using a CISCO2620XM (connected to the Internet via E1 (2)). The setup and routing is fine, so we receive packets over (1) when the primary connection is up and running, and over (2) when the primary link (1) is down.

Now we experienced problems with the VPN connection when IPSEC packets are routed over the backup link instead of over the primary link. It looks like the CISCO836 is not able to establish the VPN link with the CISCO2820 because packets are coming out from 1.2.3.1 (fa0/0@CISCO2820) instead of 1.2.4.1 (fa0/1@CISCO2820), which is the configured peer.

We already took a look at "IPSEC preferred peer" (http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123ne...) with DPD but this is not an option because we want to use manual keying. Also configuring multiple peers in a crypto map is not possible with manual keying.

Here comes my question: is it possible to "bind" the IPSEC endpoint to a specific IP address (i.e. a loopback interface address on the CISCO2820) so that packets always flow from/to this address only?

Cheers,

Peter

PS: Here is the network topology map...

                   +- - - - +
                   |HQ-Cloud|
                   +- -+- - +
            HQ         |
  ----------+----------+--------+----------
      fa0/0 | 1.2.3.1/24        | fa0/0
       +----+----+         +----+----+
       |CISCO2811|         |CISCO2620|
       | VPN SEC |         | NON VPN |
       +----+----+         +----+----+
      fa0/1 \ 1.2.4.1/24       /
        (1)  \                / (2)
              \              /
               I N T E R N E T
                             /
                            /
                      \ (3)
                       \ 1.2.5.1/24
                     +----+---+
                     |CISCO836|
                     +---+----+
                         | REMOTE BRANCH
                   -------+-------
                          |
                       +- -+- -+
                       |Branch |
                       | Cloud |
                       +- - - -+


Richard Burts
Hall of Fame

Peter

Yes indeed it is possible to bind IPSec to a particular IP address. I have done a lot of IPSec VPN for a customer where we use the command:

crypto map gremap local-address FastEthernet0/0

You could just as easily specify loopback 0 as we have FastEthernet0/0.

I am not sure that I understand your comment about not being able to configure multiple peers in a crypto map. I do it frequently. But maybe it is not so important in this question since your real focus is on specifying the address.

HTH

Rick

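The approach Rick describes, applied to Peter's topology, as an added example configuration that is not from either poster. The loopback address 1.2.6.1/32, the map name VPN, the access list, the SPIs and the key placeholders are all assumptions; the interface addresses come from the map in the question.

```cisco
! HQ CISCO2811 (example only). Loopback0 1.2.6.1/32 is a constructed
! address: it only helps if BOTH Internet links carry a route to it, since
! 1.2.4.1 (link 1) becomes unreachable when the primary link is down.
interface Loopback0
 ip address 1.2.6.1 255.255.255.255
!
! Traffic to protect (constructed branch/HQ LAN ranges)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Source every IPsec packet from Loopback0 regardless of egress interface.
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-manual
 set peer 1.2.5.1
 set transform-set TS
 set session-key inbound  esp 1001 cipher <64-hex-digits> authenticator <40-hex-digits>
 set session-key outbound esp 1000 cipher <64-hex-digits> authenticator <40-hex-digits>
 match address VPN-TRAFFIC
!
! With local-address in use, the map must sit on every interface the
! encrypted traffic can leave through: fa0/1 for link (1), and fa0/0
! when routing falls back to the CISCO2620 on link (2).
interface FastEthernet0/0
 ip address 1.2.3.1 255.255.255.0
 crypto map VPN
interface FastEthernet0/1
 ip address 1.2.4.1 255.255.255.0
 crypto map VPN
!
! Branch CISCO836 (example only): peer is now the HQ loopback, and the
! manual SPIs/keys are mirrored (HQ inbound = branch outbound).
crypto map VPN 10 ipsec-manual
 set peer 1.2.6.1
 set transform-set TS
 set session-key inbound  esp 1000 cipher <64-hex-digits> authenticator <40-hex-digits>
 set session-key outbound esp 1001 cipher <64-hex-digits> authenticator <40-hex-digits>
 match address VPN-TRAFFIC
```

Verify with `show crypto ipsec sa`: the `local crypto endpt.` field should show 1.2.6.1 whichever link is active, and the SA counters should increment after the failover.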