05-09-2005 09:16 AM - edited 02-21-2020 01:45 PM
Dear networkers,
We have a running VPN over the Internet between our HQ
and a remote branch, which works fine.
The HQ and remote branch use static IP addresses
and the VPN is IPSEC with manual keying.
The VPN endpoints are a CISCO836 at the remote branch
(connected to the Internet via ADSL/ISDN (3)) and, at the
HQ, a CISCO2811HSEC (connected to the Internet via
Ethernet (1)), which is also used as primary gateway
to the Internet. See map below for details.
Recently we established a second/backup Internet link
for availability purposes using a CISCO2620XM
(connected to the Internet via E1 (2)). The setup
and routing is fine, so we receive packets over (1)
when the primary connection is up and running - and
over (2) when the primary link (1) is down.
Now we experience problems with the VPN connection
when IPSEC packets are routed over the backup link
instead of over the primary link.
It looks like the CISCO836 is not able to establish
the VPN link with CISCO2820 because packets are
coming out from 1.2.3.1 (fa0/0@CISCO2820) instead
of 1.2.4.1 (fa0/1@CISCO2820) which is the configured
peer.
We already took a look at "IPSEC preferred peer"
(http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123ne...)
with DPD but this is not an option because
we want to use manual keying.
Also configuring multiple peers in a crypto map is not possible with manual keying.
Here comes my question: is it possible to "bind"
the IPSEC endpoint to a specific IP address (i.e. a
loopback interface address on the CISCO2820) so that
packets are always flowing from/to this address only?
Cheers,
Peter
PS: Here is the network topology map...
                  +- - - - +
                  |HQ-Cloud|
                  +- -+- - +
          HQ          |
  ----------+----------+--------+----------
      fa0/0 | 1.2.3.1/24        | fa0/0
       +----+----+         +----+----+
       |CISCO2811|         |CISCO2620|
       | VPN SEC |         | NON VPN |
       +----+----+         +----+----+
  fa0/1     \ 1.2.4.1/24        /
       (1)   \                 / (2)
              \               /
              I N T E R N E T
                       /
                      /
                     \ (3)
                      \ 1.2.5.1/24
                    +----+---+
                    |CISCO836|
                    +---+----+
                        | REMOTE BRANCH
                    -------+-------
                        |
                     +- -+- -+
                     |Branch |
                     | Cloud |
                     +- - - -+
05-10-2005 11:43 AM
Peter
Yes indeed it is possible to bind IPSec to a particular IP address. I have done a lot of IPSec VPN for a customer where we use the command:
crypto map gremap local-address FastEthernet0/0
You could just as easily specify loopback 0 as we have FastEthernet0/0.
I am not sure that I understand your comment about not being able to configure multiple peers in a crypto map. I do it frequently. But maybe it is not so important in this question since your real focus is on specifying the address.
HTH
Rick
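Putting the two posts together, as an added example that is not configuration from either poster: a CISCO2811 fragment that binds the manually keyed crypto map to Loopback0 and applies the map on both interfaces a packet can leave through, plus the matching CISCO836 side peering to that loopback. The loopback address 1.2.6.1, the map and transform-set names, the LAN subnets in access-list 101 and the key placeholders are assumptions; only the interface names and the 1.2.3.1 / 1.2.4.1 / 1.2.5.1 addresses come from the thread, and 1.2.6.1 must be reachable from the Internet over both link (1) and link (2) for the backup path to carry the tunnel.

```cisco
! ---- HQ router CISCO2811 (hypothetical values except interface names
! ---- and the 1.2.3.1 / 1.2.4.1 / 1.2.5.1 addresses from the thread)
interface Loopback0
 description IPSec endpoint; must be routable over links (1) and (2)
 ip address 1.2.6.1 255.255.255.255
!
! Traffic to protect: HQ LAN to branch LAN (assumed subnets)
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Bind the tunnel endpoint to the loopback instead of whichever
! physical interface the packet happens to leave through.
crypto map VPNMAP local-address Loopback0
crypto map VPNMAP 10 ipsec-manual
 set peer 1.2.5.1
 set transform-set TS
 set session-key inbound esp 1001 cipher <HEX-KEY-IN> authenticator <HEX-AUTH-IN>
 set session-key outbound esp 1002 cipher <HEX-KEY-OUT> authenticator <HEX-AUTH-OUT>
 match address 101
!
! Apply the map on BOTH exit paths: fa0/1 for the direct link (1) and
! fa0/0 for the path via the CISCO2620 when link (1) is down (2).
interface FastEthernet0/1
 ip address 1.2.4.1 255.255.255.0
 crypto map VPNMAP
!
interface FastEthernet0/0
 ip address 1.2.3.1 255.255.255.0
 crypto map VPNMAP
!
! ---- Remote branch CISCO836: peer is now the loopback, not 1.2.4.1.
! ---- Keys and SPIs are mirrored: HQ inbound = branch outbound.
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-manual
 set peer 1.2.6.1
 set transform-set TS
 set session-key inbound esp 1002 cipher <HEX-KEY-OUT> authenticator <HEX-AUTH-OUT>
 set session-key outbound esp 1001 cipher <HEX-KEY-IN> authenticator <HEX-AUTH-IN>
 match address 101
```

The CISCO2620 still needs a route for 1.2.6.1 pointing at 1.2.3.1 so that return traffic arriving over link (2) reaches the loopback.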