Multiple L2L IPSec sources on one router

ianh
Level 1

Hi folks,

I'm trying to make a redundant-ish office/datacentre connection on the cheap. At the datacentre we've got a 7301 (12.2(24)T5), and at the office we've got a Mikrotik RB1200 (5.12).

The office router has two ADSL connections to two different ISPs; the datacentre router has a single GigE to a colo provider. I'm trying to build an IPSec-encrypted IPIP tunnel over each ADSL service to a separate loopback interface on the datacentre router, so that I can run OSPF over the top for route exchange.

I need to use two different loopbacks on the datacentre router so the office router can have a static route for each, out each ISP's ADSL. But I'm running into issues making encryption work with two different source addresses.

Using the 'crypto map xxx local-address Loopback12' command, I can specify the outbound interface for one of the tunnels just fine and traffic moves as expected, while the other tunnel fails to encrypt. But is there a way of having two peers use two different local addresses, or of applying two crypto maps to a single physical interface?

Thanks,

- I.

-- Datacentre router config --

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key xxx address B.B.B.B
crypto isakmp key xxx address A.A.A.A
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map Crypto local-address Loopback12
crypto map Crypto 11 ipsec-isakmp
 set peer A.A.A.A
 set security-association lifetime kilobytes 10000000
 set transform-set vpn
 set pfs group2
 match address Crypto_via_ISPA
crypto map Crypto 12 ipsec-isakmp
 set peer B.B.B.B
 set security-association lifetime kilobytes 10000000
 set transform-set vpn
 set pfs group2
 match address Crypto_via_ISPB
!
interface Loopback11
 description Tunnel endpoint for ISP B
 ip address D.D.D.D 255.255.255.255
 crypto map Crypto
!
interface Loopback12
 description Tunnel endpoint for ISP A
 ip address C.C.C.C 255.255.255.255
 crypto map Crypto
!
interface Tunnel1
 description IPSec to office via ISP B
 ip address 10.0.0.2 255.255.255.254
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 ip ospf network point-to-point
 ip ospf cost 100
 tunnel source Loopback11
 tunnel destination B.B.B.B
 tunnel mode ipip
!
interface Tunnel2
 description IPSec to office via ISP A
 ip address 10.0.0.4 255.255.255.254
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 ip ospf network point-to-point
 ip ospf cost 50
 tunnel source Loopback12
 tunnel destination A.A.A.A
 tunnel mode ipip
!
interface GigabitEthernet0/0
 description Colo Internet
 crypto map Crypto
!
ip access-list extended Crypto_via_ISPA
 permit ip host C.C.C.C host A.A.A.A
ip access-list extended Crypto_via_ISPB
 permit ip host D.D.D.D host B.B.B.B


david.tran
Level 4

I don't think what you're doing will work. On the data center side, you only need a single loopback interface as the VPN termination end-point. However, this loopback must be visible over the Internet so the Mikrotik router can see it.

From there, the configuration is straightforward.
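As an added illustration of the single-endpoint layout the reply describes (example configuration written for this page, not the poster's config or the reply's own): the datacentre router terminates both peers on one Internet-reachable loopback, so the crypto map needs only one local-address and both IPIP tunnels share that source. Loopback0, its address X.X.X.X and the PSK placeholders are assumed; the peer addresses, tunnel numbers, tunnel addressing and ACL names are carried over from the thread. It also assumes the office router sends each tunnel's outer packets out the matching ISP based on their source address, since both tunnels now point at the same destination.

```cisco
! Added example, not the poster's configuration.
! One loopback terminates both IPsec peers, so the crypto map has a
! single local-address. X.X.X.X and Loopback0 are assumed values;
! A.A.A.A and B.B.B.B are the office router's two ISP addresses.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
! One pre-shared key per peer address (placeholders, not real keys)
crypto isakmp key PSK-PLACEHOLDER-A address A.A.A.A
crypto isakmp key PSK-PLACEHOLDER-B address B.B.B.B
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
! A single local address covers every entry in the map
crypto map Crypto local-address Loopback0
crypto map Crypto 11 ipsec-isakmp
 set peer A.A.A.A
 set transform-set vpn
 set pfs group2
 match address Crypto_via_ISPA
crypto map Crypto 12 ipsec-isakmp
 set peer B.B.B.B
 set transform-set vpn
 set pfs group2
 match address Crypto_via_ISPB
!
interface Loopback0
 description Single VPN endpoint, must be reachable from the Internet
 ip address X.X.X.X 255.255.255.255
!
! Both IPIP tunnels share the source; the destination selects the peer
interface Tunnel1
 description IPIP to office via ISP B
 ip address 10.0.0.2 255.255.255.254
 ip tcp adjust-mss 1400
 ip ospf network point-to-point
 ip ospf cost 100
 tunnel source Loopback0
 tunnel destination B.B.B.B
 tunnel mode ipip
!
interface Tunnel2
 description IPIP to office via ISP A
 ip address 10.0.0.4 255.255.255.254
 ip tcp adjust-mss 1400
 ip ospf network point-to-point
 ip ospf cost 50
 tunnel source Loopback0
 tunnel destination A.A.A.A
 tunnel mode ipip
!
! The crypto map belongs on the interface the packets actually leave
! through, not on the loopbacks
interface GigabitEthernet0/0
 description Colo Internet
 crypto map Crypto
!
! Crypto ACLs match the outer IPIP packets, one peer per entry; the
! selectors on the Mikrotik side must mirror these exactly
ip access-list extended Crypto_via_ISPA
 permit ip host X.X.X.X host A.A.A.A
ip access-list extended Crypto_via_ISPB
 permit ip host X.X.X.X host B.B.B.B
```

The IKE and IPsec proposals are kept as in the thread so the Mikrotik end still matches; where both ends support it, AES and SHA-based transforms are the better choice, and the pre-shared keys should differ per peer as shown. If each tunnel really must keep its own source address, the crypto-map single local-address limit is sidestepped by tunnel protection with an IPsec profile on GRE tunnels (or an IPsec VTI), where the tunnel source itself is the IKE endpoint, at the cost of changing the tunnel mode on both ends.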