Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3152
Views
0
Helpful
3
Replies

Multiple peers Crypto Map Issue

CyberEdge
Level 1
Level 1

‎09-27-2018 06:26 AM - edited ‎09-27-2018 06:28 AM

Hi Everyone,

 

I run to an issue with GRE over IPSec, Same GRE tunnel configuration on (Prod & DR stite) different IPSec peers

 

we are not using the tunnel source as IPsec peer, the customer configure 2 crypto map entries for our 2 peers, the IPsec to our Prod site worked successfully, when i shutdown the Tunnel at Prod site, and unshut the tunnel at the DR site, IPsec not formed and Tunnel is up down. i tired to clear P1 P2 session, but to worked

 

Note: P1 is up to our IPSec peers, it should be UP for 1 peer only.

for customer perspective he sees us as one site.

 

crypto map MAP_A 10 ipsec-isakmp
set peer 10.10.10.253
set transform-set Sky_TS
match address Sky_ACL
 !
crypto map MAP_B 15 ipsec-isakmp
set peer 10.10.10.254
set transform-set Sky_TS
match address Sky_ACL
!

 

But with below configs, (multiple peers in the same crypto map),  i switched back and forth the IPSEC worked, any idea?

crypto map MAP_A 10 ipsec-isakmp
set peer 10.10.10.253
set peer 10.10.10.254
set transform-set Sky_TS
match address Sky_ACL

 

IPSec.png

Labels:
0 Helpful
3 Replies 3

Rahul Govindan
VIP Alumni
VIP Alumni

‎09-28-2018 11:03 AM

Do you have different GRE tunnel interfaces for prod and DR tunnels? If that is the case, the ACL "Sky_ACL" should be different on the crypto map. Since you have the same ACL configured, the router will only try to establish a IPsec tunnel to the first peer (first match rule). You should ideally have 2 different and unique ACL's (plus add some dynamic routing) if you want to achieve failover. 

0 Helpful

CyberEdge
Level 1
Level 1
In response to Rahul Govindan

‎09-29-2018 04:08 AM

Hi Rahul

 

we have identical configs on both sites but different IPsec Peers, from the customer perspective he sees us as one site, i was wondering why this configs works:

 

2 peers in one crypto map

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to CyberEdge

‎10-01-2018 03:51 AM - edited ‎10-01-2018 04:01 AM

2 Peers would work because you have only 1 crypto map entry, hence the traffic can only match that crypto map entry. When you have 2 crypto map entries, it matches crypto entries one by one. So it will always match sequence 1. As mentioned before, if you want to build 2 separate tunnels, keep the crypto ACL's unique so that it not conflict with each other. 

 

Since you are using GRE tunnels, you can have 2 different tunnel interfaces where the tunnel source and destination combination is unique. For example:

 

int Tunnel1

tunnel source <ISP interface>

tunnel destination 10.10.10.253

 

int Tunnel 2

tunnel source <ISP interface>

tunnel destination 10.10.10.254

 

access-list Sky_ACL1 permit gre <isp interface> 10.10.10.253

access-list Sky_ACL2 permit gre <isp interface> 10.10.10.254

 

crypto map MAP_A 10 ipsec-isakmp 
set peer 10.10.10.253
set transform-set Sky_TS 
match address Sky_ACL1
 !
crypto map MAP_B 15 ipsec-isakmp 
set peer 10.10.10.254
set transform-set Sky_TS 
match address Sky_ACL2

 

You can then send routing protocol through Tunnel 1 and 2 with the right metrics  to prefer Tunnel1 to Primary site.

0 Helpful
Customers Also Viewed These Support Documents