
Parallel IPSec tunnels to one remote ip address

rplenter
Level 1

I have a 2821 with 2 DSL links and a main WAN link. I am off-loading non-prio traffic over an IPsec tunnel to our data center (via policy-based routing). Prio traffic is routed over the MPLS network.

Now I want to use the second DSL link as well. But is there a way to set up an IPsec tunnel over the second DSL link to the same remote gateway (the same IP address I used for the first DSL link)?

I can't find anything on this.

4 Replies

Hi,

On the 2821, just configure the two VPN peers under the crypto map (the first one will take precedence).

crypto map TEST 10 set peer 1.1.1.1 2.2.2.2

The 2821 will attempt to establish the tunnel to 1.1.1.1 and, if not receiving a response, will try 2.2.2.2.

The other side of the tunnel should have the routing set up correctly to route traffic either way.

Federico.

They indeed need to work at the same time.

I will try this vrf option (although I have little vrf experience :-).

jan.nielsen
Level 7

If you need them both to work at the same time towards the same peer address in the other end, you can use a fvrf to assign a default route that points out that dsl interface, and then use that vrf in your ipsec profile.

So something like this:

ip vrf dsl
!
! put the DSL-facing interface into the front-door VRF
interface dsl-something-or-other
 ip vrf forwarding dsl
!
! default route inside the VRF, pointing out the DSL link
ip route vrf dsl 0.0.0.0 0.0.0.0 x.x.x.x
!
! the keyring is looked up in the same VRF
crypto keyring test vrf dsl
 pre-shared-key address x.x.x.x x.x.x.x key xxxx
!
crypto isakmp profile test
 keyring test
 match identity address x.x.x.x 255.255.255.255 dsl
!
crypto ipsec transform-set test esp-aes 256 esp-sha-hmac
!
crypto ipsec profile test
 set transform-set test
 set isakmp-profile test
!
! the encrypted tunnel packets are routed using the dsl VRF
interface tunnelx
 tunnel vrf dsl
 tunnel protection ipsec profile test

This should make a new tunnel interface, so you will probably need either a new DMVPN on the hub as well, or you could try the same DMVPN config, just with another GRE address; not sure if that will work. But the config will allow you to have both your regular DMVPN and one using the DSL, by separating the routing table into a global one that handles your regular DMVPN and the dsl one that handles the DMVPN over DSL.

Hmm, I replied to the wrong message.

See my reply on the previous message :-)
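
An added example, not part of the thread and not Cisco's own tooling: a small Python check that each tunnel interface in an IOS config has the complete front-door VRF wiring described in the FVRF reply above (a `tunnel vrf`, a WAN interface in that VRF, a default route in it, and a keyring bound to it). The interface, VRF, keyring and profile names in the sample are constructed, and the parser assumes sub-commands are indented as in `show running-config`.

```python
import re

def parse_blocks(config):
    """Map each top-level IOS line to itself plus its indented sub-commands."""
    blocks, current = {}, ""
    for line in filter(str.strip, config.splitlines()):
        if not line[0].isspace():
            current = line.strip()
        blocks.setdefault(current, []).append(line.strip())
    return blocks

def sub_cmd(blocks, header, pattern):
    """First capture group of pattern among header's lines, else None."""
    hits = (re.match(pattern, l) for l in blocks.get(header, []))
    return next((m.group(1) for m in hits if m), None)

def audit_fvrf(config):
    """List the breaks in each tunnel's FVRF -> route -> keyring chain."""
    b, out = parse_blocks(config), []
    for h in [h for h in b if h.lower().startswith("interface tunnel")]:
        vrf = sub_cmd(b, h, r"tunnel vrf (\S+)")
        if vrf is None:
            out.append(f"{h}: no tunnel vrf, outer packets use the global table")
            continue
        if not any(sub_cmd(b, i, r"ip vrf forwarding (\S+)") == vrf for i in b):
            out.append(f"{h}: no WAN interface is in vrf {vrf}")
        if not any(k.startswith(f"ip route vrf {vrf} 0.0.0.0 0.0.0.0 ") for k in b):
            out.append(f"{h}: vrf {vrf} has no default route")
        prof = sub_cmd(b, h, r"tunnel protection ipsec profile (\S+)")
        ike = sub_cmd(b, f"crypto ipsec profile {prof}", r"set isakmp-profile (\S+)")
        ring = sub_cmd(b, f"crypto isakmp profile {ike}", r"keyring (\S+)")
        if f"crypto keyring {ring} vrf {vrf}" not in b:
            out.append(f"{h}: keyring {ring} is not bound to vrf {vrf}")
    return out

# Constructed per-link config; all names (DialerN, dslN, krN, ...) are hypothetical.
LINK = """interface Dialer{n}
 ip vrf forwarding dsl{n}
ip route vrf dsl{n} 0.0.0.0 0.0.0.0 Dialer{n}
crypto keyring kr{n} vrf dsl{n}
crypto isakmp profile ike{n}
 keyring kr{n}
crypto ipsec profile ips{n}
 set isakmp-profile ike{n}
interface Tunnel{n}
 tunnel vrf dsl{n}
 tunnel protection ipsec profile ips{n}
"""
# Tunnel1 is wired correctly; Tunnel2 is missing its tunnel vrf line.
SAMPLE = LINK.format(n=1) + LINK.format(n=2).replace(" tunnel vrf dsl2\n", "")
```

Calling `audit_fvrf(SAMPLE)` reports only Tunnel2, whose encrypted packets would follow the global routing table instead of the second DSL link.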