Redundant VPN configuration

ewilliamson4922
Level 1

OK guys, so I have a theory question. Consider the configuration below.

What if 2.2.2.2 sets up the VPN first, then 1.1.1.1 comes online? What happens when 1.1.1.1 tries to set up the tunnel? Assume the remote end is configured correctly.


object-group network VPN-LOCAL-200
  network-object 192.168.100.0 255.255.255.0
 
object-group network VPN-REMOTE-200
  network-object 192.168.101.0 255.255.255.0
 
access-list 200 permit ip object-group VPN-LOCAL-200 object-group VPN-REMOTE-200
nat (any,outside) source static VPN-LOCAL-200 VPN-LOCAL-200 destination static VPN-REMOTE-200 VPN-REMOTE-200
 
crypto map VPNMAP 200 match address 200
crypto map VPNMAP 200 set peer 1.1.1.1 2.2.2.2
crypto map VPNMAP 200 set transform-set AES-SHA
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
 
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
  ikev1 pre-shared-key Random

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
  ikev1 pre-shared-key Random

2 Replies

I think the second tunnel will be created. I assume 1.1.1.1 and 2.2.2.2 are from the same site, so then perhaps they share the routing/traffic, or it might be a routing problem!

I actually created this scenario.

The tunnels will fight for control and keep tearing each other down.
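
The following is an added example, not part of the thread and not any poster's code: a small Python audit that reads ASA-style configuration text and flags crypto map entries where several peers share one match ACL (the situation the last reply says led to tunnels tearing each other down), plus peers that lack a `type ipsec-l2l` tunnel-group. The function name `audit` and the finding strings are assumptions made for illustration; the sample is constructed from the configuration in the question.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto map and tunnel-group lines from the question.
SAMPLE_CONFIG = """\
crypto map VPNMAP 200 match address 200
crypto map VPNMAP 200 set peer 1.1.1.1 2.2.2.2
crypto map VPNMAP 200 set transform-set AES-SHA
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
  ikev1 pre-shared-key Random
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
  ikev1 pre-shared-key Random
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
ACL_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")

def audit(config):
    """Return a sorted list of (map_name, sequence, finding) tuples."""
    peers, acls, l2l = defaultdict(list), {}, set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := PEER_RE.match(line):
            peers[(m[1], int(m[2]))] += m[3].split()
        elif m := ACL_RE.match(line):
            acls[(m[1], int(m[2]))] = m[3]
        elif m := TG_RE.match(line):
            l2l.add(m[1])
    findings = []
    for (name, seq), plist in peers.items():
        if len(plist) > 1:
            # Several peers can negotiate SAs for the same protected traffic.
            acl = acls.get((name, seq), "?")
            findings.append(
                (name, seq, f"{len(plist)} peers share ACL {acl}: " + ", ".join(plist)))
        for peer in plist:
            if peer not in l2l:
                # A missing or mistyped tunnel-group line leaves the peer undefined.
                findings.append(
                    (name, seq, f"peer {peer} has no 'type ipsec-l2l' tunnel-group"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```

A flagged multi-peer entry is a prompt to confirm that only one of the listed peers can bring up the tunnel at any time.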