Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2111
Views
0
Helpful
8
Replies

Router VPN VTI Configuration adding a third site/router

Go to solution
networkwise
Level 1
Level 1

‎11-26-2015 10:18 AM

Hi,

I currently have two cisco routers configured with a connection to a primary WAN inerface and a connection to an Internet interace. I have a VPN configured using a VTI interface as a secondary path if the primary WAN circuit goes down. Im also using OSPF as a dynamic routing protocol. Failover is working and routes are being exchanged. The question I have is if I want to bring a third router into this configuration do I just add another tunnel interface with the appropiate Public tunnel source and destination IP's and new private IP addresses for a new tunnel network.
The current VTI configuration is below:

Any guidance would be appreciated.

Thanks 

Andy

Router1_Configurtation_VTI

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0

crypto IPsec transform-set T1 esp-3des esp-sha-hmac

crypto IPsec profile P1

set transform-set T1

!

interface Tunnel0

ip address 10.0.1.1 255.255.255.0

ip ospf mtu-ignore

load-interval 30

tunnel source 1.1.1.1******Public Internet Source

tunnel destination 2.2.2.1*******Public Internet Destination

tunnel mode IPsec ipv4

tunnel protection IPsec profile P1

!

Router2_Configuration_VTI

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0

crypto IPsec transform-set T1 esp-3des esp-sha-hmac

crypto IPsec profile P1

set transform-set T1

!

interface Tunnel0

ip address 10.0.1.2 255.255.255.0

ip ospf mtu-ignore

load-interval 30

tunnel source 2.2.2.1 ******Public Internet Source

tunnel destination 1.1.1.1******Public Internet Destination

tunnel mode IPsec ipv4

tunnel protection IPsec profile P1

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Richard Bradfield

‎11-28-2015 09:24 AM

Since this config is configuring ISAKMP keys using address 0.0.0.0 0.0.0.0 there is no requirement for a new crypto isakmp key with the new site address. Just configure the VTI on the new router and on one or both of the existing routers.

One aspect of this implementation which the original poster should consider is how they want data to flow when the third router is implemented. With two routers you just have a simple point to point connection. When you introduce the third router do you want one of the routers to act as hub? In this situation the hub router has tunnels to each of the remote spokes. Each remote spoke has a tunnel to the hub. Spoke to spoke communication is possible but will have to go to the hub and then out to the other remote. The other option is a mesh configuration where each router has VTI tunnel to each other router.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to networkwise

‎11-29-2015 05:30 PM

Andy

If you have already configured OSPF as the routing protocol for the sites then that is good and should work for the VTI tunnels. If you have /30 IP addresses assigned as the tunnel IP addresses and have OSPF network statements that match these addresses it is good. What is not good is to have OSPF advertise the tunnel destination address.

To help make it clear let us clarify a little terminology. A tunnel has a tunnel IP address. For R1 the tunnel IP address is 10.0.1.1 and there should be an OSPF network statement that includes this address. A tunnel also has a tunnel destination address (similar name but quite different function) and for R1 the tunnel destination address is 2.2.2.1. This is the address that should not be advertised in OSPF.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Richard Bradfield
Level 6
Level 6

‎11-26-2015 09:54 PM

there will be no problem, just need another crypto isakmp key with the new Site public Ip address

I assume you have static public IP addresses for your sites. and configure a new tunnel interface.

0 Helpful

Go to solution
networkwise
Level 1
Level 1
In response to Richard Bradfield

‎11-28-2015 09:17 AM

Hello Richard,

Thanks for your input..

Andy

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Richard Bradfield

‎11-28-2015 09:24 AM

Since this config is configuring ISAKMP keys using address 0.0.0.0 0.0.0.0 there is no requirement for a new crypto isakmp key with the new site address. Just configure the VTI on the new router and on one or both of the existing routers.

One aspect of this implementation which the original poster should consider is how they want data to flow when the third router is implemented. With two routers you just have a simple point to point connection. When you introduce the third router do you want one of the routers to act as hub? In this situation the hub router has tunnels to each of the remote spokes. Each remote spoke has a tunnel to the hub. Spoke to spoke communication is possible but will have to go to the hub and then out to the other remote. The other option is a mesh configuration where each router has VTI tunnel to each other router.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
networkwise
Level 1
Level 1
In response to Richard Burts

‎11-28-2015 09:24 AM

Hello Richard,

Thanks for the guidance. I think I'll be configuring a full mesh, no hub. So on each router Id create two tunnels, Tunnel0 and Tunnel1. Router 1 would have Tunnel0 going to Router2 and Tunnel1 going to Router 3, is that correct?

Thanks Richard,

Andy

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to networkwise

‎11-28-2015 02:34 PM

Andy

Yes when you have 3 routers each router will have 2 tunnels, one tunnel to each of the peer routers. You would set up routing logic so that router 1 knows to get to addresses on router 2 via tunnel 0 and get to addresses on router 3 via tunnel 1. The each way to accomplish that is to run a dynamic routing protocol and have the routing protocol run over the tunnels. The main thing to watch out for in that environment is that you do not want the dynamic routing protocol to advertise the tunnel destination address as reachable through the tunnel.

I am glad that my suggestion was helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information.

HTH

Rick 

HTH

Rick
0 Helpful

Go to solution
networkwise
Level 1
Level 1
In response to Richard Burts

‎11-29-2015 09:06 AM

Hi Rick,

I do have OSPF configured as the routing protocol between the sites. Your comment "The main thing to watch out for in that environment is that you do not want the dynamic routing protocol to advertise the tunnel destination address as reachable through the tunnel"

Im using /30's for the tunnel network between the sites. Under the OSPF statements I do have a network statement for the tunnel network, I was thinking I'd need this so the routers would form an OSPF adjacency. Are you saying that I should not have this network advertised in OSPF ? As it can cause a problem. Thanks for the guidance Rick.

Andy

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to networkwise

‎11-29-2015 05:30 PM

Andy

If you have already configured OSPF as the routing protocol for the sites then that is good and should work for the VTI tunnels. If you have /30 IP addresses assigned as the tunnel IP addresses and have OSPF network statements that match these addresses it is good. What is not good is to have OSPF advertise the tunnel destination address.

To help make it clear let us clarify a little terminology. A tunnel has a tunnel IP address. For R1 the tunnel IP address is 10.0.1.1 and there should be an OSPF network statement that includes this address. A tunnel also has a tunnel destination address (similar name but quite different function) and for R1 the tunnel destination address is 2.2.2.1. This is the address that should not be advertised in OSPF.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
networkwise
Level 1
Level 1
In response to Richard Burts

‎11-30-2015 08:03 AM

Got it makes sense. Thanks for the explanation.

Andy

0 Helpful
Customers Also Viewed These Support Documents