
Router VPN VTI Configuration adding a third site/router

networkwise (Level 1)

Hi,

I currently have two Cisco routers configured with a connection to a primary WAN interface and a connection to an Internet interface. I have a VPN configured using a VTI interface as a secondary path if the primary WAN circuit goes down. I'm also using OSPF as a dynamic routing protocol. Failover is working and routes are being exchanged. The question I have is, if I want to bring a third router into this configuration, do I just add another tunnel interface with the appropriate public tunnel source and destination IPs and new private IP addresses for a new tunnel network?
The current VTI configuration is below:

Any guidance would be appreciated.

Thanks 

Andy

Router1_Configuration_VTI

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 ip address 10.0.1.1 255.255.255.0
 ip ospf mtu-ignore
 load-interval 30
 ! public Internet source
 tunnel source 1.1.1.1
 ! public Internet destination
 tunnel destination 2.2.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
!

Router2_Configuration_VTI

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 ip address 10.0.1.2 255.255.255.0
 ip ospf mtu-ignore
 load-interval 30
 ! public Internet source
 tunnel source 2.2.2.1
 ! public Internet destination
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
!


8 Replies

There will be no problem; you just need another crypto isakmp key with the new site's public IP address.

I assume you have static public IP addresses for your sites, and configure a new tunnel interface.

Hello Richard,

Thanks for your input.

Andy

Since this config is configuring ISAKMP keys using address 0.0.0.0 0.0.0.0 there is no requirement for a new crypto isakmp key with the new site address. Just configure the VTI on the new router and on one or both of the existing routers.

One aspect of this implementation which the original poster should consider is how they want data to flow when the third router is implemented. With two routers you just have a simple point-to-point connection. When you introduce the third router, do you want one of the routers to act as hub? In this situation the hub router has tunnels to each of the remote spokes. Each remote spoke has a tunnel to the hub. Spoke-to-spoke communication is possible but will have to go to the hub and then out to the other remote. The other option is a mesh configuration where each router has a VTI tunnel to each other router.

HTH

Rick

Hello Richard,

Thanks for the guidance. I think I'll be configuring a full mesh, no hub. So on each router I'd create two tunnels, Tunnel0 and Tunnel1. Router 1 would have Tunnel0 going to Router 2 and Tunnel1 going to Router 3, is that correct?

Thanks Richard,

Andy

Andy

Yes, when you have 3 routers each router will have 2 tunnels, one tunnel to each of the peer routers. You would set up routing logic so that router 1 knows to get to addresses on router 2 via tunnel 0 and to get to addresses on router 3 via tunnel 1. The easy way to accomplish that is to run a dynamic routing protocol and have the routing protocol run over the tunnels. The main thing to watch out for in that environment is that you do not want the dynamic routing protocol to advertise the tunnel destination address as reachable through the tunnel.

I am glad that my suggestion was helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information.

HTH

Rick

Hi Rick,

I do have OSPF configured as the routing protocol between the sites. Your comment: "The main thing to watch out for in that environment is that you do not want the dynamic routing protocol to advertise the tunnel destination address as reachable through the tunnel."

I'm using /30s for the tunnel network between the sites. Under the OSPF statements I do have a network statement for the tunnel network; I was thinking I'd need this so the routers would form an OSPF adjacency. Are you saying that I should not have this network advertised in OSPF, as it can cause a problem? Thanks for the guidance Rick.

Andy

Andy

If you have already configured OSPF as the routing protocol for the sites then that is good and should work for the VTI tunnels. If you have /30 IP addresses assigned as the tunnel IP addresses and have OSPF network statements that match these addresses it is good. What is not good is to have OSPF advertise the tunnel destination address.

To help make it clear let us clarify a little terminology. A tunnel has a tunnel IP address. For R1 the tunnel IP address is 10.0.1.1 and there should be an OSPF network statement that includes this address. A tunnel also has a tunnel destination address (similar name but quite different function) and for R1 the tunnel destination address is 2.2.2.1. This is the address that should not be advertised in OSPF.

HTH

Rick
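A worked Router1 configuration for the full mesh Andy and Rick describe, added here as an example rather than taken from the thread: one VTI to each peer, OSPF network statements covering the tunnel /30s but not the public interface, and one pre-shared key per peer instead of the wildcard 0.0.0.0 0.0.0.0 key from the original post. Router3's public address 3.3.3.1, the /30 tunnel networks, the LAN 192.168.1.0/24 and the key placeholders are assumptions.

```cisco
! Added example, not from the thread. Router1 public address 1.1.1.1 and
! Router2 public address 2.2.2.1 are from the original post; Router3 at
! 3.3.3.1, the tunnel /30s, the LAN and the <KEY-...> strings are assumed.
!
! One key per peer: a peer whose source address is not listed here
! cannot even start IKE, unlike with the wildcard 0.0.0.0 0.0.0.0 key.
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <KEY-FOR-R2> address 2.2.2.1
crypto isakmp key <KEY-FOR-R3> address 3.3.3.1
!
crypto ipsec transform-set T1 esp-aes 256 esp-sha256-hmac
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 description VTI to Router2 (tunnel IP 10.0.12.1, destination 2.2.2.1)
 ip address 10.0.12.1 255.255.255.252
 ip ospf mtu-ignore
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
!
interface Tunnel1
 description VTI to Router3 (tunnel IP 10.0.13.1, destination 3.3.3.1)
 ip address 10.0.13.1 255.255.255.252
 ip ospf mtu-ignore
 tunnel source 1.1.1.1
 tunnel destination 3.3.3.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
!
router ospf 1
 ! Tunnel IP addresses (the /30s) and the LAN are advertised so the
 ! adjacencies form over the tunnels and site prefixes are exchanged.
 network 10.0.12.0 0.0.0.3 area 0
 network 10.0.13.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
 ! The public interface holding 1.1.1.1 is deliberately absent: the tunnel
 ! destinations 2.2.2.1 and 3.3.3.1 must stay reachable via the Internet
 ! next hop, never via a tunnel, or the VTI recurses on itself.
```

If a tunnel destination does get learned through a tunnel, IOS reports the recursion Rick warns about with a %TUN-5-RECURDOWN log message and holds the tunnel down until the route changes.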

Got it, makes sense. Thanks for the explanation.

Andy