04-23-2018 11:45 AM - edited 03-12-2019 05:13 AM
Community,
I am migrating an IKEv2 IPSec VPN tunnel from a single peer to multiple peers. But I am not quite sure of how setting multiple peers in the crypto map works or how it pertains to Dead Peer Detection (DPD). Is DPD required for multiple "set peer" statements in the crypto map? I would like to be able to set multiple peers for failover purposes by adding Phoenix and Brown Deer to the config. Do I have to create multiple maps/policies to accomplish this? A sanitized output of my config is below. Thanks.
crypto ikev2 keyring Customer-Keyring
 peer Little_Rock
  address 156.x.w.245
  pre-shared-key **************
 peer Brown_Deer
  address 156.x.y.245
  pre-shared-key **************
 peer Phoenix
  address 156.x.z.245
  pre-shared-key **************
crypto ikev2 proposal Customer-Proposal
 encryption aes-cbc-128
 integrity sha256
 group 14
crypto ikev2 profile Customer-Little_Rock
 match identity remote address 156.x.w.245 255.255.255.255
Would I use another "match identity" statement here?
 authentication local pre-share
 authentication remote pre-share
 keyring local Customer-Keyring
crypto ikev2 policy Customer-Policy
 proposal Customer-Proposal
crypto ipsec transform-set Customer1 esp-sha256-hmac ah-sha256-hmac esp-aes 128
crypto map Customer1 125 ipsec-isakmp
 set peer 156.x.w.245
Would I use another "set peer" statement here?
 set security-association lifetime seconds 86400
 set transform-set Customer1
 set pfs group14
 set ikev2-profile Customer-Little_Rock
 match address Customer_ACL
04-24-2018 01:43 AM
If the new sites are different from the existing ones, you would need to create new crypto map entries and all that goes under the crypto map.
If they are the same sites and have a redundant connection, you can have 2 peers in the crypto map entry and 2 identity remote addresses.
In both cases DPD can be used, but it is not required.
HTH
Bogdan
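For the redundant-connection case described in the reply above, here is an added example (not from this thread and not from Cisco documentation) of one crypto map entry with two peers, one IKEv2 profile that matches both remote identities, and optional DPD. The second address 203.0.113.245 and the names Little_Rock_Backup and Customer-Redundant are constructed placeholders; everything else reuses names from the original question.

```cisco
! Added example: one site, two peer addresses (primary + backup circuit).
! 203.0.113.245, Little_Rock_Backup and Customer-Redundant are constructed
! placeholders, not values from the thread.
crypto ikev2 keyring Customer-Keyring
 peer Little_Rock
  address 156.x.w.245
  pre-shared-key **************
 peer Little_Rock_Backup
  address 203.0.113.245
  pre-shared-key **************
!
! One profile that accepts either remote identity; each remote address is
! looked up against its own keyring entry above.
crypto ikev2 profile Customer-Redundant
 match identity remote address 156.x.w.245 255.255.255.255
 match identity remote address 203.0.113.245 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local Customer-Keyring
 ! Optional: DPD probes every 10 s, retried every 3 s. Without DPD a peer
 ! that dies after the SA is up is only noticed when the SA expires or a
 ! new negotiation to it fails, so failover still happens but slowly.
 dpd 10 3 periodic
!
! One crypto map entry lists both peers. The router tries them in the
! order listed and moves to the next only when IKE setup to the current
! one fails. Traffic matching Customer_ACL goes to whichever peer is up,
! so no second map entry or second ACL is needed for the backup path.
crypto map Customer1 125 ipsec-isakmp
 set peer 156.x.w.245
 set peer 203.0.113.245
 set security-association lifetime seconds 86400
 set transform-set Customer1
 set pfs group14
 set ikev2-profile Customer-Redundant
 match address Customer_ACL
```

Contrast this with the different-sites case: three distinct sites each need their own crypto map sequence number and their own ACL, because entries are evaluated in sequence order and the first entry whose ACL matches the traffic wins.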
04-24-2018 07:56 AM
Bogdan,
Thanks for the reply! So I would need to create separate profiles for each site (Little Rock, Phoenix and Brown Deer) and then create separate crypto map entries for each profile? So like this?
crypto ikev2 profile Customer-Little_Rock
 match identity remote address 156.x.w.245 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local Customer-Keyring
crypto map Customer1 125 ipsec-isakmp
 set peer 156.x.w.245
 set security-association lifetime seconds 86400
 set transform-set Customer1-Transform
 set pfs group14
 set ikev2-profile Customer-Little_Rock
 match address Customer_ACL
crypto ikev2 profile Customer-Phoenix
 match identity remote address 156.x.y.245 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local Customer-Keyring
crypto map Customer1 130 ipsec-isakmp
 set peer 156.x.y.245
 set security-association lifetime seconds 86400
 set transform-set Customer1-Transform
 set pfs group14
 set ikev2-profile Customer-Phoenix
 match address Customer_ACL
crypto ikev2 profile Customer-Brown_Deer
 match identity remote address 156.x.z.245 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local Customer-Keyring
crypto map Customer1 135 ipsec-isakmp
 set peer 156.x.z.245
 set security-association lifetime seconds 86400
 set transform-set Customer1-Transform
 set pfs group14
 set ikev2-profile Customer-Brown_Deer
 match address Customer_ACL
04-24-2018 11:38 PM
I think you got the main idea right, but you would also need to have specific ACLs for every customer.
Using the ACLs, the router will know if the traffic needs to be sent over a VPN tunnel and to which VPN peer.
You may also want to have a different key for every VPN tunnel.