Site to Site IPsec without re-establishing a new tunnel

alan-zhan (Level 1)

Hello, I have a question about S2S IPSec.

[Topology diagram]

In this topology, I would like IPSec S2S between 172.21.0.0/24 and 172.22.0.0/24.

The Serial line is the first priority and route over ISP is the second priority for routing.

The question is how I can create the Site to Site IPsec connection without it being re-established when the routing path changes.

AR's configuration:

!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname AR
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username BR password 0 cisco
!
!
license udi pid CISCO2901/K9 sn FTX1524YO05
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key cisco address 10.0.0.2
crypto isakmp key cisco address 200.200.200.2
!
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 10.0.0.2
set peer 200.200.200.2
set transform-set TS
match address vpn
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 100.100.100.2 255.255.255.252
duplex auto
speed auto
crypto map CMAP
!
interface GigabitEthernet0/1
ip address 172.21.0.254 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.0.0.1 255.255.255.252
encapsulation ppp
ppp authentication chap
clock rate 2000000
crypto map CMAP
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.0.0.0 0.0.0.3 area 0
network 172.21.0.0 0.0.0.255 area 0
!
router rip
version 2
network 100.0.0.0
network 172.21.0.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
ip access-list extended vpn
permit ip 172.21.0.0 0.0.0.255 172.22.0.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

BR's configuration:

!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname BR
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username AR password 0 cisco
!
!
license udi pid CISCO2901/K9 sn FTX1524L63A
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key cisco address 10.0.0.1
crypto isakmp key cisco address 100.100.100.2
!
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 10.0.0.1
set peer 100.100.100.2
set transform-set TS
match address vpn
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 200.200.200.2 255.255.255.252
duplex auto
speed auto
crypto map CMAP
!
interface GigabitEthernet0/1
ip address 172.22.0.254 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.0.0.2 255.255.255.252
encapsulation ppp
ppp authentication chap
crypto map CMAP
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.0.0.0 0.0.0.3 area 0
network 172.22.0.0 0.0.0.255 area 0
!
router rip
version 2
network 172.22.0.0
network 200.200.200.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
ip access-list extended vpn
permit ip 172.22.0.0 0.0.0.255 172.21.0.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

Thank you very much!

Accepted Solution

Philip D'Ath (VIP Alumni)

Although you could go down that path, I wouldn't.

I would use VTI interfaces (GRE tunnels that run over IPSec), one over the Serial circuit and one over the ISP circuit.

You could then either use GRE keepalives to detect which tunnels are up and use static routes, or a dynamic routing protocol like EIGRP (put a higher "bandwidth" value with the "bandwidth" command on the preferred tunnel).

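As an added illustration of the first option in the accepted answer (this is not the poster's or the answerer's configuration), the AR side could be reworked like this: the crypto map comes off the physical interfaces, one GRE-over-IPsec tunnel runs across the Serial circuit and one across the ISP circuit, GRE keepalives track each path, and floating static routes prefer the Serial tunnel. The tunnel addressing (192.168.100.0/30, 192.168.101.0/30), the profile name, the PSK placeholder and the AES/SHA-256/group 14 suite replacing the posted 3DES/MD5/group 2 settings are assumptions; BR mirrors this with the addresses swapped.

```cisco
! --- AR side (hypothetical rework of the posted config; BR mirrors it) ---
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Both peer addresses stay keyed, since each tunnel uses a different source/destination pair
crypto isakmp key <STRONG-PSK> address 10.0.0.2
crypto isakmp key <STRONG-PSK> address 200.200.200.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
! An IPsec profile (not a crypto map) is what a tunnel interface attaches to
crypto ipsec profile VTI-PROF
 set transform-set TS
!
! The crypto map is removed from the physical links; the tunnels carry IPsec instead
interface Serial0/0/0
 no crypto map CMAP
interface GigabitEthernet0/0
 no crypto map CMAP
!
! Tunnel0: GRE over IPsec across the Serial circuit (preferred path)
interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source Serial0/0/0
 tunnel destination 10.0.0.2
 tunnel protection ipsec profile VTI-PROF
!
! Tunnel1: GRE over IPsec across the ISP circuit (backup path)
interface Tunnel1
 ip address 192.168.101.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 200.200.200.2
 tunnel protection ipsec profile VTI-PROF
!
! Floating static routes: the AD-1 route via Tunnel0 is used while its keepalives
! succeed. If the Serial path fails, three missed keepalives drop Tunnel0's line
! protocol, the route is withdrawn and the AD-10 route via Tunnel1 takes over.
! Tunnel1's IPsec SAs were already up, so no new tunnel has to be negotiated.
ip route 172.22.0.0 255.255.255.0 Tunnel0
ip route 172.22.0.0 255.255.255.0 Tunnel1 10
```

Failover state can be checked with "show ip route 172.22.0.0" and "show crypto ipsec sa" on both routers.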