06-05-2012 04:03 AM
Hello!
I've got some problems with a Cisco 1941 running 15.2...
I've got two DSL (PPPoE Dialer) WAN interfaces. I want the normal Internet traffic to go through DSL-1 and the VPN to go through DSL-2. So I set the default route through Dialer1 and the route heading to the IP of the Branch-Site (R.R.R.R) through Dialer2.
on R1: Ping R.R.R.R -> works fine
on R2: Ping Y.Y.Y.Y -> works fine
on R2: ssh Y.Y.Y.Y -> works fine
So I guess routing should work?
But the VPN won't be established:
router-wi#show cry sess
Crypto session current status
Interface: Dialer1
Session status: DOWN-NEGOTIATING
Peer: B.B.B.B port 500
IKEv1 SA: local X.X.X.X/500 remote B.B.B.B/500 Inactive
IPSEC FLOW: permit ip 172.20.100.0/255.255.255.0 172.20.110.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.40.0/255.255.255.0
Active SAs: 0, origin: crypto map
Interface: Dialer2
Session status: DOWN
Peer: B.B.B.B port 500
IPSEC FLOW: permit ip 172.20.100.0/255.255.255.0 172.20.110.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 192.168.40.0/255.255.255.0
Active SAs: 0, origin: crypto map
Even when I remove the VPN-D1 crypto map, no VPN can be established. Only when I shut down the Dialer1 interface and the default route also goes through Dialer2 is the VPN established correctly...
R1 config:
.....
track 1 ip sla 1
delay down 5 up 2
!
track 2 ip sla 2
delay down 5 up 2
!
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
!
crypto isakmp key xxxxx address R.R.R.R
crypto isakmp xauth timeout 10
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha512-hmac
!
crypto map VPN-D1 10 ipsec-isakmp
set peer R.R.R.R
set transform-set VPN_TS
match address VPN_1
crypto map VPN-D1 20 ipsec-isakmp
set peer R.R.R.R
set transform-set VPN_TS
match address VPN_2
!
crypto map VPN-D2 10 ipsec-isakmp
set peer R.R.R.R
set transform-set VPN_TS
match address VPN_1
crypto map VPN-D2 20 ipsec-isakmp
set peer R.R.R.R
set transform-set VPN_TS
match address VPN_2
!
interface GigabitEthernet0/0
description green
no ip address
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
description Wlan (VPN_1 Network)
encapsulation dot1Q 2 native
ip address 192.168.100.2 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description orange
no ip address
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description VPN_2 Network
encapsulation dot1Q 1 native
ip address 172.20.100.2 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip virtual-reassembly in
!
interface FastEthernet0/0/0
description -= to DSL-1 =-
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/0/1
description -= to DSL-2 =-
no ip address
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface Dialer1
description -= DSL-1 (Vdsl) =-
ip address negotiated
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname feste-ip7/xxx@t-online-com.de
ppp chap password 0 xxx
ppp pap sent-username feste-ip7/xxx@t-online-com.de password 0 xxx
crypto map VPN-D1
!
interface Dialer2
description -= DSL-2 (T-DSL) =-
ip address negotiated
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname feste-ip2/xxx@t-online-com.de
ppp chap password 0 xxx
ppp pap sent-username feste-ip2/xxx@t-online-com.de password 0 xxx
crypto map VPN-D2
!
.......
!
ip dns server
ip nat inside source route-map DSL-1 interface Dialer1 overload
ip nat inside source route-map DSL-2 interface Dialer2 overload
ip route B.B.B.B 255.255.255.255 Dialer2 10 track 2
ip route 0.0.0.0 0.0.0.0 Dialer1 30 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 50 track 2
!
ip access-list extended VPN_2
permit ip 172.20.100.0 0.0.0.255 172.20.110.0 0.0.0.255
ip access-list extended VPN_1
permit ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
!
ip radius source-interface GigabitEthernet0/0.1
ip sla 1
icmp-echo X.X.X.X
tag Check DSL-1
threshold 300
timeout 500
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo Y.Y.Y.Y
tag Check DSL-2
threshold 300
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
access-list 100 remark -= NAT Route-Map DSL-1 ACL =-
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 remark -= NAT Route-Map DSL-2 ACL =-
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map DSL-2 permit 10
match ip address 101
match interface Dialer2
route-map DSL-1 permit 10
match ip address 100
match interface Dialer1
R2 config:
....
crypto map VPN 10 ipsec-isakmp
set peer Y.Y.Y.Y
set peer X.X.X.X
set transform-set VPN_TS
match address VPN_1
crypto map VPN 20 ipsec-isakmp
set peer Y.Y.Y.Y
set peer X.X.X.X
set transform-set VPN_TS
match address VPN_2
...
06-05-2012 06:37 AM
Hi there,
"So i set the default route through Dialer1 and the route heading to the IP of the Brach-Site (R.R.R.R) through Dialer2." This is not what you have done, below.
Your "ip route 0.0.0.0 0.0.0.0 Dialer2 50" will kick in only when "Dialer1 30" goes down, so tracking is doing what it is supposed to do.
If you want to keep VPN-bound traffic on DSL2 and web-browsing traffic on DSL1, you do not need IP SLA to begin with.
Keep your default route any any to Dialer1 and the remote-LAN segment route to Dialer2, and the remote VPN peer IP address must be routed to Dialer2 as well.
Please let me know, if this helps.
thanks
Rizwan Rafeek
06-05-2012 06:44 AM
Hi,
Sorry for not explaining the tracking. I want failover for both lines. If one line fails, everything should fail over to the other line; that is why the IP SLAs are there...
Could you give me a correct version of the "ip route" section of my config?
Do I have to add something like "ip route 192.168.40.0 255.255.255.0 Dialer2"?
thanks!
06-05-2012 07:51 AM
Hi there,
Please try this...
ip sla 1
icmp-echo 4.2.2.2 source-ip 172.20.100.2
tag Check DSL-1
threshold 300
timeout 20000
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo R2.R2.R2.R2 source-interface Dialer2
tag Check DSL-2
threshold 300
timeout 20000
frequency 10
ip sla schedule 2 life forever start-time now
ip route 0.0.0.0 0.0.0.0 Dialer1 name default-route track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 100 name failover-default-route
ip route R2.R2.R2.R2 255.255.255.255 Dialer2 name primary-path-vpn track 2
ip route R2.R2.R2.R2 255.255.255.255 Dialer1 100 name failover-path-vpn
-------------------------------
This goes on your R2.
crypto isakmp key your-shared-keys-goes-here address R1.R1.R1.R1 no-xauth <--- 1st DSL public address
crypto isakmp key your-shared-keys-goes-here address R1.R1.R1.R1 no-xauth <--- 2nd DSL public address
crypto map VPN 10 ipsec-isakmp
set peer R1.R1.R1.R1 default
set security-association idle-time 60 default
set peer R1.R1.R1.R1 <------------------- 1st DSL public address
set transform-set VPN_TS
match address VPN_1
You only need one crypto map instance on R2 destined to R1; your default peer address will be your DSL2 primary (default) and the other is the secondary DSL1. The security association must be deleted before the R2 router initiates a new tunnel with R1 again, so the idle-time is set to 60 so that the security association to the default peer gets deleted.
Please let me know, if this helps.
thanks
Rizwan Rafeek
Message was edited by: Rizwan Mohamed
06-05-2012 08:03 AM
hey,
Yes, I got almost the same working now... but I only reach the other side if I do this:
ip route R2.R2.R2.R2 255.255.255.255 Dialer 2 track 2 name to_R2_via_DSL-2
ip route 192.168.40.0 255.255.255.0 Dialer 2 track 2 name VPN-1_to_R2_via_DSL-2
ip route 172.20.110.0 255.255.255.0 Dialer 2 track 2 name VPN-2_to_R2_via_DSL-2
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 100
Do you think this is OK? I'm wondering because of the bold routes.
Or do you think it's better to do this with VTIs?
06-05-2012 08:13 AM
Yes, you can incorporate the routes below into track 2 as well; however, should track 2 fail, you must have a failover route to DSL1 with a higher-cost route of 100.
ip route 192.168.40.0 255.255.255.0 Dialer 2 track 2 name VPN-1_to_R2_via_DSL-2
ip route 172.20.110.0 255.255.255.0 Dialer 2 track 2 name VPN-2_to_R2_via_DSL-2
Hope that helps.
thanks
Rizwan Rafeek
Message was edited by: Rizwan Mohamed
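To see why the two extra remote-LAN routes matter, here is a small Python model of R1's route selection (an added example, not anything posted in the thread; the peer address 203.0.113.2 and the destination hosts are constructed placeholders). It applies longest-prefix match, administrative distance and track-object withdrawal to the original route set and to the fixed one: with only the host route to the peer pinned to Dialer2, the interesting traffic still leaves via Dialer1's default route and so hits the crypto map bound to Dialer1, which is consistent with the DOWN-NEGOTIATING session on Dialer1 in the first post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str                   # destination prefix, e.g. "192.168.40.0/24"
    interface: str                # outgoing Dialer interface
    distance: int = 1             # administrative distance, lower wins on equal length
    track: Optional[int] = None   # IOS track object; route is withdrawn when it is down

def lookup(routes, dst, tracks):
    """Egress interface for dst: longest prefix first, lowest distance on ties, None if no route."""
    dst_ip = ipaddress.ip_address(dst)
    live = [r for r in routes
            if (r.track is None or tracks.get(r.track, True))
            and dst_ip in ipaddress.ip_network(r.prefix)]
    if not live:
        return None
    best = max(live, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))
    return best.interface

# Constructed placeholder for R2's public address (R2.R2.R2.R2 in the thread).
R2_PUBLIC = "203.0.113.2"

# The poster's first route set: only the peer address is pinned to Dialer2.
ORIGINAL = [
    Route(f"{R2_PUBLIC}/32", "Dialer2", 10, track=2),
    Route("0.0.0.0/0", "Dialer1", 30, track=1),
    Route("0.0.0.0/0", "Dialer2", 50, track=2),
]
# The accepted fix: the remote LANs behind R2 are routed to Dialer2 as well.
FIXED = ORIGINAL + [
    Route("192.168.40.0/24", "Dialer2", track=2),
    Route("172.20.110.0/24", "Dialer2", track=2),
]

def egress_summary(routes, tracks):
    """Where IKE to the peer, the VPN's interesting traffic and plain Internet traffic leave R1."""
    return {
        "ike_to_peer": lookup(routes, R2_PUBLIC, tracks),
        "lan_to_remote_lan": lookup(routes, "192.168.40.10", tracks),  # constructed host in VPN_1's remote net
        "internet": lookup(routes, "198.51.100.1", tracks),            # constructed Internet host
    }

if __name__ == "__main__":
    for label, table in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "both links up:", egress_summary(table, {1: True, 2: True}))
    print("fixed, DSL-2 down:", egress_summary(FIXED, {1: True, 2: False}))
```

When track 2 goes down, the /32 and both /24 routes are withdrawn together, so IKE and the interesting traffic fall back to the Dialer1 default route as one unit.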
06-05-2012 08:16 AM
It will fail over to the default route, I guess. It seems to work now.
thank you!
03-12-2014 11:58 AM
Hello! This post is quite old but actually fits my situation 100 percent. Is there any solution without changing metrics?
I would like to keep two default routes with the same admin distance...
Thanks in advance!
regards.