site to site vpn with 2 dsl lines

mateomateo1 (Level 1)

Hi, I have a working site-to-site VPN between 3 locations. Now I want to add an extra line (DSL) in 2 sites to load balance the traffic, or use those lines only for web purposes. How can I achieve that?

My target network layout will look like the picture below:

http://imageshack.us/photo/my-images/688/wang.png/

Here is the file created in PT 5.3.3.0019

http://www.2shared.com/file/jQh7eN0W/VPNs.html

14 Replies

Hi Matt,

You cannot load balance the L2L tunnels, you will have to pick up one of the lines, add a static route for the remote VPN peer and point to its next hop (Default-gateway). Then you can have a default route pointing to the default-gateway of the other interface.

Please let me know if this makes sense to you.

Thanks.

Thanks for the reply,

Javier - by saying default gateway for the other line (another DSL line), you mean setting another static route .... .... to point to the other interface? I do not know how to resolve that...; I will be working on it, but if you know how I can go about it please let me know or give me some directions.

Jeff Van Houten (Level 5)

If one of the sites has a fixed IP address you could create a DMVPN between the 3 locations. You could then run the EIGRP routing protocol, which will load balance multiple links.

Thanks for the reply Jeff,

The two sites have 2 static IPs, one for each line, but the 3rd site will have a Draytek on it, so I cannot do DMVPN, although that would be the ideal solution.

Dear Matt,

I agree with Jeff, DMVPN would help you in this scenario.

Another option is to use VTI or GRE/IPsec... but I am not sure what "Draytek" means, could you please clarify?

Thanks in advance.

Javier - Draytek Vigor 2820 router - it only supports a standard IPsec tunnel without GRE.

Matt,

I think you might try with this one, assuming that both links are managed by the same ISP:

1- Take one of the public IP addresses and use the following command:

     crypto map cisco local-address dsl_1

2- Apply the same crypto map on both DSL links and add a static route on both (so load balancing would occur).

3- Have the remote peer point to the IP address defined in the local-address command.

4- Make sure the ISP performs load-balancing on the edge links, so we use both links to send the traffic and the ISP uses the same ones for the return traffic.

5- By doing this, only one SA is created, which is one from the local-address to the remote IP.

For instance:

crypto map cisco local-address dsl_1
!
interface dsl_1
 ip address 1.1.1.1 255.255.255.252
 crypto map cisco
!
interface dsl_2
 ip address 1.1.1.5 255.255.255.252
 crypto map cisco
!
ip route 192.168.1.0 255.255.255.0 1.1.1.2
ip route 192.168.1.0 255.255.255.0 1.1.1.6

* Where 192.168.1.0/24 is the remote VPN network.

On the remote peer:

crypto map cisco 10
 set peer 1.1.1.1
!

Let me know if you have any questions.

Thanks.

* Please do not forget to rate the posts.

Thank you Javier for giving me help.

I have two DSL lines from the same provider, but I do not know if they are load balanced lines, probably not. I am actually trying to figure out what would happen in a situation where DSL 2 was only for Internet (browsing websites) use and DSL 1 for VPN use. Can this be achieved?

Also, what is the difference between

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

and

crypto isakmp key cisco address 80.0.0.25

Packet Tracer is not working with the second one for some reason.

Here is my current config from the HQ site:

Building configuration...

Current configuration : 1205 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 80.0.0.1
 set transform-set myset
 match address 101
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 81.0.0.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map myvpn
!
interface FastEthernet0/1
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 83.0.0.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 175 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 81.0.0.2
access-list 175 deny ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 175 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
!

I am glad to help.

If you want to use DSL 2 for Internet only, then you add a default route pointing to DSL 2's next hop and add a static route for 80.0.0.1/32 and 192.168.10.0/24 pointing to the DSL 1 next hop, so this traffic will be sent to the DSL 1 interface where the crypto map is; other traffic will be sent to the DSL 2 line.

Please let me know.

Thanks.

By default route, you mean 0.0.0.0 0.0.0.0 83.0.0.2?

Correct.
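To see how the accepted solution steers traffic, here is an added example (not from the thread or from Cisco) in Python: a longest-prefix-match lookup over the HQ routing table once the default route points at 83.0.0.2 and the 80.0.0.1/32 and 192.168.10.0/24 routes point at 81.0.0.2, which then classifies LAN traffic by egress interface, whether that interface carries the crypto map, and which interface the NAT rule is bound to. The routes, ACLs and interfaces are taken from the posted Packet Tracer config; the NAT and IPsec behaviour is a simplified assumption rather than an IOS emulation, and 203.0.113.10 is a constructed Internet host.

```python
import ipaddress

# Constructed model of the HQ router from this thread after the accepted
# solution is applied: default route via DSL 2 (Fa1/0), host route for the
# VPN peer and the remote LAN route via DSL 1 (Fa0/0). Addresses and ACL
# numbers come from the posted config; the NAT/IPsec rules below are a
# simplified assumption, not an IOS emulation.
ROUTES = [  # (prefix, next hop, egress interface)
    ("0.0.0.0/0", "83.0.0.2", "FastEthernet1/0"),
    ("80.0.0.1/32", "81.0.0.2", "FastEthernet0/0"),
    ("192.168.10.0/24", "81.0.0.2", "FastEthernet0/0"),
]
CRYPTO_MAP_IFACES = {"FastEthernet0/0"}  # 'crypto map myvpn' is applied here only
NAT_IFACE = "FastEthernet0/0"  # 'ip nat inside source list 175 interface Fa0/0 overload'
LOCAL_LAN = ipaddress.ip_network("192.168.100.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.10.0/24")  # ACL 101 permit / ACL 175 deny


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (next_hop, egress_interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, ifc in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    return best[1], best[2]


def forward(src, dst):
    """Classify a packet from the HQ LAN: which line it takes and what happens to it."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nh, ifc = lookup(dst)
    result = {"iface": ifc, "next_hop": nh}
    # Crypto ACL 101: LAN-to-remote-LAN traffic is 'interesting' for the tunnel.
    if src_ip in LOCAL_LAN and dst_ip in REMOTE_LAN:
        # Encryption only happens when the egress interface carries the crypto map;
        # otherwise the packet would leave unencrypted, which is the case to catch.
        result["action"] = "ipsec" if ifc in CRYPTO_MAP_IFACES else "sent-in-clear"
        return result
    # Everything else matches ACL 175 'permit ... any' and is translated to the
    # address of NAT_IFACE. If it leaves through a different interface, the return
    # path is asymmetric (assumed behaviour of a single interface-based NAT rule).
    result["action"] = "nat-overload" if ifc == NAT_IFACE else "nat-interface-mismatch"
    return result
```

Running forward("192.168.100.5", "203.0.113.10") reports "nat-interface-mismatch", which is worth checking in the posted HQ config once the default route is moved to DSL 2, since the NAT rule is still bound to FastEthernet0/0.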

Works like a charm now, Javier. Can I also briefly confirm my full config with you? I am a little bit concerned, especially about the NAT configuration, because it's not working for me in PT.

I am glad to hear that.

What exactly is not working regarding NAT?

Hope to hear from you soon.

Hi Javier, the 2 DSL lines were working as expected after your "intervention". Now I have decided to do 1 DSL line with NAT; I have done and tested the config under GNS3.

The VPNs are pinging each other. Can you take a look and tell me if the NAT and PPPoE are done correctly, as I can't test PPPoE under GNS3? If all is OK, then all I have to do is some firewalling; would you recommend CBAC?

The PPPoE part was done with Cisco Configuration Professional.

Here is my topology:

http://imageshack.us/photo/my-images/135/topology.png/

Here is my config from HQ:

Current configuration : 5692 bytes
!
! Last configuration change at 15:00:33 UTC Mon Apr 16 2012 by admin
! NVRAM config last updated at 11:35:12 UTC Mon Apr 16 2012 by cisco
! NVRAM config last updated at 11:35:12 UTC Mon Apr 16 2012 by cisco
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Omagh
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3071248423
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3071248423
revocation-check none
rsakeypair TP-self-signed-3071248423
!
!
crypto pki certificate chain TP-self-signed-3071248423
certificate self-signed 01
        quit
license udi pid CISCO2911/K9 sn FCZ1610701S
!
!
username admin privilege 15 secret 5 $1$fKQC$hb.iQ8SKnc3IRUxyKvAPI1
!
redundancy
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 81.0.0.1
crypto isakmp key cisco address 84.0.0.1
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 81.0.0.1
set transform-set esp-aes-sha
match address 101
crypto map vpn 20 ipsec-isakmp
set peer 84.0.0.1
set transform-set esp-aes-sha
match address 102
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxx
ppp chap password 0 yyyyyyyy6
ppp pap sent-username xxxxxxxxx password 0 yyyyyyyy
crypto map vpn
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map POLICY-NAT interface Dialer0 overload
!
ip nat inside source static tcp 192.168.10.2 3389 82.0.0.1 3389 route-map POLICY-NAT extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
!
ip access-list extended NAT
deny   ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
route-map POLICY-NAT permit 10
match ip address NAT
access-list 1 permit 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

And site 1:

Site_1#sh run
Building configuration...

Current configuration : 1568 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site_1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 82.0.0.1
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 82.0.0.1
set transform-set esp-aes-sha
match address 101
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 81.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 81.0.0.2
no ip http server
no ip http secure-server
!
!
ip nat inside source list 120 interface FastEthernet0/1 overload
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end