Software VPN Encryption Tunnel

bjayaraman
Level 1

Physical Connectivity:

a> Site1-->Site2-->Site3

b> Site4-->Site5-->Site6

c> Site2-->Site5

d> Site3 & Site6 are internally connected on the same cloud.

S/w encryption has been enabled on Site1, Site3 & Site6. There are 2 tunnels. Primary is Site1---Site3.

By default packets will use this tunnel. The secondary tunnel is between Site1-->Site6. In case the link between Site2-->Site3 fails, data needs to be routed through the secondary tunnel.

Problem :

1> The "Sh crypto isakmp sa" shows both SAs (for Primary and Secondary). And they show the status "deleted" alternately, in a continuous fashion. Sometimes in a normal scenario, the packet takes the secondary tunnel, which is unwanted. It should go through this only when the Site2-->Site3 link goes down.

2> When the link Site2-->Site3 fails, the secondary tunnel doesn't get established automatically. I check using "Sh crypto ipsec sa". When I clear the primary tunnel using "Clear crypto isakmp sa" & "Clear crypto sa", only then does the secondary tunnel get created and data routed, else not. I want that to happen automatically.

1 Reply

drolemc
Level 6

With reference to your second problem, this behavior might be seen if the SA gets deleted on one end while the other knows nothing about it and continues to pump data as if the other end is up. To make detection of a dead remote peer faster, use dead peer detection. For more information, please see http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801ee19a.html
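As an added illustration of the dead peer detection the reply recommends (this is not configuration from the thread or from the poster's routers), the IOS fragment below shows the ISAKMP keepalive that turns DPD on, placed on the Site1 side with a crypto map that lists the Site3 peer first and the Site6 peer as fallback. The peer addresses, ACL number and map name are assumed placeholders; the timer values are example values, and the exact syntax and defaults should be checked against the feature guide linked above for the IOS release in use.

```text
! --- Before: no DPD. If Site3 silently loses its SA (for example when
! --- the Site2-->Site3 link fails), Site1 keeps sending into the dead
! --- primary SA until its lifetime expires or someone clears it manually.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.3
 set peer 192.0.2.6
 set transform-set TS
 match address 110

! --- After: DPD enabled. Every 10 s Site1 sends an R-U-THERE probe to the
! --- peer; if no reply arrives, it retries every 3 s and declares the peer
! --- dead after the retries are exhausted, tearing down the SA so the next
! --- interesting packet negotiates with the next peer in the set peer list.
crypto isakmp keepalive 10 3 periodic
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.3     ! primary: Site3
 set peer 192.0.2.6     ! secondary: Site6, used only after Site3 is declared dead
 set transform-set TS
 match address 110
```

Configure the keepalive on all three encrypting routers (Site1, Site3 and Site6), since each side independently decides when its remote peer is dead; "periodic" probes continuously, whereas the default "on-demand" mode only probes when there is outbound traffic with no inbound traffic.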