VPN IKEv2 Flapping between 2 IP Addresses

giorgio ghezzi
Level 1

Hi guys,

I need to configure 2 IKEv2 VPNs from my router (ISR4410) to 2 different Fortigates of the same customer. In a nutshell, these 2 VPNs will be the backup of each other.

The problem is that when I configure both VPNs in the same profile and crypto map, the VPN flaps. (If I configure only one VPN, there is no stability problem.)

Below is my configuration:
------------Define IKEv2 Keyring----------------
crypto ikev2 keyring Customer_IKEv2
peer TURIN
address 1.1.1.1
pre-shared-key Password123
!
peer MILAN
address 2.2.2.2
pre-shared-key Password123

--------Define IKEv2 Policies----------------

crypto ikev2 policy Customer_IKEv2
proposal Customer_IKEv2
match fvrf INTERNET
exit

--------Define Crypto ACL to identify IPSec secured traffic----------------

ip access-list extended Customer_IKEv2
permit ip 192.168.10.0 0.0.0.7 172.16.10.0 0.0.0.255
exit

--------Define Transform Sets----------------

crypto ipsec transform-set Customer_IKEv2 esp-aes 256 esp-sha512-hmac
mode tunnel

--------Define IKEv2 Profiles----------------

crypto ikev2 profile Customer_IKEv2
match fvrf INTERNET
match identity remote address 1.1.1.1 255.255.255.255
identity local address 4.4.4.4
! 4.4.4.4 is my public IP
authentication remote pre-share
authentication local pre-share
keyring local Customer_IKEv2
lifetime 3600
ivrf TARGA-M2M-NG16

--------Define Crypto Maps----------------

crypto map VPN_TRAFFIC 30 ipsec-isakmp
set peer 1.1.1.1
set peer 2.2.2.2
set transform-set Customer_IKEv2
set ikev2-profile Customer_IKEv2
match address Customer_IKEv2

--------Define route for Targa LOOPBACK_Targa----------------

ip route vrf Customer 172.16.10.0 255.255.255.0 GigabitEthernet0/0/2 10.10.10.10
! 10.10.10.10 is an internal IP, it's natted by IPS

Bye

Giorgio


There are many issues in the config.
The main issue is VRF.
We can solve 99% of the issues if you confirm we can use a tunnel, not a crypto map.

Can you confirm we can use SVTI?

MHM

@giorgio ghezzi if your Cisco router is configured with 2 independent remote Fortigate firewalls and interesting traffic is initiated from the remote side and routed via those Fortigate firewalls, they will both attempt to establish a VPN tunnel to your router.

You could configure the remote Fortigate devices to answer only/responder only, therefore the tunnel is established from your router to 1.1.1.1; only if that fails will it fail over and establish a tunnel to 2.2.2.2. Or you configure the router to initiate the tunnel only. Or you could configure a VTI to both Fortigates and use routing to prefer which tunnel to use as primary.


Thanks guys for your replies.

I don't use VTI because I'm not confident with VTI tunnel configuration. I used the crypto map, and when I configure a single one (for both IP addresses), the tunnel's phase 1 and phase 2 are up and I'm able to ping the customer's loopback.

I forgot to include a relevant part of the configuration here: the router's port configuration.

interface GigabitEthernet0/0/2
description SType[OUTSIDE] Customer
ip vrf forwarding INTERNET
ip address 10.10.10.2 255.255.255.240
standby 1 ip 10.10.10.3
standby 1 priority 120
standby 1 preempt
standby 1 name VPNHA
standby 1 track 11 decrement 30
negotiation auto
crypto map VPN_TRAFFIC redundancy VPNHA

The problem was the redundancy command, because the IP address changed from one router to the other and this caused the tunnel reset. After removing this command, both tunnels are up.

Can someone post a very simple VTI VPN configuration, so I can study it? Maybe I will implement it next time.

Thanks a lot for your support.

Giorgio
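As an added example (not a reply from the thread and not the original poster's configuration), this is the same pair of Fortigate peers rebuilt as two static VTIs with a preferred and a floating route, which is what the earlier replies suggested. It assumes the keyring, IKEv2 proposal and policy from the first post, a single router without the HSRP `redundancy` keyword, `Customer` as the inside VRF, and placeholder tunnel addresses in 10.255.0.0/30 and 10.255.0.4/30.

```cisco
! Added example (not from the thread): the original two peers as SVTIs instead of a crypto map.
! Assumes the keyring, proposal and policy from the original post, a single router without the
! HSRP "redundancy" keyword, and placeholder tunnel addresses 10.255.0.0/30 and 10.255.0.4/30.
!
! One IKEv2 profile that matches both peers (the original matched only 1.1.1.1)
crypto ikev2 profile Customer_IKEv2
 match fvrf INTERNET
 match identity remote address 1.1.1.1 255.255.255.255
 match identity remote address 2.2.2.2 255.255.255.255
 identity local address 4.4.4.4
 authentication remote pre-share
 authentication local pre-share
 keyring local Customer_IKEv2
 ! DPD tears down the SA of a dead peer, which drops the VTI line protocol and its route
 dpd 10 3 periodic
!
crypto ipsec transform-set Customer_IKEv2 esp-aes 256 esp-sha512-hmac
 mode tunnel
!
! An IPsec profile replaces the crypto map; no crypto ACL is needed, routing selects the traffic
crypto ipsec profile Customer_IKEv2
 set transform-set Customer_IKEv2
 set ikev2-profile Customer_IKEv2
!
interface Tunnel1
 description SVTI to Fortigate TURIN (primary)
 ip vrf forwarding Customer
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/2
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel vrf INTERNET
 tunnel protection ipsec profile Customer_IKEv2
!
interface Tunnel2
 description SVTI to Fortigate MILAN (backup)
 ip vrf forwarding Customer
 ip address 10.255.0.5 255.255.255.252
 tunnel source GigabitEthernet0/0/2
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel vrf INTERNET
 tunnel protection ipsec profile Customer_IKEv2
!
! Both tunnels stay up; routing prefers Tunnel1, and the floating static (AD 10)
! via Tunnel2 is installed only while Tunnel1 is down
ip route vrf Customer 172.16.10.0 255.255.255.0 Tunnel1
ip route vrf Customer 172.16.10.0 255.255.255.0 Tunnel2 10
```

The Fortigate side needs an interface-mode (route-based) tunnel whose selectors are 0.0.0.0/0, because an SVTI negotiates any/any instead of the crypto ACL.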