VPN problem with crypto map redundancy

ttw-ict-lej (Level 1)

Hello,

I can successfully bring up a VPN connection with a non-redundancy crypto map on the interface.


If I change the interface crypto map setting from "crypto map VPNs" to "crypto map VPNs redundancy EXT-VIP", phase 2 of the VPN tunnel can't be established anymore.

debug crypto shows the following messages:
CEST: IPSEC(ipsec_process_proposal): invalid local address 200.200.200.200

IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.252.20, remote= 100.100.100.100,

It seems that the reason for this problem is that the IPsec communication uses the HSRP VIP 192.168.252.20 and not the Loopback0 address, which should be used because of "crypto map VPNs local-address Loopback0".

System Information:

Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M3, RELEASE SOFTWARE (fc2)


The configuration looks as follows:

crypto map VPNs local-address Loopback0
crypto map VPNs 1 ipsec-isakmp
 description VPN-Tunnel-01
 set peer 100.100.100.100
 set security-association idle-time 3600
 set transform-set ESP-3DES-MD5
 match address VPN-01

interface Loopback0
 ip address 200.200.200.200 255.255.255.255

interface GigabitEthernet0/0
 ip address 192.168.252.21 255.255.255.224
 ip access-group debug_ext in
 ip access-group debug_ext out
 duplex auto
 speed auto
 standby 2 ip 192.168.252.20
 standby 2 priority 150
 standby 2 preempt
 standby 2 name EXT-VIP
 standby 2 track 1 decrement 110
 standby 2 track 2 decrement 110
 crypto map VPNs redundancy EXT-VIP
 crypto map VPNs

Hopefully I will find a solution here.

Thanks & Regards,

André

4 Replies

Yudong Wu (Level 7)

You have to use HSRP IP for VPN tunnel endpoint IP if you would like to implement this redundancy. That is how the redundancy works.

Just remove the "crypto map VPNs local-address Loopback0" and reconfigure the remote end to point to HSRP IP.

Hi,

thank you for the reply.

Is it possible to use address translation from the VIP to the loopback address to get this working?

I don't have enough space in the address range of the VPN peer addresses to use it for HSRP.

Regards,

André

You can use NAT. I am not sure how your setup is, but I think you might have to do the NAT on the device in front of these two HSRP routers.

Ale_009 (Level 1)

Hi ttw-ict-lej!

I found a possible solution to the problem. When I check the crypto sessions, I can see the desired IP address and the session is UP-ACTIVE. I haven't tested triggering the failover.

You can make the following modifications to the configuration:

! Remove the crypto map local-address
! It only works for using the same IP address on different physical interfaces, without redundancy
no crypto map VPNs local-address Loopback0
crypto map VPNs 1 ipsec-isakmp
 description VPN-Tunnel-01
 set peer 100.100.100.100
 set security-association idle-time 3600
 set transform-set ESP-3DES-MD5
 match address VPN-01

! No need to use this interface anymore
no interface Loopback0
! ip address 200.200.200.200 255.255.255.255

interface GigabitEthernet0/0
 ip address 192.168.252.21 255.255.255.224
 ! Add the network containing the desired IP to the interface
 ip address 200.200.200.201 255.255.255.248 secondary
 ip access-group debug_ext in
 ip access-group debug_ext out
 duplex auto
 speed auto
 standby 2 ip 192.168.252.20
 standby 2 priority 150
 standby 2 preempt
 standby 2 name EXT-VIP
 standby 2 track 1 decrement 110
 standby 2 track 2 decrement 110
 ! Create a secondary HSRP group to assign the desired IP
 standby 3 ip 200.200.200.200
 ! Use the keyword follow to track the master HSRP group
 standby 3 follow EXT-VIP
 ! Give it a name
 standby 3 name EXT-VIP-TO-CMAP
 ! And finally assign this new name to the redundancy in the crypto map command
 crypto map VPNs redundancy EXT-VIP-TO-CMAP
 crypto map VPNs

I'm using IOS Version 15.4(3)M8.

The details of the standby follow command are here:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/command/fhp-cr-book/fhp-s2.html#wp6905113930

The details of the crypto map local-address command are here:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c4.html#wp1755574933

I hope this helps to resolve the problem.

Regards.
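The two configuration points raised in this thread (the original poster's "local-address Loopback0" combined with "redundancy EXT-VIP", and Ale_009's secondary HSRP group that follows the master group) can be checked mechanically before a change window. The script below is an added example, not code from the thread or from Cisco: it is a small linter over running-config text that models only the commands shown in the thread (top-level "crypto map <name> local-address <intf>", interface sections with "standby <n> ip|name|follow <value>" and "crypto map <name> [redundancy <hsrp-name>]"). The two sample configurations are constructed from the thread's addresses and names, indented with one leading space before sub-commands as "show running-config" prints them; that indentation is what the parser uses to find section boundaries.

```python
"""Lint an IOS running-config for the crypto-map / HSRP redundancy conflict.
Added example, not from the thread. It models only the commands the thread
shows: 'crypto map <name> local-address <intf>', 'interface' sections with
'standby <n> ip|name|follow <value>' and 'crypto map <name> [redundancy <hsrp>]'."""

# Constructed sample: the original poster's failing combination, indented as
# 'show running-config' prints it (one space before sub-commands).
BEFORE = """\
crypto map VPNs local-address Loopback0
crypto map VPNs 1 ipsec-isakmp
 set peer 100.100.100.100
!
interface GigabitEthernet0/0
 ip address 192.168.252.21 255.255.255.224
 standby 2 ip 192.168.252.20
 standby 2 name EXT-VIP
 crypto map VPNs redundancy EXT-VIP
"""

# Constructed sample: Ale_009's layout, a second HSRP group that carries the
# former loopback address and follows the master group.
AFTER = """\
crypto map VPNs 1 ipsec-isakmp
 set peer 100.100.100.100
!
interface GigabitEthernet0/0
 ip address 192.168.252.21 255.255.255.224
 ip address 200.200.200.201 255.255.255.248 secondary
 standby 2 ip 192.168.252.20
 standby 2 name EXT-VIP
 standby 3 ip 200.200.200.200
 standby 3 follow EXT-VIP
 standby 3 name EXT-VIP-TO-CMAP
 crypto map VPNs redundancy EXT-VIP-TO-CMAP
"""


def parse_config(text):
    """Return (maps, ifaces): crypto maps with their local-address, and per
    interface the HSRP groups plus the crypto map lines applied to it."""
    maps, ifaces, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        words = raw.split()
        if not raw.startswith(" "):          # top-level command: starts a new section
            current = None
            if words[:2] == ["crypto", "map"] and len(words) >= 3:
                entry = maps.setdefault(words[2], {"local_address": None})
                if len(words) >= 5 and words[3] == "local-address":
                    entry["local_address"] = words[4]
            elif words[0] == "interface" and len(words) == 2:
                current = ifaces.setdefault(words[1], {"standby": {}, "maps": []})
            continue
        if current is None:                  # sub-command of a section we do not model
            continue
        if words[0] == "standby" and len(words) >= 4 and words[2] in ("ip", "name", "follow"):
            grp = current["standby"].setdefault(words[1], {"ip": None, "name": None, "follow": None})
            grp[words[2]] = words[3]
        elif words[:2] == ["crypto", "map"] and len(words) >= 3:
            red = words[4] if len(words) >= 5 and words[3] == "redundancy" else None
            current["maps"].append((words[2], red))
    return maps, ifaces


def hsrp_group(iface, name):
    """HSRP group on this interface whose 'standby <n> name' is <name>, or None."""
    return next((g for g in iface["standby"].values() if g["name"] == name), None)


def lint(text):
    """Findings for every interface that applies a crypto map with 'redundancy'."""
    maps, ifaces = parse_config(text)
    out = []
    for ifname, iface in ifaces.items():
        for mapname, red in iface["maps"]:
            if red is None:
                continue
            local = maps.get(mapname, {}).get("local_address")
            if local:   # the poster's combination: the VIP is the endpoint, local-address conflicts
                out.append(f"{ifname}: map {mapname} uses redundancy {red} but sets local-address {local}")
            grp = hsrp_group(iface, red)
            if grp is None:
                out.append(f"{ifname}: redundancy group {red} is not an HSRP group name here")
            elif grp["ip"] is None:
                out.append(f"{ifname}: HSRP group {red} has no VIP to use as tunnel endpoint")
            elif grp["follow"] and hsrp_group(iface, grp["follow"]) is None:
                out.append(f"{ifname}: group {red} follows {grp['follow']}, which is not defined here")
    return out


def tunnel_endpoint(text, ifname):
    """VIP that IPsec on <ifname> sources from under redundancy, or None."""
    _, ifaces = parse_config(text)
    iface = ifaces.get(ifname, {"standby": {}, "maps": []})
    for _mapname, red in iface["maps"]:
        grp = hsrp_group(iface, red) if red else None
        if grp:
            return grp["ip"]
    return None
```

Run against the BEFORE sample, lint() reports the single conflict (map VPNs applied with redundancy while still carrying local-address Loopback0) and tunnel_endpoint() shows that the endpoint would be the group-2 VIP 192.168.252.20, which is exactly the mismatch visible in the poster's debug output. Against the AFTER sample there are no findings and the endpoint is 200.200.200.200, carried by group 3. The linter only tells you the configuration is internally consistent; as Ale_009 notes, the failover itself still needs to be tested.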