Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
552
Views
0
Helpful
4
Replies

VPN to remote site that have 2 failover link

HDBank Network
Level 1
Level 1

‎08-19-2013 02:51 AM

Dear support team,

I'm using a 1861 Router with C1861-ADVENTERPRISEK9-M IOS version to connect VPN site-to-site with DC site that have 2 VPN link for redundancy. The router can connect successfully if using crypto map with each public IP of DC site. My problem is when I add 1 more peer in crypto map and shutdown the running peer on DC site, connection between 2 site is failed while show crypto session of new peer is showing UP-ACTIVE.

Here's log show crypto session detail of new peer:

Interface: Dialer1
Uptime: 00:00:54
Session status: UP-ACTIVE     
Peer: y.y.y.y port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.0.35.5
      Desc: (none)
  IKE SA: local z.z.z.z/500 remote y.y.y.y/500 Active 
          Capabilities:(none) connid:2003 lifetime:00:04:05
  IPSEC FLOW: permit ip 10.2.1.0/255.255.255.0 0.0.0.0/0.0.0.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 1869 drop 0 life (KB/Sec) 4408194/245
        Outbound: #pkts enc'ed 3536 drop 158 life (KB/Sec) 4408171/245
  IPSEC FLOW: permit ip 10.2.1.0/255.255.255.0 128.0.0.0/192.0.0.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4487324/272
        Outbound: #pkts enc'ed 36 drop 46 life (KB/Sec) 4487320/272

Here's configuration:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 300
crypto isakmp key vpnkey address x.x.x.x
crypto isakmp key vpnkey address y.y.y.y
!         
!
crypto ipsec transform-set vpn esp-aes esp-sha-hmac 
!
crypto map test 100 ipsec-isakmp 
 set peer x.x.x.x
 set peer y.y.y.y
 set security-association lifetime seconds 300
 set transform-set vpn
 match address vpn
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username  password 
 crypto map test

Could you please help me find solution for this problem. Thank you so much.

Labels:
0 Helpful
4 Replies 4

jawad-mukhtar
Level 4
Level 4

‎08-19-2013 03:40 AM

check your routes.

Jawad

Jawad
0 Helpful

HDBank Network
Level 1
Level 1
In response to jawad-mukhtar

‎08-19-2013 04:08 AM

Thank Jawad.

My VPN topology is used for centralized Internet connection. Here's routing configuration:

ip route 0.0.0.0 0.0.0.0 Dialer1

I've just find an strange thing. After a long time (I think it takes more 1 hour) of failed connection for new peer, it turned successfully connection for that new peer. I had waited for about 1 hour before 2 days ago with continuous ping. I configured IKE renegotiation and SA lifetime are 5 minutes.

0 Helpful

czaja0000
Level 1
Level 1

‎08-19-2013 06:35 AM

Hi,

Try this.

1. Modify the configuration of crypto map, use the "default" option for the primary link in DC.

crypto map test 100 ipsec-isakmp
set peer x.x.x.x default
set peer y.y.y.y

2. Enable DPD (Dead Peer Detection) on both routers.

crypto isakmp keepalive  [retry-seconds] [periodic | on-demand]

Link: IPsec Dead Peer Detection

________________

Best regards,
MB

________________ Best regards, MB
0 Helpful

HDBank Network
Level 1
Level 1
In response to czaja0000

‎08-19-2013 07:38 AM

Thank czaja0000.

I tried 1 before but it didn't work.

With your option 2, I can not use it in my environment. At DC site, I use Checkpoint FW to establish VPN connection. My Checkpoint version does not support DPD.

0 Helpful
Customers Also Viewed These Support Documents