
VRF and IPsec tunnel

MrBeginner
Spotlight

Hi,

I would like to ask about VRF. I don't have much knowledge of VRF. Our DC router has 2 VRFs to separate remote users and our branch users. We apply an IPsec profile on the WAN interface which is connected to the branch routers. But our branch routers don't run VRF and are running IPsec only. All are operational and working properly.

Existing Setting.jpg

Now we have a plan to add one router on the DC side for redundancy. But the secondary tunnel is not up.

So please let me know, is my design wrong?

Can I add one more tunnel on the branch router without using a GRE tunnel?

upgrade.jpg

6 Replies

Hi @MrBeginner 

Are you using tunnel interfaces or a crypto map?

If using a crypto map, you just specify each DC router as a peer; this would be Active/Standby.

If using a tunnel interface (FlexVPN) then you could either have 2 tunnel interfaces or use FlexClient and specify in Active/Standby failover configuration.

If you need further assistance, can you please provide the configuration from your routers?

Hi,

The main issue is that the DC routers I am using are HP routers and the branch routers are Cisco. The HP forum is not active, so I posted on this community.

@MrBeginner  are you using a simple policy based VPN (crypto map)? What is your configuration? If you've defined 2 peers under the crypto map of the branch router, then the 2nd tunnel will only establish once the primary tunnel fails.
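The Active/Standby crypto map described in the replies above, as an added example that is not part of the original thread: a branch-router (Cisco IOS) policy-based VPN with both DC routers listed as peers. All names, addresses, subnets and the key are constructed placeholders, and IKEv1 with pre-shared keys is an assumption, since the thread does not show the actual configuration.

```cisco
! Constructed example: 198.51.100.1 = primary DC router, 198.51.100.2 = new DC router
! (documentation addresses, not taken from the thread)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One pre-shared key entry per DC peer (placeholder key)
crypto isakmp key <PLACEHOLDER-PSK> address 198.51.100.1
crypto isakmp key <PLACEHOLDER-PSK> address 198.51.100.2
!
! Dead peer detection: keepalive every 10 s, retry every 3 s,
! so a failed primary is noticed and the next peer is tried
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-DC esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: branch LAN to DC networks (assumed subnets)
ip access-list extended ACL-BRANCH-TO-DC
 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.0.255.255
!
! Peers are tried in the order listed; only one tunnel is up at a time
crypto map CMAP-DC 10 ipsec-isakmp
 set peer 198.51.100.1
 set peer 198.51.100.2
 set transform-set TS-DC
 match address ACL-BRANCH-TO-DC
!
! Assumed WAN interface name
interface GigabitEthernet0/0
 crypto map CMAP-DC
```

With this layout `show crypto isakmp sa` on the branch router lists a security association to only one DC peer at a time, so a second tunnel that stays down while the primary is healthy is expected behaviour rather than a fault.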

Two DC routers to one branch router cannot be done unless you use GRE, using the same WAN interface as the tunnel source, with the tunnel destinations being the two DC routers.

The VRF of the DC does not affect the branch IPsec tunnel.

Hi,

Do you mean the DC site also uses VRF with GRE, correct?

The DC has two edge routers; each one has its VRF link to the ISP.

Here the source of the tunnel is the VRF, not the tunnel itself.

And hence you will get two GRE tunnels:

GRE tunnel 1 source is VRF 1

GRE tunnel 2 source is VRF 2