Re: VPN ISSUE !!

From: Bogdan Sass (bogdan.sass@catc.ro)
Date: Mon Oct 13 2008 - 04:49:57 ART

• Next message: Reza Toghraee: "Cisco Assessor Lab, is it a MUST?"
• Previous message: Reza Toghraee: "Corrected OSPF Question, how to prefer inter area routes, over"
• Maybe in reply to: Ovais Iqbal: "VPN ISSUE !!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Ovais Iqbal wrote:
> Hello all, i am deploying VPN in my environment but face this strange issue, but first look at my scenario.
>
> I have 2 routers with 2 links to each other, 1 DSL and other Wimax. On both routers i have formed GRE tunnels lets name them tunnel 1 and tunnel 2. I am running ospf and have adjusted the cost such that tunnel 1 is primary and tunnel 2 is backup. so far everything is running fine. Now i want to deploy simple site to site vpn such that, when tunnel 1 is up VPN is formed between link 1, and when tunnel 1 is down and tunnel 2 is up VPN is formed between link 2. but i dont know how to do it, see following config
>
> tunnel 1 (Wimax) destination is lets say 1.1.1.1
> tunnel 2 (DSL) destination is 2.2.2.2
>
>
> crypto map mymap 10 ipsec-isakmp
> mat address 101
> set peer 1.1.1.1
> set peer 2.2.2.2
> set transform-set sample
>
> Now you can see the issue, crypto map doesnt care which tunnel my traffic is going through, it will make peer with 1.1.1.1 and thats all !!!, i want it to make vpn tunnel with both the peers that is 1.1.1.1 and 2.2.2.2, how can i do it ??? if this is not possible then suggest me what else to do, i know its a very common scenario there should be some solution to it,
>
>
    I do not understand what you want to accomplish. If you want the
2.2.2.2 endpoint to be a backup for 1.1.1.1 (so that when the first
tunnel is down, the second one is used), your configuration should work.
    With your config, the router tries the peers in order. If 1.1.1.1
doesn't reply, it will go to 2.2.2.2, and try to establish the VPN
through it.

    If, however, you wish both of the VPNs to be up at the same time, I
don't think that is possible (not with the same ACL matching interesting
traffic).

-- 
Bogdan Sass
CCAI,CCSP,JNCIA-ER,CCIE #22221 (RS)
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"
Blogs and organic groups at http://www.ccie.net

• Next message: Reza Toghraee: "Cisco Assessor Lab, is it a MUST?"
• Previous message: Reza Toghraee: "Corrected OSPF Question, how to prefer inter area routes, over"
• Maybe in reply to: Ovais Iqbal: "VPN ISSUE !!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:20 ARST