Support
Community

This document covers redundant VPN backup:

For your application since one site has a single WAN as opposed to both sites having two WANs you will have to make some slight changes.  The side that has one WAN will have two IKE policies with two crypto map entries just like the guide details, but the side with two WANs will only have one IKE policy with two different crypto map entries.  Then the track would be applied to the primary crypto map entry so that it is removed when the primary WAN goes down and the failover kicks in.

Before you configure anything you should be advised that this application is not supported on the NetVanta 7100.  Both route-maps and network monitor are used, which are not supported features on the NetVanta 7100 as outlined in our Feature Matrix. 

Thanks,

Matt

Thans Matt, I'm really sorry, but I can be a bit slow.  Here's just a simple vpn question.

Does the local id have to match the other side remote id? vise versa?
Here are my the problem I'm running into........

Example: MAIN SITE - 2 WAN - 1 crypto ike policy - 2 crypto map policy

crypto ike policy 100

initiate main

respond main

peer CC.CC.CC.CC
local-id address AA.AA.AA.AA - WHICH IP ADDRESS do I use?  WAN 1 or WAN 2?

attribute 1
encryption 3des
hash md5

authentication pre-share

ip crypto map VPN 30 ipsec-ike

  description remote

  match track PrimaryInternet

  match address ip VPN-30-vpn-selectors1

  set peer CC.CC.CC.CC

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100

ip crypto map VPN 40 ipsec-ike

  description remote fail over VPN

  match address ip VPN-30-vpn-selectors1

  set peer CC.CC.CC.CC  

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100

crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 40 no-mode-config no-xauth ***** It will delete this one as soon as I add the other one

crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 30 no-mode-config no-xauth ***** It will delete this one as soon as I add the other one

should I just a different remote-id besides the address?

REMOTE SITE - 1 WAN - 2 crypto ike - 2 crypto map

crypto ike policy 100

  initiate main

  respond anymode

  local-id address CC.CC.CC.CC

  peer AA.AA.AA.AA

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

crypto ike policy 101

  initiate aggressive

  respond aggressive

  local-id address CC.CC.CC.CC

  peer BB.BB.BB.BB

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

crypto ike remote-id address AA.AA.AA.AA preshared-key testpassword ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

crypto ike remote-id address BB.BB.BB.BB preshared-key testpassword ike-policy 101 crypto map VPN 10 no-mode-config no-xauth

ip crypto map VPN 10 ipsec-ike

  description MAINPRIMARY

  match track VPNPeerWAN1

  match address ip VPN-10-vpn-selectors1

  set peer AA.AA.AA.AA

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100

ip crypto map VPN 11 ipsec-ike

  description MAINBACKUP

  match track NotVPNPeerWAN1

  match address ip VPN-10-vpn-selectors1

  set peer BB.BB.BB.BB

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 101

I'm really hoping that this make sense.  I'm having a hard time finding the combination that matches.

I have some additional information that will hopefully clear some of this this up.  For the site with 2 WANS, as long as you have it set to initiate and respond in main mode, you can omit the local-id statement, which will cause the egress WAN IP address to be used for the local-id.  You should also give the crypto maps different names instead of the same name with different sequence numbers (ex: ip crypto map VPN-PRIMARY 10 ipsec-ike and ip crypto map VPN-BACKUP 10 ipsec-ike).  I believe that will take care of the remote-id issue you are seeing. For the site with 1 WAN, you should make sure both ike policies are set to no initiate and respond main.  Also, that site should not use a track as it will just respond and not initiate.  Hopefully that helps.  If you have any more questions, please don't hesitate to respond.

Thanks,

Matt

Thanks Matt again.

It is good to know that I can omit the local-id if I'm using main mode.  That clear up 1 question.

I change the name to be something totally different, yet same issue.  I've change it from VPN 11 to BACKUPVPN 11.  Is it that we can't have to same remote id address?

crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 10 no-mode-config no-xauth ***** It will delete this one as soon as I add the other one even AFTER I change the name to be something totally different like BACKUPVPN 11

crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map BACKUPVPN 11 no-mode-config no-xauth ****It will delete this one as soon as I add the other one even AFTER I change the name to be something totally different like BACKUPVPN 11

crypto ike policy 100

initiate main

respond main

peer CC.CC.CC.CC

attribute 1
encryption 3des
hash md5

authentication pre-share

ip crypto map VPN 10 ipsec-ike  - as You can see I do have a different name

  description MAINPRIMARY

  match track VPNPeerWAN1

  match address ip VPN-10-vpn-selectors1

  set peer AA.AA.AA.AA

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100

ip crypto map BACKUPVPN 11 ipsec-ike - as You can see I do have a different name

  description MAINBACKUP

  match track NotVPNPeerWAN1

  match address ip VPN-10-vpn-selectors1

  set peer BB.BB.BB.BB

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100