cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Contributor III
Contributor III

VPN failover from Main Site (two wan) to Remote site (1 wan)

Jump to solution

Ok, I try to follow all the WAN / VPN failover with no luck.  I was able to get the Internet to failover, but not the VPN.  When I try to create two VPN from main to remote, it will not allow me to use the same peer ip address twice, or will it allow me to create a crypto ike with peer any twice?  Can any help me out?  See the error below.

7100 at main location ----WAN 1 --------------------------------VPN WAN 1-------Remote

---------------------------------WAN 2 --------------------------------VPN WAN 1 ------Remote

ip crypto

!

crypto ike policy 10

  initiate main

  respond main

  local-id address 24.24.24.24

  peer 44.44.44.44

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

crypto ike policy 20
  initiate main
  respond main
  local-id address 34.34.34.34
  peer 44.44.44.44 - %IP address 44.44.44.44 is assigned to IKE policy 20 - Anyway Around this or any suggestion?

Main(config-ike)#peer any %IKE policy 101 is already a "peer any" policy - This doesn't work neither - I can't have two VPN connected to a site with peer any?

Tags (4)
0 Kudos
Reply
1 Solution

Accepted Solutions
Highlighted
Anonymous
Not applicable

Re: VPN failover from Main Site (two wan) to Remote site (1 wan)

Jump to solution

Sorry for the confusion.  You are correct that AOS will not allow the second crypto ike remote-id statement with the same IP address.  There are two options for this setup.  The first is to only use one statement and omit the crypto map from it, as it is an optional parameter. Here is an example of the statement without the crypto map specified:


crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 no-mode-config no-xauth


If it is omitted, AOS will automatically use the proper crypto map from the security association that is created.  However, if it is specified, that restricts the remote-id to a particular crypto map, and as you discovered duplicate statements with the same IP are not permitted.

The other option, and the recommended approach, is at the 2 WAN site just have one ike policy with no local-id specified, and use only one crypto map with no track applied.  As long as ip crypto fast-failover is included in the configuration and Network Monitor is used to change the default route when the primary WAN goes down, a new tunnel will be initiated from the secondary WAN automatically.

Thanks,

Matt

View solution in original post

0 Kudos
Reply
5 Replies
Highlighted
Anonymous
Not applicable

Re: VPN failover from Main Site (two wan) to Remote site (1 wan)

Jump to solution

This document covers redundant VPN backup:

For your application since one site has a single WAN as opposed to both sites having two WANs you will have to make some slight changes.  The side that has one WAN will have two IKE policies with two crypto map entries just like the guide details, but the side with two WANs will only have one IKE policy with two different crypto map entries.  Then the track would be applied to the primary crypto map entry so that it is removed when the primary WAN goes down and the failover kicks in.

Before you configure anything you should be advised that this application is not supported on the NetVanta 7100.  Both route-maps and network monitor are used, which are not supported features on the NetVanta 7100 as outlined in our Feature Matrix

Thanks,

Matt

0 Kudos
Highlighted
Contributor III
Contributor III

Re: VPN failover from Main Site (two wan) to Remote site (1 wan)

Jump to solution

Thans Matt, I'm really sorry, but I can be a bit slow.  Here's just a simple vpn question.

Does the local id have to match the other side remote id? vise versa?
Here are my the problem I'm running into........

Example: MAIN SITE - 2 WAN - 1 crypto ike policy - 2 crypto map policy

crypto ike policy 100

initiate main

respond main

peer CC.CC.CC.CC
local-id address AA.AA.AA.AA - WHICH IP ADDRESS do I use?  WAN 1 or WAN 2?

attribute 1
encryption 3des
hash md5

authentication pre-share

ip crypto map VPN 30 ipsec-ike

  description remote

  match track PrimaryInternet

  match address ip VPN-30-vpn-selectors1

  set peer CC.CC.CC.CC

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100

ip crypto map VPN 40 ipsec-ike

  description remote fail over VPN

  match address ip VPN-30-vpn-selectors1

  set peer CC.CC.CC.CC  

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100

crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 40 no-mode-config no-xauth ***** It will delete this one as soon as I add the other one

crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 30 no-mode-config no-xauth ***** It will delete this one as soon as I add the other one

should I just a different remote-id besides the address?

REMOTE SITE - 1 WAN - 2 crypto ike - 2 crypto map

crypto ike policy 100

  initiate main

  respond anymode

  local-id address CC.CC.CC.CC

  peer AA.AA.AA.AA

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

crypto ike policy 101

  initiate aggressive

  respond aggressive

  local-id address CC.CC.CC.CC

  peer BB.BB.BB.BB

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

crypto ike remote-id address AA.AA.AA.AA preshared-key testpassword ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

crypto ike remote-id address BB.BB.BB.BB preshared-key testpassword ike-policy 101 crypto map VPN 10 no-mode-config no-xauth

ip crypto map VPN 10 ipsec-ike

  description MAINPRIMARY

  match track VPNPeerWAN1

  match address ip VPN-10-vpn-selectors1

  set peer AA.AA.AA.AA

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100

ip crypto map VPN 11 ipsec-ike

  description MAINBACKUP

  match track NotVPNPeerWAN1

  match address ip VPN-10-vpn-selectors1

  set peer BB.BB.BB.BB

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 101

I'm really hoping that this make sense.  I'm having a hard time finding the combination that matches.

0 Kudos
Highlighted
Anonymous
Not applicable

Re: VPN failover from Main Site (two wan) to Remote site (1 wan)

Jump to solution

I have some additional information that will hopefully clear some of this this up.  For the site with 2 WANS, as long as you have it set to initiate and respond in main mode, you can omit the local-id statement, which will cause the egress WAN IP address to be used for the local-id.  You should also give the crypto maps different names instead of the same name with different sequence numbers (ex: ip crypto map VPN-PRIMARY 10 ipsec-ike and ip crypto map VPN-BACKUP 10 ipsec-ike).  I believe that will take care of the remote-id issue you are seeing. For the site with 1 WAN, you should make sure both ike policies are set to no initiate and respond main.  Also, that site should not use a track as it will just respond and not initiate.  Hopefully that helps.  If you have any more questions, please don't hesitate to respond.

Thanks,

Matt

0 Kudos
Highlighted
Contributor III
Contributor III

Re: VPN failover from Main Site (two wan) to Remote site (1 wan)

Jump to solution

Thanks Matt again.

It is good to know that I can omit the local-id if I'm using main mode.  That clear up 1 question.

I change the name to be something totally different, yet same issue.  I've change it from VPN 11 to BACKUPVPN 11.  Is it that we can't have to same remote id address?

crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 10 no-mode-config no-xauth ***** It will delete this one as soon as I add the other one even AFTER I change the name to be something totally different like BACKUPVPN 11

crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map BACKUPVPN 11 no-mode-config no-xauth ****It will delete this one as soon as I add the other one even AFTER I change the name to be something totally different like BACKUPVPN 11

crypto ike policy 100

initiate main

respond main

peer CC.CC.CC.CC

attribute 1
encryption 3des
hash md5

authentication pre-share

ip crypto map VPN 10 ipsec-ike  - as You can see I do have a different name

  description MAINPRIMARY

  match track VPNPeerWAN1

  match address ip VPN-10-vpn-selectors1

  set peer AA.AA.AA.AA

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100

ip crypto map BACKUPVPN 11 ipsec-ike - as You can see I do have a different name

  description MAINBACKUP

  match track NotVPNPeerWAN1

  match address ip VPN-10-vpn-selectors1

  set peer BB.BB.BB.BB

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 100

0 Kudos
Highlighted
Anonymous
Not applicable

Re: VPN failover from Main Site (two wan) to Remote site (1 wan)

Jump to solution

Sorry for the confusion.  You are correct that AOS will not allow the second crypto ike remote-id statement with the same IP address.  There are two options for this setup.  The first is to only use one statement and omit the crypto map from it, as it is an optional parameter. Here is an example of the statement without the crypto map specified:


crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 no-mode-config no-xauth


If it is omitted, AOS will automatically use the proper crypto map from the security association that is created.  However, if it is specified, that restricts the remote-id to a particular crypto map, and as you discovered duplicate statements with the same IP are not permitted.

The other option, and the recommended approach, is at the 2 WAN site just have one ike policy with no local-id specified, and use only one crypto map with no track applied.  As long as ip crypto fast-failover is included in the configuration and Network Monitor is used to change the default route when the primary WAN goes down, a new tunnel will be initiated from the secondary WAN automatically.

Thanks,

Matt

View solution in original post

0 Kudos
Reply