OK, I tried to follow all the WAN / VPN failover steps with no luck. I was able to get the Internet to fail over, but not the VPN. When I try to create two VPNs from main to remote, it will not allow me to use the same peer IP address twice, nor will it allow me to create a crypto ike with peer any twice. Can anyone help me out? See the error below.
7100 at main location ----WAN 1 --------------------------------VPN WAN 1-------Remote
---------------------------------WAN 2 --------------------------------VPN WAN 1 ------Remote
ip crypto
!
crypto ike policy 10
initiate main
respond main
local-id address 24.24.24.24
peer 44.44.44.44
attribute 1
encryption 3des
hash md5
authentication pre-share
crypto ike policy 20
initiate main
respond main
local-id address 34.34.34.34
peer 44.44.44.44 - %IP address 44.44.44.44 is assigned to IKE policy 20 - Any way around this, or any suggestions?
Main(config-ike)#peer any %IKE policy 101 is already a "peer any" policy - This doesn't work either. I can't have two VPNs connected to a site with peer any?
This document covers redundant VPN backup:
For your application since one site has a single WAN as opposed to both sites having two WANs you will have to make some slight changes. The side that has one WAN will have two IKE policies with two crypto map entries just like the guide details, but the side with two WANs will only have one IKE policy with two different crypto map entries. Then the track would be applied to the primary crypto map entry so that it is removed when the primary WAN goes down and the failover kicks in.
Before you configure anything you should be advised that this application is not supported on the NetVanta 7100. Both route-maps and network monitor are used, which are not supported features on the NetVanta 7100 as outlined in our Feature Matrix.
Thanks,
Matt
Thanks Matt, I'm really sorry, but I can be a bit slow. Here's just a simple VPN question.
Does the local-id have to match the other side's remote-id, and vice versa?
Here is the problem I'm running into...
Example: MAIN SITE - 2 WAN - 1 crypto ike policy - 2 crypto map policy
crypto ike policy 100
initiate main
respond main
peer CC.CC.CC.CC
local-id address AA.AA.AA.AA - WHICH IP ADDRESS do I use? WAN 1 or WAN 2?
attribute 1
encryption 3des
hash md5
authentication pre-share
ip crypto map VPN 30 ipsec-ike
description remote
match track PrimaryInternet
match address ip VPN-30-vpn-selectors1
set peer CC.CC.CC.CC
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
ip crypto map VPN 40 ipsec-ike
description remote fail over VPN
match address ip VPN-30-vpn-selectors1
set peer CC.CC.CC.CC
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 40 no-mode-config no-xauth ***** It will delete this one as soon as I add the other one
crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 30 no-mode-config no-xauth ***** It will delete this one as soon as I add the other one
Should I just use a different remote-id besides the address?
REMOTE SITE - 1 WAN - 2 crypto ike - 2 crypto map
crypto ike policy 100
initiate main
respond anymode
local-id address CC.CC.CC.CC
peer AA.AA.AA.AA
attribute 1
encryption 3des
hash md5
authentication pre-share
crypto ike policy 101
initiate aggressive
respond aggressive
local-id address CC.CC.CC.CC
peer BB.BB.BB.BB
attribute 1
encryption 3des
hash md5
authentication pre-share
crypto ike remote-id address AA.AA.AA.AA preshared-key testpassword ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id address BB.BB.BB.BB preshared-key testpassword ike-policy 101 crypto map VPN 10 no-mode-config no-xauth
ip crypto map VPN 10 ipsec-ike
description MAINPRIMARY
match track VPNPeerWAN1
match address ip VPN-10-vpn-selectors1
set peer AA.AA.AA.AA
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
ip crypto map VPN 11 ipsec-ike
description MAINBACKUP
match track NotVPNPeerWAN1
match address ip VPN-10-vpn-selectors1
set peer BB.BB.BB.BB
set transform-set esp-3des-esp-md5-hmac
ike-policy 101
I'm really hoping that this makes sense. I'm having a hard time finding the combination that matches.
I have some additional information that will hopefully clear some of this up. For the site with 2 WANs, as long as you have it set to initiate and respond in main mode, you can omit the local-id statement, which will cause the egress WAN IP address to be used for the local-id. You should also give the crypto maps different names instead of the same name with different sequence numbers (ex: ip crypto map VPN-PRIMARY 10 ipsec-ike and ip crypto map VPN-BACKUP 10 ipsec-ike). I believe that will take care of the remote-id issue you are seeing. For the site with 1 WAN, you should make sure both ike policies are set to no initiate and respond main. Also, that site should not use a track as it will just respond and not initiate. Hopefully that helps. If you have any more questions, please don't hesitate to respond.
Thanks,
Matt
Thanks Matt again.
It is good to know that I can omit the local-id if I'm using main mode. That clears up 1 question.
I changed the name to be something totally different, yet same issue. I've changed it from VPN 11 to BACKUPVPN 11. Is it that we can't have the same remote-id address?
crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 10 no-mode-config no-xauth ***** It will delete this one as soon as I add the other one even AFTER I change the name to be something totally different like BACKUPVPN 11
crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map BACKUPVPN 11 no-mode-config no-xauth ****It will delete this one as soon as I add the other one even AFTER I change the name to be something totally different like BACKUPVPN 11
crypto ike policy 100
initiate main
respond main
peer CC.CC.CC.CC
attribute 1
encryption 3des
hash md5
authentication pre-share
ip crypto map VPN 10 ipsec-ike - as you can see I do have a different name
description MAINPRIMARY
match track VPNPeerWAN1
match address ip VPN-10-vpn-selectors1
set peer AA.AA.AA.AA
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
ip crypto map BACKUPVPN 11 ipsec-ike - as you can see I do have a different name
description MAINBACKUP
match track NotVPNPeerWAN1
match address ip VPN-10-vpn-selectors1
set peer BB.BB.BB.BB
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
Sorry for the confusion. You are correct that AOS will not allow the second crypto ike remote-id statement with the same IP address. There are two options for this setup. The first is to only use one statement and omit the crypto map from it, as it is an optional parameter. Here is an example of the statement without the crypto map specified:
crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 no-mode-config no-xauth
If it is omitted, AOS will automatically use the proper crypto map from the security association that is created. However, if it is specified, that restricts the remote-id to a particular crypto map, and as you discovered duplicate statements with the same IP are not permitted.
The other option, and the recommended approach, is at the 2 WAN site just have one ike policy with no local-id specified, and use only one crypto map with no track applied. As long as ip crypto fast-failover is included in the configuration and Network Monitor is used to change the default route when the primary WAN goes down, a new tunnel will be initiated from the secondary WAN automatically.
Thanks,
Matt
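Pulling Matt's recommended approach together, here is a constructed configuration for both sites. This is an added example, not a config from the original posts or from ADTRAN: the 2-WAN site gets one IKE policy with no local-id, one untracked crypto map, one remote-id statement without a crypto map, and ip crypto fast-failover; the 1-WAN site keeps two IKE policies (no initiate, respond main) and two crypto maps with no track. Only command forms that appear in the thread are reused as written; the transform-set definition, the Network Monitor probe/track lines and the tracked default routes are assumed AOS syntax that should be verified against the AOS Network Monitor guide. AA.AA.AA.AA, BB.BB.BB.BB, CC.CC.CC.CC, the next-hop placeholders, the preshared key and the selector access lists (assumed to be defined elsewhere) are placeholders, and lines starting with ! are annotations.

```text
! ===== 2-WAN (main) site: constructed example, not the poster's config =====
ip crypto
! fast-failover lets a new tunnel come up from the secondary WAN once the default route moves
ip crypto fast-failover
!
! assumed syntax: transform set referenced by the crypto maps below
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
! one IKE policy, no local-id: in main mode the egress WAN address is used as the local-id
crypto ike policy 100
  initiate main
  respond main
  peer CC.CC.CC.CC
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
! one remote-id with the optional "crypto map" omitted, so AOS picks the map from the SA
! (a second statement for the same address would replace this one)
crypto ike remote-id address CC.CC.CC.CC preshared-key PLACEHOLDER-PSK ike-policy 100 no-mode-config no-xauth
!
! one crypto map and no "match track": the tunnel follows whichever WAN holds the default route
ip crypto map VPN 10 ipsec-ike
  description remote
  match address ip VPN-10-vpn-selectors1
  set peer CC.CC.CC.CC
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
! assumed Network Monitor syntax: probe the WAN 1 next hop, track it, and swing the default route
probe PrimaryInternet icmp-echo
  destination WAN1-NEXTHOP-PLACEHOLDER
  no shutdown
track PrimaryInternet
  test if probe PrimaryInternet
  no shutdown
! primary default route is withdrawn when the track fails; the higher-distance backup then wins
ip route 0.0.0.0 0.0.0.0 WAN1-NEXTHOP-PLACEHOLDER track PrimaryInternet
ip route 0.0.0.0 0.0.0.0 WAN2-NEXTHOP-PLACEHOLDER 10
!
! ===== 1-WAN (remote) site: constructed example =====
ip crypto
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
! two IKE policies, one per main-site WAN address; this side only responds, never initiates
crypto ike policy 100
  no initiate
  respond main
  local-id address CC.CC.CC.CC
  peer AA.AA.AA.AA
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
crypto ike policy 101
  no initiate
  respond main
  local-id address CC.CC.CC.CC
  peer BB.BB.BB.BB
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
! distinct remote-id addresses, so two statements are allowed here
crypto ike remote-id address AA.AA.AA.AA preshared-key PLACEHOLDER-PSK ike-policy 100 crypto map VPN-PRIMARY 10 no-mode-config no-xauth
crypto ike remote-id address BB.BB.BB.BB preshared-key PLACEHOLDER-PSK ike-policy 101 crypto map VPN-BACKUP 10 no-mode-config no-xauth
!
! two crypto maps with different names and no "match track" on the responding side
ip crypto map VPN-PRIMARY 10 ipsec-ike
  description MAINPRIMARY
  match address ip VPN-10-vpn-selectors1
  set peer AA.AA.AA.AA
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
ip crypto map VPN-BACKUP 10 ipsec-ike
  description MAINBACKUP
  match address ip VPN-10-vpn-selectors1
  set peer BB.BB.BB.BB
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 101
```

The 3DES/MD5 values are carried over from the thread's own configs; they are weaker than the AES and SHA options AOS also offers, so treat them as placeholders rather than a recommendation. After a failover, "show crypto ike sa" and "show crypto ipsec sa" on the 2-WAN site should show the SA sourced from the WAN that now holds the default route, which is the quickest way to confirm fast-failover and the track are working together.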