5 Replies Latest reply on Oct 4, 2013 9:55 AM by matt

    VPN failover from Main Site (two wan) to Remote site (1 wan)

    touristsis Visitor

      Ok, I tried to follow all the WAN / VPN failover instructions with no luck.  I was able to get the Internet to fail over, but not the VPN.  When I try to create two VPNs from main to remote, it will not allow me to use the same peer IP address twice, nor will it allow me to create a crypto ike policy with peer any twice.  Can anyone help me out?  See the error below.

      7100 at main location ----WAN 1 --------------------------------VPN WAN 1-------Remote

      ---------------------------------WAN 2 --------------------------------VPN WAN 1 ------Remote

      ip crypto
      !
      crypto ike policy 10
        initiate main
        respond main
        local-id address 24.24.24.24
        peer 44.44.44.44
        attribute 1
          encryption 3des
          hash md5
          authentication pre-share

      crypto ike policy 20
        initiate main
        respond main
        local-id address 34.34.34.34
        peer 44.44.44.44 - %IP address 44.44.44.44 is assigned to IKE policy 20 - Any way around this, or any suggestions?

      Main(config-ike)#peer any %IKE policy 101 is already a "peer any" policy - This doesn't work either - can't I have two VPNs connected to a site with peer any?

        • Re: VPN failover from Main Site (two wan) to Remote site (1 wan)
          Employee

          This document covers redundant VPN backup:

          Configuring Redundant VPN Tunnel Failover in AOS

           

          For your application since one site has a single WAN as opposed to both sites having two WANs you will have to make some slight changes.  The side that has one WAN will have two IKE policies with two crypto map entries just like the guide details, but the side with two WANs will only have one IKE policy with two different crypto map entries.  Then the track would be applied to the primary crypto map entry so that it is removed when the primary WAN goes down and the failover kicks in.

           

          Before you configure anything you should be advised that this application is not supported on the NetVanta 7100.  Both route-maps and network monitor are used, which are not supported features on the NetVanta 7100 as outlined in our Feature Matrix

           

          Thanks,

          Matt

            • Re: VPN failover from Main Site (two wan) to Remote site (1 wan)
              touristsis Visitor

              Thanks Matt, I'm really sorry, but I can be a bit slow.  Here's just a simple VPN question.

              Does the local-id have to match the other side's remote-id, and vice versa?
              Here are the problems I'm running into........

               

              Example: MAIN SITE - 2 WAN - 1 crypto ike policy - 2 crypto map policy

               

              crypto ike policy 100

              initiate main

              respond main

              peer CC.CC.CC.CC
              local-id address AA.AA.AA.AA - WHICH IP ADDRESS do I use?  WAN 1 or WAN 2?

              attribute 1
              encryption 3des
              hash md5

              authentication pre-share

               

              ip crypto map VPN 30 ipsec-ike

                description remote

                match track PrimaryInternet

                match address ip VPN-30-vpn-selectors1

                set peer CC.CC.CC.CC

                set transform-set esp-3des-esp-md5-hmac

                ike-policy 100

               

              ip crypto map VPN 40 ipsec-ike

                description remote fail over VPN

                match address ip VPN-30-vpn-selectors1

                set peer CC.CC.CC.CC  

                set transform-set esp-3des-esp-md5-hmac

                ike-policy 100

               

              crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 40 no-mode-config no-xauth ***** It will delete this one as soon as I add the other one

              crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 30 no-mode-config no-xauth ***** It will delete this one as soon as I add the other one

              should I just a different remote-id besides the address?

               

              REMOTE SITE - 1 WAN - 2 crypto ike policies - 2 crypto maps

              crypto ike policy 100
                initiate main
                respond anymode
                local-id address CC.CC.CC.CC
                peer AA.AA.AA.AA
                attribute 1
                  encryption 3des
                  hash md5
                  authentication pre-share

              crypto ike policy 101
                initiate aggressive
                respond aggressive
                local-id address CC.CC.CC.CC
                peer BB.BB.BB.BB
                attribute 1
                  encryption 3des
                  hash md5
                  authentication pre-share

              crypto ike remote-id address AA.AA.AA.AA preshared-key testpassword ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
              crypto ike remote-id address BB.BB.BB.BB preshared-key testpassword ike-policy 101 crypto map VPN 10 no-mode-config no-xauth

              ip crypto map VPN 10 ipsec-ike
                description MAINPRIMARY
                match track VPNPeerWAN1
                match address ip VPN-10-vpn-selectors1
                set peer AA.AA.AA.AA
                set transform-set esp-3des-esp-md5-hmac
                ike-policy 100

              ip crypto map VPN 11 ipsec-ike
                description MAINBACKUP
                match track NotVPNPeerWAN1
                match address ip VPN-10-vpn-selectors1
                set peer BB.BB.BB.BB
                set transform-set esp-3des-esp-md5-hmac
                ike-policy 101

              I'm really hoping that this makes sense.  I'm having a hard time finding the combination that matches.

                • Re: VPN failover from Main Site (two wan) to Remote site (1 wan)
                  Employee

                  I have some additional information that will hopefully clear some of this up.  For the site with 2 WANs, as long as you have it set to initiate and respond in main mode, you can omit the local-id statement, which will cause the egress WAN IP address to be used for the local-id.  You should also give the crypto maps different names instead of the same name with different sequence numbers (ex: ip crypto map VPN-PRIMARY 10 ipsec-ike and ip crypto map VPN-BACKUP 10 ipsec-ike).  I believe that will take care of the remote-id issue you are seeing.  For the site with 1 WAN, you should make sure both ike policies are set to no initiate and respond main.  Also, that site should not use a track, as it will just respond and not initiate.  Hopefully that helps.  If you have any more questions, please don't hesitate to respond.

                  Thanks,

                  Matt

                    • Re: VPN failover from Main Site (two wan) to Remote site (1 wan)
                      touristsis Visitor

                      Thanks again, Matt.

                      It is good to know that I can omit the local-id if I'm using main mode.  That clears up one question.

                      I changed the name to something totally different, yet same issue.  I've changed it from VPN 11 to BACKUPVPN 11.  Is it that we can't have the same remote-id address twice?

                      crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map VPN 10 no-mode-config no-xauth ***** It deletes this one as soon as I add the other one, even AFTER I change the name to something totally different like BACKUPVPN 11
                      crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 crypto map BACKUPVPN 11 no-mode-config no-xauth **** It deletes this one as soon as I add the other one, even AFTER I change the name to something totally different like BACKUPVPN 11

                       

                      crypto ike policy 100
                        initiate main
                        respond main
                        peer CC.CC.CC.CC
                        attribute 1
                          encryption 3des
                          hash md5
                          authentication pre-share

                      ip crypto map VPN 10 ipsec-ike - as you can see, I do have a different name
                        description MAINPRIMARY
                        match track VPNPeerWAN1
                        match address ip VPN-10-vpn-selectors1
                        set peer AA.AA.AA.AA
                        set transform-set esp-3des-esp-md5-hmac
                        ike-policy 100

                      ip crypto map BACKUPVPN 11 ipsec-ike - as you can see, I do have a different name
                        description MAINBACKUP
                        match track NotVPNPeerWAN1
                        match address ip VPN-10-vpn-selectors1
                        set peer BB.BB.BB.BB
                        set transform-set esp-3des-esp-md5-hmac
                        ike-policy 100

                        • Re: VPN failover from Main Site (two wan) to Remote site (1 wan)
                          Employee

                          Sorry for the confusion.  You are correct that AOS will not allow the second crypto ike remote-id statement with the same IP address.  There are two options for this setup.  The first is to only use one statement and omit the crypto map from it, as it is an optional parameter. Here is an example of the statement without the crypto map specified:

                          crypto ike remote-id address CC.CC.CC.CC preshared-key testpasword ike-policy 100 no-mode-config no-xauth

                          If it is omitted, AOS will automatically use the proper crypto map from the security association that is created.  However, if it is specified, that restricts the remote-id to a particular crypto map, and as you discovered duplicate statements with the same IP are not permitted.

                          The other option, and the recommended approach, is, at the 2-WAN site, to just have one ike policy with no local-id specified, and use only one crypto map with no track applied.  As long as ip crypto fast-failover is included in the configuration and Network Monitor is used to change the default route when the primary WAN goes down, a new tunnel will be initiated from the secondary WAN automatically.

                           

                          Thanks,

                          Matt