[c-nsp] Backup VPN not working? IOS to 2 3000's

ChrisSerafin chris at chrisserafin.com
Tue May 15 18:38:21 EDT 2007


I'm trying to create a VPN tunnel from an IOS router to 2 different 3000 
concentrators. The 1st VPN works great, but the 2nd says its VPN is 
built, but no traffic is traversing the tunnel when I kill the primary 
tunnel. I have a feeling it's some routing error somewhere or I need to 
assign admin distances to the router for floating default routes. My 
next question is, is this even possible to have 2 tunnels into a network 
without creating loops of some kind...? FYI: these VPN3000 boxes are 
not on the same network, and actually in different countries. Please 
check out the attached config.

!
hostname prague1811
!
ip cef
!
no ip domain lookup
ip domain name xxxxxxx.com
ip ssh version 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key !!@@##xxxxxx!!@@## address xx.xx.130.25 <MainVPN3000>
crypto isakmp key !!@@##xxxxxx!!@@## address xx.xx.27.254 <BackupVPN3000>
!
crypto ipsec transform-set ptvset esp-3des esp-md5-hmac
!
crypto map ptvmap 1 ipsec-isakmp
set peer xx.xx.130.25 <MainVPN3000>
set peer xx.xx.27.254 <BackupVPN3000>
set security-association lifetime seconds 86400
set transform-set ptvset
match address 110
!
interface FastEthernet0
description [ Outside Interface ]
ip address xx.xx.70.129 255.255.255.248
ip access-group XXXX_WAN_Ingress in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ptvmap
!
interface FastEthernet1
description [ Internal Interface ]
ip address 10.100.52.1 255.255.255.0
ip access-group XXXX_LAN_Ingress in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip route 0.0.0.0 0.0.0.0 xx.xx.70.134
ip route 10.0.0.0 255.0.0.0 xx.xx.70.134
ip route 10.0.0.0 255.255.0.0 xx.xx.70.134
ip route 10.71.0.0 255.255.0.0 xx.xx.70.134
ip route 10.72.0.0 255.255.0.0 xx.xx.70.134
ip route 10.95.1.0 255.255.255.0 xx.xx.70.134
ip route 10.95.10.0 255.255.255.0 xx.xx.70.134
ip route 10.95.11.0 255.255.255.0 xx.xx.70.134
ip route 10.95.12.0 255.255.255.0 xx.xx.70.134
ip route 10.95.13.0 255.255.255.0 xx.xx.70.134
ip route 10.95.14.0 255.255.255.0 xx.xx.70.134
ip route 10.96.2.0 255.255.255.0 xx.xx.70.134
ip route 10.96.4.0 255.255.252.0 xx.xx.70.134
ip route 10.97.4.0 255.255.255.0 xx.xx.70.134
ip route 10.98.16.0 255.255.255.0 xx.xx.70.134
!
ip nat inside source list 100 interface FastEthernet0 overload
ip nat inside source static tcp 10.100.52.253 26 interface FastEthernet0 25
!
ip access-list extended XXXX_LAN_Ingress
permit ip 10.100.52.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.100.52.0 0.0.0.255 206.198.0.0 0.0.255.255
permit ip 10.100.52.0 0.0.0.255 host 207.230.27.135
permit tcp host 10.100.52.253 any eq smtp
permit ip host 10.100.52.253 any
deny ip any any
ip access-list extended XXXX_WAN_Ingress
permit icmp any host xx.xx.70.129 echo
permit icmp any host xx.xx.70.129 echo-reply
permit icmp any host xx.xx.70.129 host-unreachable
permit ip host <mainVPN3000> host <This router>
permit ip host <BackupVPN3000> host <This router>
permit tcp any any established
deny ip any any log
!
access-list 100 remark [ ACL for NAT VPN traversal ]
access-list 100 deny ip 10.100.52.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.100.52.0 0.0.0.255 any

access-list 110 remark [ ACL to define VPN interesting traffic ]
access-list 110 permit ip 10.100.52.0 0.0.0.255 10.0.0.0 0.255.255.255

prague1811#sh cry
prague1811#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
xx.xx.70.129 <MainVPN3000> QM_IDLE 2090 0 ACTIVE
xx.xx.70.129 <BackupVPN3000> QM_IDLE whatever ACTIVE

IPv6 Crypto ISAKMP SA



Chris Serafin
Security Engineer
chris at chrisserafin.com
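A consistency check a practitioner would run against the posted config before chasing routing, as an added example that is not from the original post: it parses the crypto-map peers, the pre-shared keys and ACLs 100/110 from a constructed excerpt of the config above, and flags a peer without an ISAKMP key or a crypto-ACL flow that is not exempted from NAT (the NAT ACL number is assumed to be 100, as in the post).

```python
import re

# Constructed excerpt of the posted config; peer annotations dropped, redactions kept.
CONFIG = """
crypto isakmp key !!@@##xxxxxx!!@@## address xx.xx.130.25
crypto isakmp key !!@@##xxxxxx!!@@## address xx.xx.27.254
crypto map ptvmap 1 ipsec-isakmp
 set peer xx.xx.130.25
 set peer xx.xx.27.254
 match address 110
access-list 100 deny ip 10.100.52.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.100.52.0 0.0.0.255 any
access-list 110 permit ip 10.100.52.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+ \S+) (\S+ \S+|any)$")

def parse(config):
    """Pull out crypto-map peers, keyed peer addresses, the crypto ACL id and ACL entries."""
    peers, keyed, crypto_acl, acls = [], set(), None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"set peer (\S+)$", line):
            peers.append(m.group(1))
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)$", line):
            keyed.add(m.group(1))
        elif m := re.match(r"match address (\d+)$", line):
            crypto_acl = m.group(1)
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2, 3, 4))
    return peers, keyed, crypto_acl, acls

def audit(config, nat_acl="100"):
    """Return a list of consistency findings; an empty list means the checks passed."""
    peers, keyed, crypto_acl, acls = parse(config)
    findings = []
    # Each set-peer address needs a matching pre-shared key or Phase 1 cannot complete.
    for p in peers:
        if p not in keyed:
            findings.append(f"peer {p} has no crypto isakmp key")
    # Each crypto-ACL permit must be denied in the NAT ACL: inside-to-outside NAT runs
    # before the crypto map is evaluated, so a translated flow never matches ACL 110.
    nat_denies = {(s, d) for act, s, d in acls.get(nat_acl, []) if act == "deny"}
    for act, s, d in acls.get(crypto_acl, []):
        if act == "permit" and (s, d) not in nat_denies:
            findings.append(f"crypto ACL {crypto_acl} flow {s} -> {d} is NATed by ACL {nat_acl}")
    return findings

if __name__ == "__main__":
    for f in audit(CONFIG) or ["no findings"]:
        print(f)
```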