How to set up 2 ISPs on each router on both sides of an IPsec VPN?
The task is to set up a site-to-site VPN. In this case, two providers are used on both sides, so that the first provider on one side has a tunnel with both providers on the other side. At the moment it has been possible to set up a tunnel (IPsec VPN) between the first providers and between the second providers (1 and 1, 2 and 2). But when setting up 1 and 2, and 2 and 1, there is a problem with routes. Internet access is made redundant using IP SLA and route-maps.
Building configuration...
Current configuration : 3671 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 source-interface FastEthernet0/0
frequency 10
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 77.77.77.1 source-interface FastEthernet0/0
frequency 10
ip sla monitor reaction-configuration 2 threshold-falling 5000
ip sla monitor schedule 2 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CISCO address 44.44.44.2
crypto isakmp key CISCO address 55.55.55.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 44.44.44.2
set transform-set TS
match address FOR_VPN
!
crypto map CMAP2 20 ipsec-isakmp
set peer 55.55.55.2
set transform-set TS
match address FOR_VPN
!
!
!
!
interface FastEthernet0/0
ip address 77.77.77.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
no switchport
ip address 11.11.11.2 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map CMAP2
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 77.77.77.1 track 1
ip route 192.168.1.0 255.255.255.0 10.0.0.1 track 2
ip route 0.0.0.0 0.0.0.0 11.11.11.1 10
ip route 8.8.8.8 255.255.255.255 77.77.77.1
ip route 192.168.1.0 255.255.255.0 10.0.1.1 10
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet1/0 overload
!
ip access-list extended FOR_VPN
permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 100 deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
no cdp log mismatch duplex
!
route-map ISP2 permit 10
match ip address 100
match interface FastEthernet1/0
!
route-map ISP1 permit 10
match ip address 100
match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
event manager applet TRACK_DOWN
event syslog pattern "1 rtr 1 reachability Up->Down"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 syslog msg "ISP 1 is DOWN"
event manager applet TRACK_UP
event syslog pattern "1 rtr 1 reachability Down->Up"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 syslog msg "ISP 1 is UP"
!
end
Building configuration...
Current configuration : 3473 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 source-interface FastEthernet0/0
frequency 10
ip sla monitor schedule 1 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
track 1 rtr 1 reachability
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key CISCO address 77.77.77.2
crypto isakmp key CISCO address 11.11.11.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 77.77.77.2
set transform-set TS
match address FOR_VPN
!
crypto map CMAP2 20 ipsec-isakmp
set peer 11.11.11.2
set transform-set TS
match address FOR_VPN
!
!
!
!
interface FastEthernet0/0
ip address 44.44.44.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/1
ip address 55.55.55.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP2
!
interface FastEthernet1/0
no switchport
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 44.44.44.1 track 1
ip route 0.0.0.0 0.0.0.0 55.55.55.1 10
ip route 8.8.8.8 255.255.255.255 44.44.44.1
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
!
ip access-list extended FOR_VPN
permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp log mismatch duplex
!
route-map ISP2 permit 10
match ip address 100
match interface FastEthernet0/1
!
route-map ISP1 permit 10
match ip address 100
match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
event manager applet TRACK_DOWN
event syslog pattern "1 rtr 1 reachability Up->Down"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 syslog msg "ISP 1 is DOWN"
event manager applet TRACK_UP
event syslog pattern "1 rtr 1 reachability Down->Up"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 syslog msg "ISP 1 is UP"
event manager applet VKL
event timer countdown time 180
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "int f0/0"
action 4.0 cli command "no shut"
!
end
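Added example, not the asker's running configuration and not a verified answer: the R9 side rewritten so that the crypto map on each outside interface lists both of R2's peer addresses, so whichever ISP the tracked default route is currently using can still negotiate a tunnel to either remote address (1-1, 1-2, 2-1, 2-2). Addresses, interface names and the FOR_VPN / ACL 100 names are taken from the question; the dead-peer-detection timers and the IKE policy (AES-256 / SHA-256 / group 14 in place of the 3DES / MD5 / group 2 in the posted config) are assumptions, and those keywords need a newer IOS than the 12.4 shown. The pre-shared key is a placeholder. The two static routes for 192.168.1.0/24 in the posted R9 config point at next hops (10.0.0.1, 10.0.1.1) that do not appear on any of R9's interfaces; with crypto maps the remote LAN only needs to follow the active default route, which is why the example drops them.

```cisco
! Added example for the R9 side (not the asker's config, not a tested answer).
! Each outside interface keeps its own crypto map, but every map entry lists
! BOTH remote peers, so the tunnel can be built to either of R2's addresses
! from whichever ISP the default route currently uses.
! Assumed: IKE policy, DPD timers, placeholder key. Addresses are from the question.
!
! IKE policy (assumption): AES-256 / SHA-256 / group 14 instead of 3DES / MD5 / group 2
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One key per remote peer address (both of R2's ISP addresses)
crypto isakmp key REPLACE_WITH_STRONG_PSK address 44.44.44.2
crypto isakmp key REPLACE_WITH_STRONG_PSK address 55.55.55.2
!
! Dead peer detection: without it the router keeps retrying a dead peer and
! never moves on to the second "set peer" in the map entry below.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! Map for ISP1 (Fa0/0): prefer R2's ISP1 address, fall back to R2's ISP2 address
crypto map CMAP 10 ipsec-isakmp
 set peer 44.44.44.2
 set peer 55.55.55.2
 set transform-set TS
 match address FOR_VPN
!
! Map for ISP2 (Fa1/0): prefer R2's ISP2 address, fall back to R2's ISP1 address
crypto map CMAP2 10 ipsec-isakmp
 set peer 55.55.55.2
 set peer 44.44.44.2
 set transform-set TS
 match address FOR_VPN
!
interface FastEthernet0/0
 ip address 77.77.77.2 255.255.255.252
 ip nat outside
 crypto map CMAP
!
interface FastEthernet1/0
 ip address 11.11.11.2 255.255.255.252
 ip nat outside
 crypto map CMAP2
!
! Routing: only the tracked default route and its floating backup are needed.
! 192.168.1.0/24 is NOT given its own next hop: traffic to it follows the
! default route out whichever ISP is up, and that interface's crypto map
! picks it up because it matches FOR_VPN.
ip route 0.0.0.0 0.0.0.0 77.77.77.1 track 1
ip route 0.0.0.0 0.0.0.0 11.11.11.1 10
! Keep the SLA probe target pinned to ISP1 so track 1 measures that link only
ip route 8.8.8.8 255.255.255.255 77.77.77.1
!
! NAT exemption as in the posted config: VPN traffic is denied in ACL 100
! before the permit, so it reaches the crypto map with private addresses intact.
ip access-list extended FOR_VPN
 permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 100 deny   ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
```

R2 needs the mirror image: CMAP on FastEthernet0/0 with `set peer 77.77.77.2` followed by `set peer 11.11.11.2`, and CMAP2 on FastEthernet0/1 with the two peers in the opposite order, with its FOR_VPN and ACL 100 left as posted. IOS tries the peers of a map entry in the listed order and only moves to the next one when IKE with the current peer gets no response (which is what the DPD keepalive detects); once a tunnel has come up on the second peer it stays there until that tunnel drops, unless the release in use supports the `default` keyword on `set peer` to return to the preferred peer. A quick check after a failover is `show crypto isakmp sa` and `show crypto ipsec sa`, which show which local and remote addresses the active tunnel is actually using.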