J
J
Jonhy2022-04-04 19:42:15
Cisco
Jonhy, 2022-04-04 19:42:15

How to set up 2ISP on each router on both sides of ipsec vpn?

The task is to set up a site-to-site vpn. In this case, two providers are used on both sides. That is, so that the first provider on one side has a tunnel with both providers on the other side. At the moment, it was possible to set up a tunnel (ipsec vpn) between the first providers and the second providers (1 and 1, 2 and 2). But when setting 1 and 2, 2 and 1 there is a problem with routes. Internet access is reserved using ip sla and route-map.

Attached is the configuration of both routers.

Building configuration...

Current configuration : 3671 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 source-interface FastEthernet0/0
 frequency 10
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 77.77.77.1 source-interface FastEthernet0/0
 frequency 10
ip sla monitor reaction-configuration 2 threshold-falling 5000
ip sla monitor schedule 2 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 44.44.44.2
crypto isakmp key CISCO address 55.55.55.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 44.44.44.2
 set transform-set TS
 match address FOR_VPN
!
crypto map CMAP2 20 ipsec-isakmp
 set peer 55.55.55.2
 set transform-set TS
 match address FOR_VPN
!
!
!
!
interface FastEthernet0/0
 ip address 77.77.77.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no switchport
 ip address 11.11.11.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map CMAP2
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 77.77.77.1 track 1
ip route 192.168.1.0 255.255.255.0 10.0.0.1 track 2
ip route 0.0.0.0 0.0.0.0 11.11.11.1 10
ip route 8.8.8.8 255.255.255.255 77.77.77.1
ip route 192.168.1.0 255.255.255.0 10.0.1.1 10
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet1/0 overload
!
ip access-list extended FOR_VPN
 permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 100 deny   ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
no cdp log mismatch duplex
!
route-map ISP2 permit 10
 match ip address 100
 match interface FastEthernet1/0
!
route-map ISP1 permit 10
 match ip address 100
 match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
event manager applet TRACK_DOWN
 event syslog pattern "1 rtr 1 reachability Up->Down"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP 1 is DOWN"
event manager applet TRACK_UP
 event syslog pattern "1 rtr 1 reachability Down->Up"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP 1 is UP"
!
end



Building configuration...

Current configuration : 3473 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 source-interface FastEthernet0/0
 frequency 10
ip sla monitor schedule 1 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
track 1 rtr 1 reachability
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 77.77.77.2
crypto isakmp key CISCO address 11.11.11.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 77.77.77.2
 set transform-set TS
 match address FOR_VPN
!
crypto map CMAP2 20 ipsec-isakmp
 set peer 11.11.11.2
 set transform-set TS
 match address FOR_VPN
!
!
!
!
interface FastEthernet0/0
 ip address 44.44.44.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
!
interface FastEthernet0/1
 ip address 55.55.55.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP2
!
interface FastEthernet1/0
 no switchport
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 44.44.44.1 track 1
ip route 0.0.0.0 0.0.0.0 55.55.55.1 10
ip route 8.8.8.8 255.255.255.255 44.44.44.1
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
!
ip access-list extended FOR_VPN
 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp log mismatch duplex
!
route-map ISP2 permit 10
 match ip address 100
 match interface FastEthernet0/1
!
route-map ISP1 permit 10
 match ip address 100
 match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
event manager applet TRACK_DOWN
 event syslog pattern "1 rtr 1 reachability Up->Down"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP 1 is DOWN"
event manager applet TRACK_UP
 event syslog pattern "1 rtr 1 reachability Down->Up"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP 1 is UP"
event manager applet VKL
 event timer countdown time 180
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "int f0/0"
 action 4.0 cli command "no shut"
!
end

Answer the question

In order to leave comments, you need to log in

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question