Asked by swcrook
Crypto Map Sequence Number / Peers

Hello experts.

Currently, I have two IPSEC site-to-site VPNs which have been set up via the SDM. On the main office router I have two crypto maps named SDM_CMAP_1 1 and SDM_CMAP_1 2. These two maps have identical information except the "match ip address" line, which is 100 and 101.

SDM_CMAP_1 1 = match ip address 100
SDM_CMAP_1 2 = match ip address 101

On the external interface I have "crypto map SDM_CMAP_1". This doesn't have the sequence number associated with it. The tunnel under the SDM_CMAP_1 1 is up and running, but SDM_CMAP_1 2 is not.

Depending on which crypto map ("SDM_CMAP_1 1" or "SDM_CMAP_1 2") is assigned, the tunnel with that assignment comes up and the other goes down. So, how can I bring both tunnels up at the same time?

Thanks for the help!

ASKER CERTIFIED SOLUTION
JFrederick29
swcrook (ASKER):
Here it is. Also, can you tell me how, on the branch side, if the VPN tunnel is down, I can allow traffic out so that users can browse the Internet, etc.?

!This is the running config of the router: 10.10.8.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CORP_VPN
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 xxxx
enable password xxxxx
!
no aaa new-model
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain name ga.local
ip name-server 12.x.16.x
ip name-server 12.x.17.x
!
!
!
username xxxxxxx
!
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key xxxxx address 173.x.x.237 no-xauth
crypto isakmp key xxxxx address 173.x.x.125 no-xauth
!
!
crypto ipsec transform-set MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 173.x.x.125
set peer 173.x.x.125
set security-association lifetime seconds 28800
set security-association idle-time 28800
set transform-set MD5
set pfs group5
match address 100
reverse-route
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to 173.x.x.237
set peer 173.x.x.237
set security-association lifetime seconds 28800
set security-association idle-time 28800
set transform-set MD5
set pfs group5
match address 101
reverse-route
!
!
!
interface FastEthernet0/0
ip address 12.x.x.34 255.255.255.248
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
ip address 10.10.8.1 255.255.0.0
speed auto
full-duplex
no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 12.x.x.33
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.10.0.0 0.0.255.255 10.252.0.0 0.0.255.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.253.0.0 0.0.255.255
snmp-server community gasread RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password xxxxx
login
!
scheduler allocate 20000 1000
end
swcrook (ASKER):

I have it working. Thanks!

Can you tell me how to NAT the connection so that when/if the tunnel goes down, we can allow the office to still get to the Internet. I just need a general idea of what to do, and I will get it working in my lab.

You helped me with this problem with your original answer because not knowing VPN very well, I had the tunnel simply set up with "peers" of the two sites. So, with one tunnel I had both peers trying to connect through the same tunnel, doh!

That obviously didn't work because I didn't understand the concept of peers, so when I created the second tunnel instead, I still had the peer setup in the config. As soon as you mentioned overlapping, I fixed it. The above config was posted here after I deleted the peer. Way to catch an easy rookie mistake JFrederick29!
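The mistake the asker describes, and the corrected form that matches the posted CORP_VPN config, as an added example (this is not the thread's own config; the peer addresses are kept masked as the thread shows them, and the transform set and ACL numbers are taken from the posted config):

```ios
! Headend (CORP_VPN) crypto map, added example.
!
! BEFORE: a single entry carrying both branch peers. IOS treats several
! "set peer" lines in one entry as an ordered failover list for the SAME
! traffic, so both sites contend for one entry and one crypto ACL; only
! the site whose SA is negotiated first stays up.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 173.x.x.125
 set peer 173.x.x.237
 set transform-set MD5
 match address 100
!
! AFTER: one entry per peer. Each entry has its own sequence number and a
! crypto ACL that does not overlap the other entry's ACL. Both entries
! share the map name, so together they form one crypto map set.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 173.x.x.125
 set peer 173.x.x.125
 set transform-set MD5
 set pfs group5
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to 173.x.x.237
 set peer 173.x.x.237
 set transform-set MD5
 set pfs group5
 match address 101
!
! Non-overlapping crypto ACLs: one per remote site.
access-list 100 permit ip 10.10.0.0 0.0.255.255 10.252.0.0 0.0.255.255
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.253.0.0 0.0.255.255
!
! The interface takes the map set NAME only, never a sequence number.
! Entries are evaluated lowest sequence first for each outbound packet,
! and only one crypto map set can be applied to an interface.
interface FastEthernet0/0
 crypto map SDM_CMAP_1
```

To confirm both entries are active, `show crypto map` should list both sequence numbers with their own peer and ACL, `show crypto isakmp sa` should show a QM_IDLE entry for each of the two peers, and `show crypto ipsec sa peer 173.x.x.237` (and the same for .125) should show encaps/decaps counters climbing for each tunnel independently.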
JFrederick29:

That config looks okay, can you provide the branch configs?

Based on your config, the branch Internet should be using the local ISP connection.  The problem may lie with DNS if you are providing your branch PCs with internal DNS servers and the tunnel is down.  Chances are though, if the tunnel is down, so is your Internet, except for the rare occasion that the headend router is down.  You would need to change your PCs' DNS servers to your ISP's in a tunnel failure situation.
Excellent.  Glad to help.  I posted right after you did.
swcrook (ASKER):
Thanks for the DNS tip. Couldn't I simply just add an external DNS server as a third entry locally on the branch machines? Anyhow, points forthcoming!
>Couldn't I simply just add an external DNS server as a third entry locally on the branch machines?

Logic would say yes, but unfortunately no, as Windows will move between DNS servers as they fail and stick with a particular DNS server in the client list.  So, if you lose the tunnel and the client is now using the ISP DNS server, when the tunnel comes back up, they won't be able to resolve anything internally as the queries will still be sent to the ISP DNS server.  Only when the ISP DNS server failed would the client start using the internal DNS servers.  Never tried this, but you could add the ISP DNS server as a 3rd server but explicitly block outbound DNS to your ISP's DNS servers on the router, and when the tunnel fails, remove the block, and then when the tunnel is back up, block it again.  That should work.
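The branch-side pieces discussed above, as one added example (not the thread's own config): the NAT exemption that lets the office reach the Internet through its local ISP while still sending HQ-bound traffic into the tunnel, and the DNS lock-out ACL that keeps clients off the ISP resolver while the tunnel is up. The branch is assumed to be the 10.253.0.0/16 site (the mirror of HQ's access-list 101); the interface roles, the internal DNS server 10.10.8.10 and the ISP resolver 203.0.113.53 are assumptions and not from the thread.

```ios
! Branch router for the 10.253.0.0/16 site, added example.
! Assumed: Fa0/0 = ISP/outside, Fa0/1 = branch LAN,
! 10.10.8.10 = internal DNS at HQ, 203.0.113.53 = ISP resolver.
!
! Crypto ACL: exact mirror of HQ's access-list 101.
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.253.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
! NAT ACL. IOS translates inside-to-outside traffic BEFORE it checks the
! crypto map, so VPN-bound traffic must be denied here (not translated)
! or it will no longer match ACL 101 and will leak to the ISP untunnelled.
! The deny must come before the permit.
access-list 110 remark NAT exemption for VPN traffic
access-list 110 deny   ip 10.253.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 110 permit ip 10.253.0.0 0.0.255.255 any
!
route-map NONAT permit 10
 match ip address 110
!
! Overload (PAT) everything the route-map permits onto the ISP interface.
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
! DNS lock-out while the tunnel is up: clients list 10.10.8.10 first and
! the ISP resolver third; dropping queries to the ISP resolver stops
! Windows from "sticking" to it, so internal names keep resolving.
access-list 120 remark Block ISP DNS while the VPN is up
access-list 120 deny   udp 10.253.0.0 0.0.255.255 host 203.0.113.53 eq domain
access-list 120 deny   tcp 10.253.0.0 0.0.255.255 host 203.0.113.53 eq domain
access-list 120 permit ip any any
!
interface FastEthernet0/0
 description ISP / outside
 ip nat outside
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description Branch LAN
 ip nat inside
 ip access-group 120 in
```

When the tunnel fails, lift the lock-out with `interface FastEthernet0/1` / `no ip access-group 120 in` so clients fall through to the ISP resolver; once `show crypto isakmp sa` shows the HQ peer in QM_IDLE again, re-apply `ip access-group 120 in`. The switch is manual here, exactly as described in the reply; `show ip nat translations` should show ISP-bound flows only, never 10.10.0.0/16 destinations, which confirms the exemption is working.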
swcrook (ASKER):
Hit the nail on the head.