Solved

cisco 2911 ipsec

Posted on 2013-06-03
Last Modified: 2013-06-25
I've got a Cisco 2911 with a basic config... see below. I need help bonding the 0/0 and 0/1 via multilink, then adding an IPsec tunnel.

Cisco 2911
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ########  address 74.124.16.84
!
!
crypto ipsec transform-set cisco esp-seal esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 24.173.1.145
 set transform-set cisco
 match address 100
interface GigabitEthernet0/0
 description TimeW fiber
 ip address 24.173.1.151 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map cisco
 !
!
interface GigabitEthernet0/1
 description TimeW Coax
 ip address 97.79.164.76 255.255.255.240
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/2
 description $ES_LAN$
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 24.173.1.145
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip any any
access-list 100 permit tcp any host 24.173.1.145 eq www
access-list 100 permit tcp any host 24.173.1.145 eq 442
access-list 100 permit tcp any host 24.173.1.145 eq 443
access-list 100 permit tcp any host 24.173.1.145 eq 1743
access-list 100 permit tcp any host 24.173.1.145 eq smtp
access-list 100 permit tcp any host 24.173.1.145 eq pop3
access-list 100 permit tcp any host 24.173.1.148 eq pop3
access-list 100 permit tcp any host 24.173.1.148 eq smtp
access-list 104 permit ip any any
!
!
!
!
!
!
control-plane
 !
!
!
line con 0
line aux 0
line vty 0 4

Basic IPsec setup on the 5505 at the other end is...
Tunnel Name :
Interface : WAN1 / WAN2
Enable :

--------------------------------------------------------------------------------

Local Group Setup
Local Security Gateway Type : IP Only / IP + Domain Name (FQDN) Authentication / IP + Email Address (USER FQDN) Authentication / Dynamic IP + Domain Name (FQDN) Authentication / Dynamic IP + Email Address (USER FQDN) Authentication
IP Address : 24.173.1.146
Local Security Group Type : IP / Subnet / IP Range
IP Address :
Subnet Mask :

--------------------------------------------------------------------------------

Remote Group Setup
Remote Security Gateway Type : IP Only / IP + Domain Name (FQDN) Authentication / IP + Email Address (USER FQDN) Authentication / Dynamic IP + Domain Name (FQDN) Authentication / Dynamic IP + Email Address (USER FQDN) Authentication
IP Address / IP by DNS Resolved :
Remote Security Group Type : IP / Subnet / IP Range
IP Address :
Subnet Mask :

--------------------------------------------------------------------------------

IPSec Setup
Keying Mode : Manual / IKE with Preshared key
Phase 1 DH Group : Group 1 - 768 bit / Group 2 - 1024 bit / Group 5 - 1536 bit
Phase 1 Encryption : DES / 3DES / AES-128 / AES-192 / AES-256
Phase 1 Authentication : MD5 / SHA1
Phase 1 SA Life Time : seconds
Perfect Forward Secrecy :
Phase 2 DH Group : Group 1 - 768 bit / Group 2 - 1024 bit / Group 5 - 1536 bit
Phase 2 Encryption : NULL / DES / 3DES / AES-128 / AES-192 / AES-256
Phase 2 Authentication : NULL / MD5 / SHA1
Phase 2 SA Life Time : seconds

I'm pretty comfortable with the ASA 5505. Just need some help with the format on this 2911. Thank you in advance for the help.
Question by:Triton11
16 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 39217697
What's connected to Gig 0/0 and Gig 0/1 on the other side?
 

Author Comment

by:Triton11
ID: 39217964
Two ISPs, both providing an Ethernet hand-off. Full duplexing.
 

Author Comment

by:Triton11
ID: 39219649
Really just need to get the bonded piece working. Haven't done this before.
 
LVL 11

Expert Comment

by:naderz
ID: 39219738
One way would be L3 etherchannel.

Create a port-channel interface and place the GigE interfaces in that channel-group. Remove the IP addresses from the GigE interfaces and configure the desired IP address on the Port-Channel interface. No IPs on the GigE interfaces themselves. Make the same changes, as appropriate, on the other side.

This would provide load-balancing (per source and destination address) and redundancy.
 
LVL 11

Expert Comment

by:naderz
ID: 39219744
For any kind of bonding you need configurations at both ends. I am assuming that is doable in your case.
 

Author Comment

by:Triton11
ID: 39219754
No... different providers. I'll have to settle for an auto failover.
 
LVL 11

Expert Comment

by:naderz
ID: 39219795
Have you considered asking your ISPs about BGP routing? A little more setup and planning, but that would provide you with seamless failover.
 

Author Comment

by:Triton11
ID: 39219805
That is an option. Is there any way to configure this router to use both data pipes without help from the ISP?
 
LVL 11

Expert Comment

by:naderz
ID: 39220093
One way would be to provide two default routes, one to each ISP's termination point. Then turn IP CEF on (if not already enabled) and try the following:

ip cef load-sharing algorithm include-ports source destination

This makes CEF use the hash of source and destination addresses (including the source port) for switching traffic between links. This should alternate between the two links, hence the term load-balancing.

You may get asymmetric routing back to your site, but that should not matter. We all probably get asymmetric routing within the ISPs' networks anyway. As long as the two ISPs are not way off in RTT to a given destination, you should be OK.
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 500 total points
ID: 39220170
The best you can do with your current configuration is session-based load-balancing.

ip cef load-sharing algorithm include-ports source destination
!
ip route 0.0.0.0 0.0.0.0 24.173.1.145
ip route 0.0.0.0 0.0.0.0 x.x.x.x (or whatever your second gateway is)
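The two answers above give the per-session load-sharing part. The following is an added example, not configuration from either expert or from the asker's router, that carries their two-default-route approach through to the "auto failover" the asker said he would settle for, and adds the NAT change the posted config would need once sessions start leaving via Gi0/1 (the posted config only has `ip nat outside` and the overload statement on Gi0/0, so anything CEF hashes onto Gi0/1 would leave with a private 10.0.1.x source). ISP1 addresses are the ones in the posted config; the ISP2 gateway 97.79.164.65 is an assumed placeholder (the thread only says "whatever your second gateway is"), and the example assumes an IOS release with IP SLA and object tracking.

```cisco
! Added example (not from the thread): per-session load-sharing across two ISPs
! with SLA-tracked failover and per-egress-interface NAT.
! 97.79.164.65 is an ASSUMED placeholder for the ISP2 gateway on Gi0/1.
!
ip cef
ip cef load-sharing algorithm include-ports source destination
!
! Reachability probes, one per ISP. Each probe is sourced from its own
! interface so it cannot succeed through the other link. Probing the
! directly connected gateway only detects a dead link or dead CPE; to detect
! an upstream outage, probe a remote address and pin a /32 static route for
! that address through the ISP being tested.
ip sla 1
 icmp-echo 24.173.1.145 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 97.79.164.65 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Two equal-cost default routes. A route is withdrawn when its track fails,
! so new and re-hashed sessions fail over to the surviving ISP.
ip route 0.0.0.0 0.0.0.0 24.173.1.145 track 1
ip route 0.0.0.0 0.0.0.0 97.79.164.65 track 2
!
! NAT for the second egress. The translation is chosen by the interface the
! packet actually leaves on, so each ISP sees its own address space.
! The named ACL is deliberately narrower than the posted "permit ip any any".
interface GigabitEthernet0/1
 ip nat outside
 ip virtual-reassembly
!
ip access-list extended NAT-INSIDE
 permit ip 10.0.1.0 0.0.0.255 any
!
route-map NAT-ISP1 permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/0
route-map NAT-ISP2 permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/1
!
no ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload
```

IOS will refuse to remove the old `ip nat inside source list 100 ...` line while translations exist, so run `clear ip nat translation *` first (this drops active NAT sessions). Verify with `show ip route 0.0.0.0`, `show track` and `show ip sla statistics`, and confirm both routes are in the CEF table with `show ip cef 0.0.0.0/0`. Note what this example does not change: the crypto map in the posted config is bound to Gi0/0 only, so that peer's traffic is still only protected when it leaves that interface, and this example does not alter ACL 100, which the crypto map also references.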
 

Author Comment

by:Triton11
ID: 39220216
Thanks. That x.x.x.x would be the gateway for Gi0/1.
 
LVL 11

Expert Comment

by:naderz
ID: 39220223
Yes.
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 39220225
Correct. I didn't make out the configuration for Gi0/0 initially because the crypto configuration bled into it.
 
LVL 11

Expert Comment

by:naderz
ID: 39220379
jodylemoine: are you confirming what I had in my post on 2013-06-04 at 12:25:01, ID: 39220093?

You have the same solution that I had posted earlier.
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 39276936
naderz: It looks like we were both composing at the same time and you finished first. Your solution wasn't there when I started or I wouldn't have posted.
 
LVL 11

Expert Comment

by:naderz
ID: 39277167
jodylemoine: no worries. All is good.
