Solved

cisco 2911 ipsec

Posted on 2013-06-03
16
943 Views
Last Modified: 2013-06-25
I've got a Cisco 2911 with a basic config... see below. I need help bonding the 0/0 and 0/1 via multilink, then adding an IPsec tunnel.

Cisco 2911
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ########  address 74.124.16.84
!
!
crypto ipsec transform-set cisco esp-seal esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 24.173.1.145
 set transform-set cisco
 match address 100
!
interface GigabitEthernet0/0
 description TimeW fiber
 ip address 24.173.1.151 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map cisco
 !
!
interface GigabitEthernet0/1
 description TimeW Coax
 ip address 97.79.164.76 255.255.255.240
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/2
 description $ES_LAN$
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 24.173.1.145
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip any any
access-list 100 permit tcp any host 24.173.1.145 eq www
access-list 100 permit tcp any host 24.173.1.145 eq 442
access-list 100 permit tcp any host 24.173.1.145 eq 443
access-list 100 permit tcp any host 24.173.1.145 eq 1743
access-list 100 permit tcp any host 24.173.1.145 eq smtp
access-list 100 permit tcp any host 24.173.1.145 eq pop3
access-list 100 permit tcp any host 24.173.1.148 eq pop3
access-list 100 permit tcp any host 24.173.1.148 eq smtp
access-list 104 permit ip any any
!
!
!
!
!
!
control-plane
 !
!
!
line con 0
line aux 0
line vty 0 4

Basic IPsec setup on the 5505 at the other end is... (pasted web form; the choices each drop-down offers are separated with "|", and only one field had a value filled in):

Tunnel Name:
Interface: WAN1 | WAN2
Enable:

--------------------------------------------------------------------------------

Local Group Setup
Local Security Gateway Type: IP Only | IP + Domain Name (FQDN) Authentication | IP + Email Address (USER FQDN) Authentication | Dynamic IP + Domain Name (FQDN) Authentication | Dynamic IP + Email Address (USER FQDN) Authentication
IP Address: 24.173.1.146
Local Security Group Type: IP | Subnet | IP Range
IP Address:
Subnet Mask:

--------------------------------------------------------------------------------

Remote Group Setup
Remote Security Gateway Type: IP Only | IP + Domain Name (FQDN) Authentication | IP + Email Address (USER FQDN) Authentication | Dynamic IP + Domain Name (FQDN) Authentication | Dynamic IP + Email Address (USER FQDN) Authentication
IP Address | IP by DNS Resolved:
Remote Security Group Type: IP | Subnet | IP Range
IP Address:
Subnet Mask:

--------------------------------------------------------------------------------

IPSec Setup
Keying Mode: Manual | IKE with Preshared key
Phase 1 DH Group: Group 1 - 768 bit | Group 2 - 1024 bit | Group 5 - 1536 bit
Phase 1 Encryption: DES | 3DES | AES-128 | AES-192 | AES-256
Phase 1 Authentication: MD5 | SHA1
Phase 1 SA Life Time: ____ seconds
Perfect Forward Secrecy:
Phase 2 DH Group: Group 1 - 768 bit | Group 2 - 1024 bit | Group 5 - 1536 bit
Phase 2 Encryption: NULL | DES | 3DES | AES-128 | AES-192 | AES-256
Phase 2 Authentication: NULL | MD5 | SHA1
Phase 2 SA Life Time: ____ seconds

I'm pretty comfortable with the ASA 5505. Just need some help with the format on this 2911. Thank you in advance for the help.
Question by:Triton11
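A worked site-to-site IPsec configuration for the 2911 side, added here as an example; it is not part of the question or of any answer in the thread. It keeps the values the post gives (LAN 10.0.1.0/24 on Gi0/2, WAN 24.173.1.151 on Gi0/0) and uses labelled placeholders for what the post does not give: <REMOTE-PEER-IP> (the posted config names two different addresses, 74.124.16.84 on the pre-shared key and 24.173.1.145 on the crypto map, and 24.173.1.145 is also the default gateway, so the real remote gateway has to be confirmed), <REMOTE-LAN> with its <WILDCARD>, and <PSK>. The names VPN-TS, VPN-TRAFFIC, NAT-TRAFFIC and VPN-MAP are assumptions too. It departs from the posted config in two ways: the crypto ACL matches only LAN-to-LAN traffic rather than `permit ip any any` (which tries to tunnel all Internet traffic and, because ACL 100 is shared with NAT and NAT runs before encryption on the outbound path, presents already-translated packets to the tunnel), and it uses SHA-1, AES-256 and DH group 5, all of which the 5505 form offers, in place of MD5 and SEAL.

```cisco
! Added example, not the questioner's config. Placeholders in <angle brackets>
! are assumptions: <REMOTE-PEER-IP> = the 5505's public address,
! <REMOTE-LAN> <WILDCARD> = the LAN behind it, <PSK> = the shared secret.
!
! Phase 1 (ISAKMP): AES-256, SHA-1, DH group 5, pre-shared key
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key <PSK> address <REMOTE-PEER-IP>
!
! Phase 2 (IPsec) transform: AES-256 with SHA-1 HMAC, tunnel mode
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: only LAN-to-remote-LAN traffic is tunnelled
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.1.0 0.0.0.255 <REMOTE-LAN> <WILDCARD>
!
! NAT ACL: exempt tunnel traffic so it reaches the crypto map untranslated,
! then overload everything else from the LAN (replaces the shared ACL 100 rule)
ip access-list extended NAT-TRAFFIC
 deny   ip 10.0.1.0 0.0.0.255 <REMOTE-LAN> <WILDCARD>
 permit ip 10.0.1.0 0.0.0.255 any
no ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
!
! Crypto map: one entry per peer, PFS so each phase-2 key is independent
crypto map VPN-MAP 10 ipsec-isakmp
 set peer <REMOTE-PEER-IP>
 set transform-set VPN-TS
 set pfs group5
 match address VPN-TRAFFIC
!
! Apply on the WAN interface; this replaces the posted "crypto map cisco"
! because an interface carries only one crypto map
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
! Verify after sending traffic from 10.0.1.0/24 to <REMOTE-LAN>:
!   show crypto isakmp sa
!   show crypto ipsec sa peer <REMOTE-PEER-IP>
```

On the 5505 form the matching choices are IKE with Preshared key, Group 5 - 1536 bit, AES-256 and SHA1 for both phases, PFS enabled, Local Security Group = Subnet (its own LAN) and Remote Security Group = Subnet 10.0.1.0 / 255.255.255.0; the Local Security Gateway address entered there (24.173.1.146) is what goes into <REMOTE-PEER-IP> on the 2911 only if it really is the 5505's public address.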
16 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 39217697
What's connected to Gig 0/0 and Gig 0/1 on the other side?
0
 

Author Comment

by:Triton11
ID: 39217964
Two ISPs, both providing an Ethernet hand-off. Full duplexing.
0
 

Author Comment

by:Triton11
ID: 39219649
Really just need to get the bonded piece working. Haven't done this before.
0
 
LVL 11

Expert Comment

by:naderz
ID: 39219738
One way would be L3 etherchannel.

Create a port-channel interface and place the GigE interfaces in that channel-group. Remove IP addresses from the GigE interfaces, and configure desired IP address on the Port-Channel interface. No IPs on the GigE interfaces themselves. Do the same appropriate changes on the other side.

This would provide load-balancing (per source and destination address) and redundancy.
0
 
LVL 11

Expert Comment

by:naderz
ID: 39219744
For any kind of bonding you need configurations at both ends. I am assuming that is doable in your case.
0
 

Author Comment

by:Triton11
ID: 39219754
No... different providers. I'll have to settle for an auto failover.
0
 
LVL 11

Expert Comment

by:naderz
ID: 39219795
Have you considered asking your ISPs about BGP routing? A little more setup and planning, but that would provide you with seamless fail over.
0
 

Author Comment

by:Triton11
ID: 39219805
That is an option. Is there any way to configure this router to use both data pipes without help from the ISP?
0
 
LVL 11

Expert Comment

by:naderz
ID: 39220093
One way would be to provide two default routes one to each ISP's termination point. Then turn IP CEF on (if not already enabled) and try the following:

ip cef load-sharing algorithm include-ports source destination

This makes CEF use the hash of source and destination addresses (including the source port) for switching traffic between links. This should alternate, therefore the term load-balancing, between the two links.

You may get asymmetric routing back to your site, but that should not matter. We all probably get asymmetric routing within the ISP's network anyway. As long as the two ISPs are not way off in the RTT to a given destination, you should be OK.
0
 
LVL 22

Accepted Solution

by: Jody Lemoine (earned 500 total points)
ID: 39220170
The best you can do with your current configuration is session-based load-balancing.

ip cef load-sharing algorithm include-ports source destination
!
ip route 0.0.0.0 0.0.0.0 24.173.1.145
ip route 0.0.0.0 0.0.0.0 x.x.x.x (or whatever your second gateway is)
0
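An added example, not taken from naderz's or Jody Lemoine's posts, that starts from the accepted answer (two default routes plus `include-ports` CEF load-sharing) and adds the two pieces the posted config still lacks for the unattended failover the questioner says he will settle for: IP SLA probes that withdraw a default route when its ISP stops answering (a static route pointing at an Ethernet hand-off stays in the table as long as the local link is up, so a dead upstream would otherwise keep absorbing half the sessions), and NAT keyed on the exit interface (the existing single `interface GigabitEthernet0/0 overload` rule leaves sessions hashed onto Gi0/1 untranslated, and Gi0/1 is not even `ip nat outside`). Placeholders are assumptions: <ISP2-GATEWAY> is the Gi0/1 gateway (the thread's x.x.x.x), <PROBE-IP-VIA-ISP1> and <PROBE-IP-VIA-ISP2> are two public addresses that reliably answer ICMP, <REMOTE-PEER-IP> and <REMOTE-LAN> <WILDCARD> describe the IPsec peer from the question; the names LAN-TRAFFIC, NAT-ISP1, NAT-ISP2 and the SLA and track numbers are made up for the example.

```cisco
! Added example, not from the thread. Values in <angle brackets> are assumptions.
! Per-session (source/destination/port hash) load sharing over both defaults
ip cef
ip cef load-sharing algorithm include-ports source destination
!
! One probe per ISP; a /32 static route pins each probe to its own link so that
! a probe cannot succeed through the other provider
ip sla 1
 icmp-echo <PROBE-IP-VIA-ISP1> source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo <PROBE-IP-VIA-ISP2> source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
ip route <PROBE-IP-VIA-ISP1> 255.255.255.255 24.173.1.145
ip route <PROBE-IP-VIA-ISP2> 255.255.255.255 <ISP2-GATEWAY>
!
! Two equal-cost defaults; each is withdrawn while its track is down
ip route 0.0.0.0 0.0.0.0 24.173.1.145 track 1
ip route 0.0.0.0 0.0.0.0 <ISP2-GATEWAY> track 2
!
! Keep IPsec traffic on Gi0/0, where the crypto map lives, instead of letting the
! hash send it out Gi0/1 past the crypto map
ip route <REMOTE-PEER-IP> 255.255.255.255 24.173.1.145
!
! NAT follows the exit interface; the deny exempts site-to-site traffic
ip access-list extended LAN-TRAFFIC
 deny   ip 10.0.1.0 0.0.0.255 <REMOTE-LAN> <WILDCARD>
 permit ip 10.0.1.0 0.0.0.255 any
route-map NAT-ISP1 permit 10
 match ip address LAN-TRAFFIC
 match interface GigabitEthernet0/0
route-map NAT-ISP2 permit 10
 match ip address LAN-TRAFFIC
 match interface GigabitEthernet0/1
no ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload
!
! Gi0/1 must be an outside interface for the second rule to apply
interface GigabitEthernet0/1
 ip nat outside
 ip virtual-reassembly
!
! Verify:
!   show ip route 0.0.0.0            (both defaults present while both tracks are up)
!   show track                       (state of each probe)
!   show ip sla statistics           (probe success counts)
!   show ip nat translations         (sessions translated to the address of their exit link)
```

Pick probe targets beyond the provider's edge; pinging the gateway itself only detects a last-mile failure, not an outage further upstream. Because a failed track removes the route for new sessions only, established TCP sessions on the dead link are lost and re-established on the surviving one, which is the "auto failover" the thread settles for rather than the seamless cutover BGP would give.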
 

Author Comment

by:Triton11
ID: 39220216
Thanks. That x.x.x.x would be the gateway for Gi0/1.
0
 
LVL 11

Expert Comment

by:naderz
ID: 39220223
Yes.
0
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 39220225
Correct. I didn't make out the configuration for Gi0/0 initially because the crypto configuration bled into it.
0
 
LVL 11

Expert Comment

by:naderz
ID: 39220379
jodylemoine: are you confirming what I had in my post on 2013-06-04 at 12:25:01 (ID: 39220093)?

You have the same solution that I had posted earlier.
0
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 39276936
naderz: It looks like we were both composing at the same time and you finished first. Your solution wasn't there when I started or I wouldn't have posted.
0
 
LVL 11

Expert Comment

by:naderz
ID: 39277167
jodylemoine: no worries. All is good.
0
