Cisco 2911 IPsec

Posted on 2013-06-03
Last Modified: 2013-06-25
I've got a Cisco 2911 with a basic config... see below. I need help bonding Gi0/0 and Gi0/1 via multilink, then adding an IPsec tunnel.

Cisco 2911
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ########  address 74.124.16.84
!
!
crypto ipsec transform-set cisco esp-seal esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 24.173.1.145
 set transform-set cisco
 match address 100
!
interface GigabitEthernet0/0
 description TimeW fiber
 ip address 24.173.1.151 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map cisco
 !
!
interface GigabitEthernet0/1
 description TimeW Coax
 ip address 97.79.164.76 255.255.255.240
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/2
 description $ES_LAN$
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 24.173.1.145
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip any any
access-list 100 permit tcp any host 24.173.1.145 eq www
access-list 100 permit tcp any host 24.173.1.145 eq 442
access-list 100 permit tcp any host 24.173.1.145 eq 443
access-list 100 permit tcp any host 24.173.1.145 eq 1743
access-list 100 permit tcp any host 24.173.1.145 eq smtp
access-list 100 permit tcp any host 24.173.1.145 eq pop3
access-list 100 permit tcp any host 24.173.1.148 eq pop3
access-list 100 permit tcp any host 24.173.1.148 eq smtp
access-list 104 permit ip any any
!
!
!
!
!
!
control-plane
 !
!
!
line con 0
line aux 0
line vty 0 4

Basic IPsec setup on the 5505 at the other end is (the dropdown choices from its web form are shown in brackets, the selected/entered values after the colon):
Tunnel Name:
Interface: [WAN1 | WAN2]
Enable:

Local Group Setup
Local Security Gateway Type: [IP Only | IP + Domain Name (FQDN) Authentication | IP + Email Address (USER FQDN) Authentication | Dynamic IP + Domain Name (FQDN) Authentication | Dynamic IP + Email Address (USER FQDN) Authentication]
IP Address: 24.173.1.146
Local Security Group Type: [IP | Subnet | IP Range]
IP Address:
Subnet Mask:

Remote Group Setup
Remote Security Gateway Type: [IP Only | IP + Domain Name (FQDN) Authentication | IP + Email Address (USER FQDN) Authentication | Dynamic IP + Domain Name (FQDN) Authentication | Dynamic IP + Email Address (USER FQDN) Authentication]
IP Address / IP by DNS Resolved:
Remote Security Group Type: [IP | Subnet | IP Range]
IP Address:
Subnet Mask:

IPSec Setup
Keying Mode: [Manual | IKE with Preshared key]
Phase 1 DH Group: [Group 1 - 768 bit | Group 2 - 1024 bit | Group 5 - 1536 bit]
Phase 1 Encryption: [DES | 3DES | AES-128 | AES-192 | AES-256]
Phase 1 Authentication: [MD5 | SHA1]
Phase 1 SA Life Time: ___ seconds
Perfect Forward Secrecy:
Phase 2 DH Group: [Group 1 - 768 bit | Group 2 - 1024 bit | Group 5 - 1536 bit]
Phase 2 Encryption: [NULL | DES | 3DES | AES-128 | AES-192 | AES-256]
Phase 2 Authentication: [NULL | MD5 | SHA1]
Phase 2 SA Life Time: ___ seconds

I'm pretty comfortable with the ASA 5505. I just need some help with the format on this 2911. Thank you in advance for the help.
Question by:Triton11
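An added example, not part of the original question or of any answer on this page, showing how the IPsec portion of the posted 2911 config would look once the problems visible in it are resolved. What the posted config itself shows: the ISAKMP key is bound to 74.124.16.84 while the crypto map peers with 24.173.1.145 (which is also the default gateway), and the remote device's own form lists its address as 24.173.1.146, so IKE as posted cannot complete; ACL 100 begins with `permit ip any any` and is used both as the NAT list and as the crypto map's `match address`, so all traffic leaving Gi0/0 is treated as tunnel traffic and the port-specific lines after it are never evaluated; and the transform set uses `esp-seal`, which the remote device's Phase 2 menu (NULL/DES/3DES/AES) cannot offer, so Phase 2 would fail even if Phase 1 succeeded. The choices `hash md5` and `group 2` are also the weakest the peer lists. Assumptions that are not from the page: the remote LAN 192.168.1.0/24 (the posted form leaves it blank), the names VPN-TRAFFIC, NAT-INSIDE, TS-AES256-SHA and VPN, and the pre-shared key placeholder. AES-256 / SHA1 / DH group 5 with PFS is the strongest combination both sides on this page advertise; use SHA-2 and DH group 14 or higher whenever the peer supports them.

```ios
! --- IKEv1 Phase 1 (ISAKMP) ---
! AES-256 / SHA1 / DH group 5 is the strongest set the remote device's Phase 1
! menu on this page offers; prefer "hash sha256" and "group 14" (or higher)
! when the peer allows it.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
! 24.173.1.146 is the remote device's own address from its posted Local Group
! Setup; verify it against the real peer. The key itself is a placeholder.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 24.173.1.146
!
! --- IKEv1 Phase 2 (IPsec) ---
! No SEAL here: the remote Phase 2 menu only lists NULL/DES/3DES/AES.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: only local LAN <-> remote LAN is "interesting" traffic.
! Remote LAN 192.168.1.0/24 is an assumption; the posted form leaves it blank.
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT ACL: exempt tunnel traffic first so it keeps its private source address,
! then translate everything else from the LAN. Replaces the reuse of ACL 100.
ip access-list extended NAT-INSIDE
 deny   ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 any
!
crypto map VPN 10 ipsec-isakmp
 set peer 24.173.1.146
 set transform-set TS-AES256-SHA
 set pfs group5
 match address VPN-TRAFFIC
!
! Binding the new map replaces the posted "crypto map cisco" on the interface.
interface GigabitEthernet0/0
 crypto map VPN
!
! If IOS refuses to remove the old mapping because translations are active,
! run "clear ip nat translation *" first.
no ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! Checks after a ping from 10.0.1.x to 192.168.1.x:
!   show crypto isakmp sa      -> state QM_IDLE for peer 24.173.1.146
!   show crypto ipsec sa       -> #pkts encaps/decaps increasing for VPN-TRAFFIC
!   show ip nat translations   -> no entries for 10.0.1.0/24 -> 192.168.1.0/24
```

The NAT exemption matters as much as the crypto ACL: without the `deny` line, LAN packets bound for the remote LAN are translated to 24.173.1.151 before the crypto map sees them, no longer match VPN-TRAFFIC, and leave in the clear.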
16 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 39217697
What's connected to Gig 0/0 and Gig 0/1 on the other side?
 

Author Comment

by:Triton11
ID: 39217964
Two ISPs, both providing an Ethernet hand-off. Full duplexing.
 

Author Comment

by:Triton11
ID: 39219649
Really just need to get the bonded piece working. Haven't done this before.
 
LVL 11

Expert Comment

by:naderz
ID: 39219738
One way would be L3 etherchannel.

Create a port-channel interface and place the GigE interfaces in that channel-group. Remove IP addresses from the GigE interfaces, and configure desired IP address on the Port-Channel interface. No IPs on the GigE interfaces themselves. Do the same appropriate changes on the other side.

This would provide load-balancing (per source and destination address) and redundancy.
 
LVL 11

Expert Comment

by:naderz
ID: 39219744
For any kind of bonding you need configurations at both ends. I am assuming that is doable in your case.
 

Author Comment

by:Triton11
ID: 39219754
No... different providers. I'll have to settle for an auto failover.
 
LVL 11

Expert Comment

by:naderz
ID: 39219795
Have you considered asking your ISPs about BGP routing? A little more setup and planning, but that would provide you with seamless fail over.
 

Author Comment

by:Triton11
ID: 39219805
That is an option. Is there any way to configure this router to use both data pipes without help from the ISP?
 
LVL 11

Expert Comment

by:naderz
ID: 39220093
One way would be to provide two default routes, one to each ISP's termination point. Then turn IP CEF on (if not already enabled) and try the following:

ip cef load-sharing algorithm include-ports source destination

This makes CEF use the hash of source and destination addresses (including the source port) for switching traffic between links. This should alternate, therefore the term load-balancing, between the two links.

You may get asymmetric routing back to your site, but that should not matter. We all probably get asymmetric routing within the ISP's network anyway. As long as the two ISPs are not way off in the RTT to a given destination, you should be OK.
 
LVL 22

Accepted Solution

by:Jody Lemoine (earned 2000 total points)
ID: 39220170
The best you can do with your current configuration is session-based load-balancing.

ip cef load-sharing algorithm include-ports source destination
!
ip route 0.0.0.0 0.0.0.0 24.173.1.145
ip route 0.0.0.0 0.0.0.0 x.x.x.x (or whatever your second gateway is)
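The two-default-route CEF approach from the two comments above (naderz's post ID 39220093 and the accepted solution), written out as a complete fragment against the posted config. This is an added example, not text from either expert. Three things worth adding that the thread does not spell out: `include-ports source destination` hashes on both the source and the destination port, so each TCP/UDP flow sticks to one link while successive connections from the same host spread across both; a plain static default route only disappears when its interface goes down, so an ISP failure behind a still-up Ethernet hand-off would blackhole half the flows unless each route is tied to an IP SLA track; and the IPsec traffic from the question must be steered to Gi0/0, the only interface carrying the crypto map, or CEF may hash it onto Gi0/1 where it leaves untranslated and unencrypted. NAT likewise needs a route-map per exit interface, because `ip nat inside source list ... interface GigabitEthernet0/0 overload` translates only on Gi0/0. Assumptions not from the page: the Gi0/1 gateway (posted as x.x.x.x) is left as the placeholder `<gi0/1-gateway>`, the VPN peer as `<vpn-peer>`, the remote LAN 192.168.1.0/24 and the names NAT-INSIDE, NAT-ISP1 and NAT-ISP2 are hypothetical, and the `ip sla` syntax is the IOS 15.x form a 2911 runs (12.4 uses `ip sla monitor`).

```ios
! CEF with per-flow hashing on source/destination address and port
ip cef
ip cef load-sharing algorithm include-ports source destination
!
! Probe each ISP gateway; the default route through it is withdrawn when the
! probe fails, which is what gives failover behind an Ethernet hand-off that
! stays physically up.
ip sla 1
 icmp-echo 24.173.1.145 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip sla 2
 icmp-echo <gi0/1-gateway> source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! Two equal-cost default routes, each conditional on its track
no ip route 0.0.0.0 0.0.0.0 24.173.1.145
ip route 0.0.0.0 0.0.0.0 24.173.1.145 track 1
ip route 0.0.0.0 0.0.0.0 <gi0/1-gateway> track 2
!
! Pin IPsec to the interface that carries the crypto map (Gi0/0): both the
! protected remote LAN and the peer's own address must exit there.
! The /32 is unnecessary when the peer sits on Gi0/0's own /28, as
! 24.173.1.146 would; keep it for a peer reached through the gateway.
ip route 192.168.1.0 255.255.255.0 24.173.1.145
ip route <vpn-peer> 255.255.255.255 24.173.1.145
!
! NAT: one overload mapping per ISP, selected by the exit interface CEF chose.
! The deny keeps tunnel traffic untranslated (same exemption a crypto ACL needs).
ip access-list extended NAT-INSIDE
 deny   ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 any
!
route-map NAT-ISP1 permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/0
route-map NAT-ISP2 permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/1
!
! Gi0/1 was posted without "ip nat outside"; it needs it to translate.
interface GigabitEthernet0/1
 ip nat outside
 ip virtual-reassembly
!
! "clear ip nat translation *" first if IOS refuses to remove the active mapping
no ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload
!
! Checks:
!   show ip route 0.0.0.0                       -> two next hops while both tracks are up
!   show track brief                            -> both objects "up"; one goes down when its ISP fails
!   show ip cef exact-route 10.0.1.10 8.8.8.8   -> which link CEF picks for that pair
!   show ip nat translations                    -> outside addresses from both 24.173.1.151 and 97.79.164.76
```

What this does not give is true bonding or seamless failover: a flow in progress on a link that fails is lost, and a new flow is hashed onto the surviving link only after its track goes down. That is the trade-off the thread settles on once per-link BGP with the providers is off the table.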
 

Author Comment

by:Triton11
ID: 39220216
Thanks. That x.x.x.x would be the gateway for Gi0/1.
 
LVL 11

Expert Comment

by:naderz
ID: 39220223
Yes.
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 39220225
Correct. I didn't make out the configuration for Gi0/0 initially because the crypto configuration bled into it.
 
LVL 11

Expert Comment

by:naderz
ID: 39220379
jodylemoine: are you confirming what I had in my post on 2013-06-04 at 12:25:01 (ID: 39220093)?

You have the same solution that I had posted earlier.
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 39276936
naderz: It looks like we were both composing at the same time and you finished first. Your solution wasn't there when I started or I wouldn't have posted.
 
LVL 11

Expert Comment

by:naderz
ID: 39277167
jodylemoine: no worries. All is good.
