cisco 2911 ipsec

I've got a Cisco 2911 with a basic config... see below. I need help bonding the 0/0 and 0/1 via multilink, then adding an IPsec tunnel.

Cisco 2911
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ########  address 74.124.16.84
!
!
crypto ipsec transform-set cisco esp-seal esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 24.173.1.145
 set transform-set cisco
 match address 100
!
interface GigabitEthernet0/0
 description TimeW fiber
 ip address 24.173.1.151 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map cisco
 !
!
interface GigabitEthernet0/1
 description TimeW Coax
 ip address 97.79.164.76 255.255.255.240
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/2
 description $ES_LAN$
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 24.173.1.145
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip any any
access-list 100 permit tcp any host 24.173.1.145 eq www
access-list 100 permit tcp any host 24.173.1.145 eq 442
access-list 100 permit tcp any host 24.173.1.145 eq 443
access-list 100 permit tcp any host 24.173.1.145 eq 1743
access-list 100 permit tcp any host 24.173.1.145 eq smtp
access-list 100 permit tcp any host 24.173.1.145 eq pop3
access-list 100 permit tcp any host 24.173.1.148 eq pop3
access-list 100 permit tcp any host 24.173.1.148 eq smtp
access-list 104 permit ip any any
!
!
!
!
!
!
control-plane
 !
!
!
line con 0
line aux 0
line vty 0 4

Basic IPsec setup on the 5505 at the other end is ...

Tunnel Name :
Interface : WAN1 / WAN2
Enable :

Local Group Setup
Local Security Gateway Type : IP Only / IP + Domain Name (FQDN) Authentication / IP + Email Address (USER FQDN) Authentication / Dynamic IP + Domain Name (FQDN) Authentication / Dynamic IP + Email Address (USER FQDN) Authentication
IP Address : 24.173.1.146
Local Security Group Type : IP / Subnet / IP Range
IP Address :
Subnet Mask :

Remote Group Setup
Remote Security Gateway Type : IP Only / IP + Domain Name (FQDN) Authentication / IP + Email Address (USER FQDN) Authentication / Dynamic IP + Domain Name (FQDN) Authentication / Dynamic IP + Email Address (USER FQDN) Authentication
IP Address / IP by DNS Resolved :
Remote Security Group Type : IP / Subnet / IP Range
IP Address :
Subnet Mask :

IPSec Setup
Keying Mode : Manual / IKE with Preshared key
Phase 1 DH Group : Group 1 - 768 bit / Group 2 - 1024 bit / Group 5 - 1536 bit
Phase 1 Encryption : DES / 3DES / AES-128 / AES-192 / AES-256
Phase 1 Authentication : MD5 / SHA1
Phase 1 SA Life Time : seconds
Perfect Forward Secrecy :
Phase 2 DH Group : Group 1 - 768 bit / Group 2 - 1024 bit / Group 5 - 1536 bit
Phase 2 Encryption : NULL / DES / 3DES / AES-128 / AES-192 / AES-256
Phase 2 Authentication : NULL / MD5 / SHA1
Phase 2 SA Life Time : seconds

I'm pretty comfortable with the ASA 5505. I just need some help with the format on this 2911. Thank you in advance for the help.
Triton11 asked:
Jody Lemoine (Network Architect) commented:
The best you can do with your current configuration is session-based load-balancing.

ip cef load-sharing algorithm include-ports source destination
!
ip route 0.0.0.0 0.0.0.0 24.173.1.145
ip route 0.0.0.0 0.0.0.0 x.x.x.x (or whatever your second gateway is)
0
 
naderz commented:
What's connected to Gig 0/0 and Gig 0/1 on the other side?
0
 
Triton11 (Author) commented:
Two ISPs, both providing an Ethernet hand-off. Full duplexing.
0
 
Triton11 (Author) commented:
Really just need to get the bonded piece working. Haven't done this before.
0
 
naderz commented:
One way would be L3 etherchannel.

Create a port-channel interface and place the GigE interfaces in that channel-group. Remove IP addresses from the GigE interfaces, and configure desired IP address on the Port-Channel interface. No IPs on the GigE interfaces themselves. Do the same appropriate changes on the other side.

This would provide load-balancing (per source and destination address) and redundancy.
0
 
naderz commented:
For any kind of bonding you need configurations at both ends. I am assuming that is doable in your case.
0
 
Triton11 (Author) commented:
No... different providers. I'll have to settle for an auto failover.
0
 
naderz commented:
Have you considered asking your ISPs about BGP routing? A little more setup and planning, but that would provide you with seamless fail over.
0
 
Triton11 (Author) commented:
That is an option. Is there any way to configure this router to use both data pipes without help from the ISP?
0
 
naderz commented:
One way would be to provide two default routes, one to each ISP's termination point. Then turn IP CEF on (if not already enabled) and try the following:

ip cef load-sharing algorithm include-ports source destination

This makes CEF use the hash of source and destination addresses (including the source port) for switching traffic between links. This should alternate between the two links, hence the term load-balancing.

You may get asymmetric routing back to your site, but that should not matter. We all probably get asymmetric routing within the ISP's network anyway. As long as the two ISPs are not way off in the RTT to a given destination, you should be OK.
0
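An added example, not from any poster in this thread, that combines the two default routes and the CEF command from both answers above with IP SLA tracking for the auto failover the asker settled on, plus NAT per egress interface; the coax gateway (GW2_PLACEHOLDER), the probe targets, ACL 110 and the route-map names are assumptions, everything else comes from the posted config.

```cisco
! Added example (not from the thread): dual-WAN failover plus CEF load-sharing
! for the 2911 above. Gi0/0 = fiber with gateway 24.173.1.145 (from the posted
! config); the coax gateway on Gi0/1 is not on the page, so GW2_PLACEHOLDER stands in.
ip cef
ip cef load-sharing algorithm include-ports source destination
!
! Probe each ISP through its own interface so a dead link, not just a down
! port, withdraws that default route. Probing the gateways themselves is an
! assumption; a host beyond the ISP edge catches more failure modes.
ip sla 1
 icmp-echo 24.173.1.145 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo GW2_PLACEHOLDER source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Equal-cost defaults, each tied to its probe: with both up, CEF shares
! sessions across them; when a probe fails its route is withdrawn and all
! traffic fails over to the surviving link.
ip route 0.0.0.0 0.0.0.0 24.173.1.145 track 1
ip route 0.0.0.0 0.0.0.0 GW2_PLACEHOLDER track 2
!
! The posted NAT translates only to Gi0/0's address. Sessions hashed onto
! Gi0/1 would leave with 10.0.1.x sources and be dropped by the coax ISP, so
! translate per egress interface. ACL 110 (assumed) matches only the LAN
! instead of the "permit ip any any" of ACL 100.
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
route-map NAT-FIBER permit 10
 match ip address 110
 match interface GigabitEthernet0/0
route-map NAT-COAX permit 10
 match ip address 110
 match interface GigabitEthernet0/1
no ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-FIBER interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-COAX interface GigabitEthernet0/1 overload
interface GigabitEthernet0/1
 ip nat outside
```

Note that in the posted config ACL 100 ("permit ip any any") is referenced both by the NAT statement and by the crypto map's "match address 100", so the tunnel's interesting traffic should get its own, narrower ACL before the crypto map is relied on.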
 
Triton11 (Author) commented:
Thx. That x.x.x.x would be the gateway for Gi0/1.
0
 
naderz commented:
Yes.
0
 
Jody Lemoine (Network Architect) commented:
Correct. I didn't make out the configuration for Gi0/0 initially because the crypto configuration bled into it.
0
 
naderz commented:
jodylemoine: are you confirming what I had in my post on 2013-06-04 at 12:25:01 (ID: 39220093)?

You have the same solution that I had posted earlier.
0
 
Jody Lemoine (Network Architect) commented:
naderz: It looks like we were both composing at the same time and you finished first. Your solution wasn't there when I started or I wouldn't have posted.
0
 
naderz commented:
jodylemoine: no worries. All is good.
0
Question has a verified solution.