VPN tunnel doesn't terminate on secondary ip address

Discussion in 'Cisco' started by Keith Hall, Dec 14, 2003.

  1. Keith Hall

    Keith Hall Guest

    We want to be able to have redundancy on our 1721 router, which has an
    Ethernet interface connected to two ISPs (a primary IP address, call it
    A, and a secondary IP address, call it B).

    This part works fine from an IP routing point of view (two default
    routes, one to each of the next-hop routers).

    But the problem occurs when trying to run VPN tunnels via the secondary
    ISP (address B).

    VPN clients can connect to IP address A no problem.

    VPN clients can't connect to IP address B: it authenticates the user and
    negotiates security policies, but during the 'securing communications
    channel' phase, "Reason 403: Unable to contact the security gateway"
    occurs.

    I have a feeling it is failing simply because it is not the PRIMARY
    address on the interface. The same goes for a VPN tunnel between two
    1721 routers: they only communicate via the primary IP address.

    Swapping addresses A and B around so A becomes secondary moves the
    problem to address A, so I have it firmly in my mind that this is a
    secondary address issue and not an ISP issue.

    I wanted to try setting up subinterfaces Eth0.1 and Eth0.2 so that
    addresses A and B are both 'primary' addresses, but I don't think this
    can be achieved on the Ethernet0 interface.

    I've tried creating a Loopback0 interface for address B and tying it to
    the same crypto map as the Ethernet interface, with some routing hacks,
    but this doesn't work either: VPN clients authenticate and secure the
    channel, but don't receive any packets, as the router insists on
    sending packets out via the primary address on the Ethernet interface.
    Reverse route injection didn't help either.

    I'm at a loss as to how this can be achieved now without purchasing a
    second WIC-1E card for the router (which in my mind shouldn't be
    necessary!), so any pointers are very welcome!

    Has anyone managed to get something like this working?

    Regards,

    Keith.
    Keith Hall, Dec 14, 2003
    #1

  2. ganlet

    ganlet Guest

    OK, what I don't understand is what you are referring to as the primary
    interface, because in the IOS there isn't anything called the primary
    interface. I have two guesses as to what you are referring to. Either
    you have two ISPs and a higher administrative distance on one, so all
    traffic will go out the one interface by default (but you said you were
    load balancing), or you only applied the crypto map to one interface
    and are referring to that as the primary because of that (but you said
    it went through authentication, and it wouldn't have if you didn't have
    a crypto map applied). Like I said, I don't understand what you are
    referring to as the primary. Also, if you really want an answer to your
    question, it would be a lot more useful to have the config, or at least
    the IPsec sections and the assignments to the interfaces; just change
    the global IPs and the passwords. It should work nicely, though,
    because I have tried applying the same map to two interfaces and it
    works on both.
    ganlet, Dec 15, 2003
    #2

  3. Keith Hall

    Keith Hall Guest

    (ganlet) wrote in message news:<>...
    > ok what i dont understand is what you are refering to as the primary
    > interface because it in the ios there isnt' anything called the


    not primary interface, primary /address/ on interface

    > should work though nicely because i have tried applyin the same map to
    > two interfaces and it works on both.


    Yes, two interfaces would work, but what about two addresses on ONE
    interface?

    The main bits of the configuration are below. What I am saying is that
    in this instance, a connection can be made to 69.7.66.21 (primary) but
    not to 204.193.8.133 (secondary).

    Keith.


    version 12.3
    !
    boot system flash:c1700-k9o3sy7-mz.123-2.T.bin
    aaa new-model
    aaa authentication login userauthen group radius
    aaa authorization network groupauthor local
    aaa accounting network default start-stop group radius
    aaa accounting network dialin start-stop group radius
    aaa session-id common
    ip subnet-zero
    no ip source-route
    !
    !
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 25
    encr 3des
    authentication pre-share
    crypto isakmp key key address 184.5.16.33 no-xauth
    !
    crypto isakmp client configuration group remotegroup
    key abcdefgh
    dns 192.168.129.3
    wins 192.168.129.3
    domain int
    pool ippool
    acl 110
    save-password
    !
    !
    crypto ipsec transform-set ESP esp-3des esp-sha-hmac
    crypto ipsec transform-set dialin esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 20
    set transform-set dialin
    !
    !
    crypto map GRE client authentication list userauthen
    crypto map GRE client accounting list dialin
    crypto map GRE isakmp authorization list groupauthor
    crypto map GRE client configuration address respond
    crypto map GRE 10 ipsec-isakmp
    set peer 184.5.16.33
    set transform-set ESP
    match address 111
    crypto map GRE 50 ipsec-isakmp dynamic dynmap
    !
    !
    interface Tunnel0
    ip address 192.168.11.129 255.255.255.0
    ip mtu 1500
    tunnel source Ethernet0
    tunnel destination 184.5.16.33
    !
    interface Ethernet0
    ip address 204.193.8.133 255.255.252.0 secondary
    ip address 69.7.66.21 255.255.255.240
    no ip route-cache
    no ip split-horizon
    no ip mroute-cache
    half-duplex
    crypto map GRE
    !
    interface FastEthernet0
    ip address 192.168.129.1 255.255.255.0
    ip access-group 101 in
    no ip redirects
    no ip mroute-cache
    speed auto
    full-duplex
    !
    router rip
    network 192.168.0.0
    !
    ip local pool ippool 192.168.21.100 192.168.21.200
    ip classless
    ip route 0.0.0.0 0.0.0.0 69.7.66.17
    ip route 0.0.0.0 0.0.0.0 204.193.8.1
    !
    !
    access-list 1 permit 192.168.0.0 0.0.255.255
    access-list 1 permit 184.5.16.32 0.0.0.15
    access-list 1 permit 69.7.66.16 0.0.0.15
    access-list 1 permit 204.193.8.128 0.0.0.15
    access-list 101 permit ip 192.168.0.0 0.0.255.255 any
    access-list 110 permit ip 192.168.0.0 0.0.255.255 192.168.21.0 0.0.0.255
    access-list 111 permit gre host 69.7.66.21 host 184.5.16.33
    access-list 111 permit gre host 204.193.8.133 host 184.5.16.33
    !
    radius-server host 192.168.129.2 auth-port 1812 acct-port 1813 key 7 adfs
    radius-server host 192.168.2.7 auth-port 1812 acct-port 1813 key 7 adfs
    !
    end

    Regards,

    Keith.
    Keith Hall, Dec 16, 2003
    #3
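As an added example (not code from the thread), a small Python check that parses an IOS-style config excerpt, constructed from the one Keith posted with the sub-command indentation the forum stripped, and flags the condition the thread describes: a crypto map bound to an interface that also carries secondary addresses, plus crypto-ACL entries keyed to one of those secondary addresses. It assumes the behaviour Keith observed, namely that ISAKMP/IPsec and the GRE tunnel are sourced from the interface's primary address.

```python
import re

# Constructed excerpt of the config posted in the thread (assumption: one-space
# IOS indentation for sub-commands, which the forum extraction removed).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 204.193.8.133 255.255.252.0 secondary
 ip address 69.7.66.21 255.255.255.240
 crypto map GRE
!
access-list 111 permit gre host 69.7.66.21 host 184.5.16.33
access-list 111 permit gre host 204.193.8.133 host 184.5.16.33
"""

def parse_interfaces(config):
    """Map interface name -> primary address, secondary addresses, crypto map."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not raw.startswith(" "):          # unindented line ends any block
            cur = parts[1] if parts[:1] == ["interface"] else None
            if cur:
                ifaces[cur] = {"primary": None, "secondary": [], "crypto_map": None}
        elif cur and parts[:2] == ["ip", "address"]:
            if parts[-1] == "secondary":
                ifaces[cur]["secondary"].append(parts[2])
            else:
                ifaces[cur]["primary"] = parts[2]
        elif cur and parts[:2] == ["crypto", "map"]:
            ifaces[cur]["crypto_map"] = parts[2]
    return ifaces

def audit(config):
    """Flag the thread's failure mode: a crypto map on an interface that has
    secondary addresses, and crypto-ACL entries keyed to such an address."""
    findings = []
    acl_hosts = re.findall(r"^access-list (\d+) permit \S+ host (\S+) host \S+", config, re.M)
    for name, d in parse_interfaces(config).items():
        if not (d["crypto_map"] and d["secondary"]):
            continue
        findings.append(f"{name}: crypto map {d['crypto_map']} terminates on primary "
                        f"{d['primary']}, not on secondary {', '.join(d['secondary'])}")
        for acl, src in acl_hosts:
            if src in d["secondary"]:
                findings.append(f"access-list {acl}: host {src} is a secondary address "
                                f"of {name}; GRE from it is sourced as {d['primary']}")
    return findings
```

Run on a full `show running-config` the same way; an interface with a crypto map and no secondary addresses produces no finding.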
  4. Keith Hall

    Keith Hall Guest

    Surely someone somewhere is running a config similar to this?

    Keith.
    Keith Hall, Dec 17, 2003
    #4
