VPN tunnel doesn't terminate on secondary ip address

    We want to be able to have redundancy on our 1721 router, which has an
    Ethernet interface connected to two ISPs (a primary IP address (call it
    A) and a secondary IP address (call it B)).

    This part works fine from an IP routing point of view (two default
    routes, one to each of the next-hop routers).

    But the problem occurs when trying to run VPN tunnels via the secondary
    ISP (address B).

    VPN clients can connect to IP address A no problem.

    VPN clients can't connect to IP address B - it authenticates the user and
    negotiates security policies, but during the 'securing communications
    channel' phase they get "Reason 403: Unable to contact the security gateway".

    I have a feeling it is failing simply because it is not the PRIMARY
    address on the interface. The same goes for a VPN tunnel between two 1721
    routers - they only communicate via the primary IP address.

    Swapping addresses A and B around so A becomes secondary moves the
    problem to address A, so I have it firmly in my mind that this is a
    secondary address issue and not an ISP issue.

    I wanted to try setting up subinterfaces Eth0.1 and Eth0.2 so that
    addresses A and B are both 'primary' addresses, but I don't think this can
    be achieved on the Ethernet0 interface.

    I've tried creating a Loopback0 interface for address B and tying it to
    the same crypto map as the Ethernet interface, with some routing
    hacks, but this doesn't work either - VPN clients authenticate and
    secure the channel, but don't receive any packets, as it insists on sending
    packets out via the primary address on the Ethernet interface. Reverse
    route injection didn't help either.

    I'm at a loss as to how this can be achieved now without purchasing a 2nd
    WIC-1E card for the router (which in my mind shouldn't be necessary!),
    so any pointers are very welcome!

    Has anyone managed to get something like this working?


    Keith Hall, Dec 14, 2003
    OK, what I don't understand is what you are referring to as the primary
    interface, because in the IOS there isn't anything called the
    primary interface. I have two guesses as to what you are referring to.
    Either: you have two ISPs and you have a higher administrative
    distance on one, so all traffic will go out the one interface by
    default (but you said you were load balancing), or you only applied the
    crypto map to one interface and are referring to that as the primary
    because of that (but you said it went through authentication, and it
    wouldn't have if you didn't have a crypto map applied). Like I said, I
    don't understand what you are referring to as the primary. Also, if you
    really want to have an answer to your question it would be a lot more
    useful to have the config, or at least the IPsec sections and assignments
    to the interfaces; just change the global IPs and the passwords. It
    should work nicely though, because I have tried applying the same map to
    two interfaces and it works on both.
    ganlet, Dec 15, 2003
    Not primary interface, primary /address/ on interface.
    Yes, two interfaces would work, but what about two addresses on ONE?

    Main bits of the configuration are below. What I am saying is that in this
    instance, a connection can be made to (primary) but not (secondary).


    version 12.3
    boot system flash:c1700-k9o3sy7-mz.123-2.T.bin
    aaa new-model
    aaa authentication login userauthen group radius
    aaa authorization network groupauthor local
    aaa accounting network default start-stop group radius
    aaa accounting network dialin start-stop group radius
    aaa session-id common
    ip subnet-zero
    no ip source-route
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp policy 25
     encr 3des
     authentication pre-share
    crypto isakmp key key address no-xauth
    crypto isakmp client configuration group remotegroup
     key abcdefgh
     domain int
     pool ippool
     acl 110
    crypto ipsec transform-set ESP esp-3des esp-sha-hmac
    crypto ipsec transform-set dialin esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 20
     set transform-set dialin
    crypto map GRE client authentication list userauthen
    crypto map GRE client accounting list dialin
    crypto map GRE isakmp authorization list groupauthor
    crypto map GRE client configuration address respond
    crypto map GRE 10 ipsec-isakmp
     set peer
     set transform-set ESP
     match address 111
    crypto map GRE 50 ipsec-isakmp dynamic dynmap
    interface Tunnel0
     ip address
     ip mtu 1500
     tunnel source Ethernet0
     tunnel destination
    interface Ethernet0
     ip address secondary
     ip address
     no ip route-cache
     no ip split-horizon
     no ip mroute-cache
     crypto map GRE
    interface FastEthernet0
     ip address
     ip access-group 101 in
     no ip redirects
     no ip mroute-cache
     speed auto
    router rip
    ip local pool ippool
    ip classless
    ip route
    ip route
    access-list 1 permit
    access-list 1 permit
    access-list 1 permit
    access-list 1 permit
    access-list 101 permit ip any
    access-list 110 permit ip
    access-list 111 permit gre host host
    access-list 111 permit gre host host
    radius-server host auth-port 1812 acct-port 1813 key 7
    radius-server host auth-port 1812 acct-port 1813 key 7


    Keith Hall, Dec 16, 2003
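The condition described in this thread (a crypto map applied to an interface that also carries secondary addresses, so IPsec peers can only terminate on the primary address) is easy to miss in a config review. The following is an added example, not code from the thread: a small lint over an IOS-style config that reports such interfaces and whether the map's source address has been pinned with the IOS `crypto map <name> local-address <interface>` command (a command not used in the thread). The sample config is constructed and uses RFC 5737 documentation addresses in place of the poster's real ones.

```python
import re

# Constructed sample modelled on the thread's config (addresses are placeholders).
SAMPLE_CONFIG = """\
crypto map GRE 10 ipsec-isakmp
 set peer 203.0.113.9
crypto map GRE 50 ipsec-isakmp dynamic dynmap
interface Ethernet0
 ip address 192.0.2.2 255.255.255.0 secondary
 ip address 198.51.100.2 255.255.255.0
 crypto map GRE
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.0
"""

def parse_interfaces(config):
    """Split an IOS config into {interface_name: [indented sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif not line.startswith(" "):
            current = None          # left the interface block
    return interfaces

def local_address_maps(config):
    """Names of crypto maps whose source address is pinned with 'local-address'."""
    return set(re.findall(r"^crypto map (\S+) local-address \S+", config, re.M))

def crypto_maps_on_secondary(config):
    """Report interfaces carrying both a crypto map and secondary addresses.
    Peers can only terminate IPsec on the primary address there unless the
    map's local address is pinned elsewhere (e.g. a loopback interface)."""
    pinned = local_address_maps(config)
    findings = []
    for name, cmds in parse_interfaces(config).items():
        cmap = next((c.split()[2] for c in cmds if c.startswith("crypto map ")), None)
        addrs = [c.split() for c in cmds if c.startswith("ip address ")]
        primary = [a[2] for a in addrs if "secondary" not in a]
        secondary = [a[2] for a in addrs if "secondary" in a]
        if cmap and secondary:
            findings.append({"interface": name, "crypto_map": cmap,
                             "primary": primary[0] if primary else None,
                             "secondary": secondary,
                             "local_address_pinned": cmap in pinned})
    return findings

if __name__ == "__main__":
    for finding in crypto_maps_on_secondary(SAMPLE_CONFIG):
        print(finding)
```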
    Surely someone somewhere is running a config similar to this?

    Keith Hall, Dec 17, 2003
