
Help with Second Peer Host

Status
Not open for further replies.

quickconnect
May 5, 2003
Our company will be switching external addresses shortly and I want to see if you all can help me make sure I can do this and do it correctly.

Currently our Cisco 1700 series routers are doing a site-to-site back to the main office (3000 series Cisco Concentrator) head-end device. The routers currently point to our VRRP address, which will change. What I want to accomplish is setting up a second peer host in the routers prior to the IP conversion. I want to set the new VRRP address on the router so that on the day of cutover my routers will just blip and connect to the new address.

Currently my config looks like this:
crypto isakmp policy 110
hash md5
authentication pre-share
lifetime 600
crypto isakmp key XXXXX address 65.221.x.x
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set drbset esp-3des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map drbmap 10 ipsec-isakmp
set peer 65.221.x.x
set transform-set drbset
match address 101


Can I just do this, and then when the conversion is over and all the tunnels come back up, remove the old statement?

New Config:
crypto isakmp policy 110
hash md5
authentication pre-share
lifetime 600
crypto isakmp key cms7655drb address 65.221.x.x
crypto isakmp key cms7655drb address 64.200.x.x
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set drbset esp-3des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map drbmap 10 ipsec-isakmp
set peer 65.221.x.x
set peer 64.200.x.x
set transform-set drbset
match address 101
 
Yes, it will work. You will need to add a secondary route to the new VRRP destination to use the new tunnel as an alternate path if the primary is not established.

Is the change going to be a full cut-over? Are you getting a new ISP? Can you have both subnets available at the same time for a period of time? Because you could take your redundant 3000 and configure it on the new subnet in your VRRP configuration with the new IP scheme. It of course would be the active concentrator (on that subnet) because it would see the other. While the tunnel is established over the old subnet, create/add the new parameters to the new destination and swing it over. And then move the original VRRP 3000 to the new subnet once all your sites have moved over to the new destination. Then of course the old subnet could be removed from your ISP.

Wait a minute, Does VRRP allow load balancing? I mean is it an all-or-nothing on both Private and public? I can’t remember the differences in two high availability solutions.

Anyway your idea for configuring the second tunnel will work provided you have the secondary route pointed at that destination.



Also, when you get done, give us all a summary of the successes/challenges. Not only do we benefit from direct help but we benefit from others' experiences.
 
Ru55ell,

Currently we have two concentrators (Cisco 3060s) set up in fail-over, not load-balanced. So the way it works is all VPN clients and site-to-sites point to the VRRP address, and if the primary reports as DOWN then the secondary (backup concentrator) becomes primary. So yes, only one concentrator can accept connections at one given time.

I'm a bit confused about the second route. How would I configure that? Do I really need an alternative route if I'm actually only pointing to one (VRRP) address?
 
I'm an ID10T :)

I may be wrong. Do you specify any static routes to the VRRP in use today? I think you’ll know where the network (other side of the tunnel) is once the tunnel is established. I believe if you were in the router and did a show IP route, the concentrator LAN would show up in the table.

I would only suggest you brush up on the command syntax. You’ll need to add the word “default” in the code you posted.

crypto map drbmap 10 ipsec-isakmp
set peer 65.221.x.x default
set peer 64.200.x.x
 
Ru55ell

Yes, the routing information is specified in the Concentrator, as it knows where to push all the VPN traffic to.

I have also looked at all my router configs and I currently don't have a "default" statement next to the set peer 65.221.x.x. I suppose this is because I only have one peer specified, correct? So when I add the second peer address, do I need to add the "default" statement as you listed above?
 
Correct, add the default statement to one of the two entries.
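To turn the two points raised in this thread into something checkable before the cutover day, here is a small checker (added example code, not from the thread, from Cisco, or from either poster). It parses a running-config fragment in the form quickconnect posted and verifies that every "set peer" in a crypto map has a matching "crypto isakmp key ... address" entry, and that when a map entry carries more than one peer exactly one of them is marked "default", as Ru55ell describes. It also produces the post-cutover config by dropping the old peer's lines, which is the clean-up quickconnect asks about. The sample config, the host octets and the key value are constructed placeholders.

```python
"""Pre-cutover checker for a multi-peer IOS crypto map (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's "New Config". Host octets and
# the pre-shared key are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
crypto isakmp policy 110
 hash md5
 authentication pre-share
 lifetime 600
crypto isakmp key PLACEHOLDER_KEY address 65.221.1.1
crypto isakmp key PLACEHOLDER_KEY address 64.200.1.1
!
crypto ipsec transform-set drbset esp-3des esp-md5-hmac
!
crypto map drbmap 10 ipsec-isakmp
 set peer 65.221.1.1 default
 set peer 64.200.1.1
 set transform-set drbset
 match address 101
"""

KEY_RE = re.compile(r"^\s*crypto isakmp key \S+ address (\S+)")
MAP_RE = re.compile(r"^\s*crypto map (\S+) (\d+) ipsec-isakmp")
PEER_RE = re.compile(r"^\s*set peer (\S+)( default)?\s*$")


def parse(config):
    """Return (addresses with a pre-shared key, {(map, seq): [(peer, is_default), ...]})."""
    keyed = set()
    peers = defaultdict(list)
    current = None  # crypto map entry whose sub-commands we are reading
    for line in config.splitlines():
        m = KEY_RE.match(line)
        if m:
            keyed.add(m.group(1))
            continue
        m = MAP_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = PEER_RE.match(line)
        if m and current is not None:
            peers[current].append((m.group(1), m.group(2) is not None))
    return keyed, dict(peers)


def check(config):
    """Return a list of findings; an empty list means the peer set is consistent."""
    keyed, peers = parse(config)
    findings = []
    for (name, seq), plist in peers.items():
        # Every peer the map can try must have an ISAKMP pre-shared key, or
        # phase 1 to that peer fails after the cutover.
        for addr, _ in plist:
            if addr not in keyed:
                findings.append(f"{name} {seq}: peer {addr} has no isakmp key")
        # With several peers, exactly one should carry the 'default' keyword.
        defaults = [a for a, d in plist if d]
        if len(plist) > 1 and len(defaults) != 1:
            findings.append(
                f"{name} {seq}: {len(plist)} peers but {len(defaults)} marked default"
            )
    return findings


def post_cutover(config, old_peer):
    """Return the config with the old peer's key and 'set peer' lines removed."""
    kept = []
    for line in config.splitlines():
        m = KEY_RE.match(line) or PEER_RE.match(line)
        if m and m.group(1) == old_peer:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("before cutover:", check(SAMPLE_CONFIG) or "ok")
    after = post_cutover(SAMPLE_CONFIG, "65.221.1.1")
    print("after cutover:", check(after) or "ok")
    print(after)
```

Run it against a saved "show running-config" fragment rather than the sample to confirm the staged config before the change window; the post-cutover output is what the router should look like once the old peer statement is removed.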
 
OK, I will let you know how this all goes when we cut over. Thanks for your help.
 