Configuration setup.
Site to site vpn.
/----- ISP 1
R1 -------ISP 2 ISP 3 --- R3
Physical Interfaces:
R1 has 2 interfaces connected to 2 ISPs
R3 has 1 interface connected to 1 ISP.
Logical:
R1 has 2 IPSEC encapsulated GRE tunnels to R3. 1 Single Endpoint.
R3 has 2 IPSEC encapsulated GRE tunnels to R1. 2 different Endpoints.
The problem:
Getting R1 to forward IPSEC traffic to separate ISPs according to Source, since the destination is the same (R3).
I tried routemap (see R1 config) but IPSEC is performed after routemap. The 2 IPSEC tunnel traffic (i.e. from 100.100.100.1 to 50.50.50.3 and 200.200.200.1 to 50.50.50.3) both go to one ISP or the other if I have a default route in there.
How do I get traffic from 100.100.100.1 to go to ISP1, and from 200.200.200.1 to go to ISP 2?
######### R1 Router. 2 ISP interfaces. 2 Tunnel interfaces.
!
version 12.3
!
hostname R1
!
!
ip subnet-zero
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key abc123 address 50.50.50.50
!
!
crypto ipsec transform-set myTrans esp-3des esp-md5-hmac
!
crypto map myMap local-address Ethernet1/0
crypto map myMap 1 ipsec-isakmp
set peer 50.50.50.3
set transform-set myTrans
match address 100
!
crypto map myMap2 local-address Ethernet1/1
crypto map myMap2 1 ipsec-isakmp
set peer 50.50.50.3
set transform-set myTrans
match address 101
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.10.1 255.255.255.0
keepalive 10 3
tunnel source Loopback0
tunnel destination 192.168.1.3
crypto map myMap
!
interface Tunnel1
ip address 192.168.20.1 255.255.255.0
keepalive 10 3
tunnel source Loopback0
tunnel destination 192.168.2.3
crypto map myMap2
!
interface Ethernet0/0
description R1 Internal LAN
ip address 20.20.20.0 255.255.255.0
half-duplex
!
!
interface Ethernet1/0
ip address 100.100.100.1 255.255.255.0
half-duplex
crypto map myMap
!
interface Ethernet1/1
ip address 200.200.200.1 255.255.255.0
half-duplex
crypto map myMap2
!
ip local policy route-map myRoute
!
ip classless
ip route 10.10.10.0 255.255.255.0 Tunnel0
ip route 10.10.10.0 255.255.255.0 Tunnel1
ip route 10.10.10.0 255.255.255.0 Null0 150
ip route 192.168.1.3 255.255.255.255 Ethernet1/0
ip route 192.168.2.3 255.255.255.255 Ethernet1/1
!
!
access-list 100 permit gre host 192.168.1.1 host 192.168.1.3
access-list 101 permit gre host 192.168.1.1 host 192.168.2.3
!
access-list 188 permit ip host 100.100.100.1 any
access-list 199 permit ip host 200.200.200.1 any
!
route-map myRoute permit 10
match ip address 188
set ip next-hop 100.100.100.2
!
route-map myRoute permit 20
match ip address 199
set ip next-hop 200.200.200.2
!
!
!
dial-peer cor custom
!
!
line con 0
line aux 0
line vty 0 4
no login
!
!
end
R1#
######### R2 ISP Router -- Simulating ISP connections.
version 12.3
!
hostname R2
!
!
ip subnet-zero
!
!
interface Ethernet0/0
description to Router R3
ip address 50.50.50.2 255.255.255.0
no ip proxy-arp
half-duplex
!
interface Ethernet1/0
description to Router 1 E1/0
ip address 100.100.100.2 255.255.255.0
no ip proxy-arp
half-duplex
!
interface Ethernet1/1
description to Router 1 E1/1
ip address 200.200.200.2 255.255.255.0
no ip proxy-arp
half-duplex
!
ip classless
!
!
!
line con 0
line aux 0
line vty 0 4
end
R2#
######### R3 Router - Single ISP connection. Two tunnel interfaces.
version 12.3
!
hostname R3
!
!
ip subnet-zero
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key abc123 address 100.100.100.1
crypto isakmp key abc123 address 200.200.200.1
!
!
crypto ipsec transform-set myTrans esp-3des esp-md5-hmac
!
crypto map myMap local-address Ethernet1/0
crypto map myMap 10 ipsec-isakmp
set peer 100.100.100.1
set transform-set myTrans
match address 100
crypto map myMap 20 ipsec-isakmp
set peer 200.200.200.1
set transform-set myTrans
match address 101
!
!
!
interface Loopback0
ip address 192.168.1.3 255.255.255.255
!
interface Loopback1
ip address 192.168.2.3 255.255.255.255
!
interface Tunnel0
ip address 192.168.10.3 255.255.255.0
keepalive 10 3
tunnel source Loopback0
tunnel destination 192.168.1.1
crypto map myMap
!
interface Tunnel1
ip address 192.168.20.3 255.255.255.0
keepalive 10 3
tunnel source Loopback1
tunnel destination 192.168.1.1
crypto map myMap
!
interface Ethernet0/0
description to Internal LAN
ip address 10.10.10.1 255.255.255.0
half-duplex
!
interface Ethernet1/0
ip address 50.50.50.3 255.255.255.0
half-duplex
crypto map myMap
!
!
ip classless
ip route 20.20.20.0 255.255.255.0 Tunnel0
ip route 20.20.20.0 255.255.255.0 Tunnel1
ip route 192.168.1.1 255.255.255.255 Ethernet1/0
!
!
access-list 100 permit gre host 192.168.1.3 host 192.168.1.1
access-list 101 permit gre host 192.168.2.3 host 192.168.1.1
!
!
line con 0
line aux 0
line vty 0 4
!
end
R3#
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74173&t=74173