x*********n (posts: 28013) | #1
The customer says they cannot get across the VPN tunnel; ping xxxx source xxxx does not work.
Then I looked at the router and found two tunnels. One of them had been moved away, and the second one was actually working. Removing the first crypto map entry solved the problem.
But I do not understand why one extra crypto map entry causes a problem. Doesn't the router treat them like an ACL, checking one entry and, if it does not match, moving on to the next?
crypto map vpnmap 6 ipsec-isakmp
description To_Providence_new
set peer WAN IP 1
set transform-set vpnset
match address To_Providence
crypto map vpnmap 7 ipsec-isakmp
description To_Providence_new
set peer WAN IP 2
set transform-set vpnset
match address To_Providence

| s*****g (posts: 1055) | #2
Most likely the first IKE SA is up and the lifetime of the IPsec SA with the first peer has not expired yet (no DPD configured?), so traffic is being sent to that IPsec SA and gets black-holed.
There are many gotchas in redundant IPsec GW design, especially at the hub site. You should troubleshoot to see why the IPsec SA with the first peer failed; removing the first peer will temporarily resolve your problem, but you are losing redundancy, which is against the original design goal.
[Quoting x*********n, #1]
| x*********n (posts: 28013) | #3
Oh... that is a great explanation. I see the other sites all have a single tunnel, so there seems to be no redundancy there.
[Quoting s*****g, #2]
| he (posts: 2025) | #4
The all-rounder Sanwang is awesome!
[Quoting s*****g, #2]
| m**t (posts: 1292) | #5
IPsec itself does not provide redundancy; what level of redundancy are you referring to?
[Quoting s*****g, #2]
| n*****2 (posts: 38) | #6
I think #5 is correct; you need special hardware to do the redundancy.

| s*****g (posts: 1055) | #7
Redundant IPsec gateway for the same peer; look at the OP's (LZ's) post. The configuration can be as simple as configuring two IKE peers on the spoke to protect the same pairs of "interesting" traffic; on the hub side, use SSO/HSRP to achieve stateful IPsec fail-over.
[Quoting m**t, #5]
| m**t (posts: 1292) | #8
If it is IKEv1, the IPsec peer IP / gateway IP cannot change; otherwise a new tunnel is needed. What you describe could be one of several scenarios; since I have no feel for Cisco's CLI, I am not sure:
1. The spoke side has two gateway IPs and uses them together with DPD; after IP1 fails, it uses IP2 to run IKE and re-establish the tunnel.
2. If it is IKEv2, or the transitional thing Cisco seems to have made at one point, no new IKE is needed; an SA_UPDATE updates the gateway IP. This counts as stateful.
3. If conditions allow, both ends can use HSRP/SSO to take over the IP, and then do an SA backup.
[Quoting s*****g, #7]
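An added example (my own Python model, not configuration or code from this thread) of the first-match crypto map behaviour behind reply #2's black hole, next to the one-entry-two-peers layout reply #7 and scenario 1 of reply #8 describe. The ACL networks, peer addresses and the dead-peer set are constructed placeholders.

```python
# Added example: model a Cisco-style crypto map lookup. Addresses are constructed.
from ipaddress import ip_address, ip_network

# Constructed "interesting traffic" ACL; both entries in the OP's map reference it.
ACL = {"To_Providence": [("10.1.0.0/16", "10.2.0.0/16")]}

def acl_permits(acl_name, src, dst):
    """First-match evaluation of a crypto ACL (permit lines only)."""
    for s_net, d_net in ACL[acl_name]:
        if ip_address(src) in ip_network(s_net) and ip_address(dst) in ip_network(d_net):
            return True
    return False

def select_peer(crypto_map, src, dst, dead_peers, dpd=False):
    """Walk entries in sequence order. The FIRST entry whose ACL permits the flow
    owns it; a later entry with the same ACL is never consulted, so it cannot act
    as a backup. Within an entry, peers are tried in order; without DPD the router
    keeps using the first peer even though its SA is dead (reply #2's black hole)."""
    for seq in sorted(crypto_map):
        entry = crypto_map[seq]
        if not acl_permits(entry["match"], src, dst):
            continue
        for peer in entry["peers"]:
            if dpd and peer in dead_peers:
                continue            # DPD declared this peer dead: try the next one
            return seq, peer        # traffic is encrypted towards this peer
        return seq, None            # every peer of the owning entry is dead
    return None, None               # no entry matched: not IPsec traffic at all

# The OP's layout: two entries, same ACL, one peer each.
TWO_ENTRIES = {
    6: {"match": "To_Providence", "peers": ["203.0.113.1"]},
    7: {"match": "To_Providence", "peers": ["203.0.113.2"]},
}
# Reply #7's layout: one entry, two peers, DPD enabled on the spoke.
ONE_ENTRY_TWO_PEERS = {
    6: {"match": "To_Providence", "peers": ["203.0.113.1", "203.0.113.2"]},
}

def demo():
    dead = {"203.0.113.1"}   # constructed: peer 1 moved away, its SA not yet expired locally
    flow = ("10.1.5.5", "10.2.8.8")
    no_dpd = select_peer(TWO_ENTRIES, *flow, dead, dpd=False)        # black-holed on peer 1
    with_dpd = select_peer(TWO_ENTRIES, *flow, dead, dpd=True)       # entry 7 still unused
    one_entry = select_peer(ONE_ENTRY_TWO_PEERS, *flow, dead, dpd=True)  # fails over
    return no_dpd, with_dpd, one_entry

if __name__ == "__main__":
    print(demo())  # ((6, '203.0.113.1'), (6, None), (6, '203.0.113.2'))
```

The middle result shows why DPD alone does not rescue the OP's layout: entry 6 still owns the flow, so detecting the dead peer only leaves it with no peer rather than handing the flow to entry 7.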