I think you want the next hop in your route-maps to be 192.168.10.2 and 192.168.20.2 respectively. Send it through the GRE tunnel.
Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177
Cell: 770-490-3071
Pager: 888-260-2050

-----Original Message-----
From: CCNP .CA [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 19, 2003 9:15 AM
To: [EMAIL PROTECTED]
Subject: IPSEC with 2 ISPs to Single destination [7:74173]

Configuration setup. Site to site vpn.

     /----- ISP 1
R1 -------ISP 2      ISP 3 --- R3

Physical Interfaces:
R1 has 2 interfaces connected to 2 ISPs.
R3 has 1 interface connected to 1 ISP.

Logical:
R1 has 2 IPSEC encapsulated GRE tunnels to R3. 1 Single Endpoint.
R3 has 2 IPSEC encapsulated GRE tunnels to R1. 2 different Endpoints.

The problem:
Getting R1 to forward IPSEC traffic to separate ISPs according to Source, since the destination is the same (R3).

I tried routemap (see R1 config) but IPSEC is performed after routemap. The 2 IPSEC tunnel traffic (i.e. from 100.100.100.1 to 50.50.50.3 and 200.200.200.1 to 50.50.50.3) both go to one ISP or the other if I have a default route in there.

How do I get traffic from 100.100.100.1 to go to ISP1, and from 200.200.200.1 to go to ISP 2?

######### R1 Router. 2 ISP interfaces. 2 Tunnel interfaces.
!
version 12.3
!
hostname R1
!
!
ip subnet-zero
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc123 address 50.50.50.50
!
!
crypto ipsec transform-set myTrans esp-3des esp-md5-hmac
!
crypto map myMap local-address Ethernet1/0
crypto map myMap 1 ipsec-isakmp
 set peer 50.50.50.3
 set transform-set myTrans
 match address 100
!
crypto map myMap2 local-address Ethernet1/1
crypto map myMap2 1 ipsec-isakmp
 set peer 50.50.50.3
 set transform-set myTrans
 match address 101
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.10.1 255.255.255.0
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.1.3
 crypto map myMap
!
interface Tunnel1
 ip address 192.168.20.1 255.255.255.0
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.2.3
 crypto map myMap2
!
interface Ethernet0/0
 description R1 Internal LAN
 ip address 20.20.20.0 255.255.255.0
 half-duplex
!
!
interface Ethernet1/0
 ip address 100.100.100.1 255.255.255.0
 half-duplex
 crypto map myMap
!
interface Ethernet1/1
 ip address 200.200.200.1 255.255.255.0
 half-duplex
 crypto map myMap2
!
ip local policy route-map myRoute
!
ip classless
ip route 10.10.10.0 255.255.255.0 Tunnel0
ip route 10.10.10.0 255.255.255.0 Tunnel1
ip route 10.10.10.0 255.255.255.0 Null0 150
ip route 192.168.1.3 255.255.255.255 Ethernet1/0
ip route 192.168.2.3 255.255.255.255 Ethernet1/1
!
!
access-list 100 permit gre host 192.168.1.1 host 192.168.1.3
access-list 101 permit gre host 192.168.1.1 host 192.168.2.3
!
access-list 188 permit ip host 100.100.100.1 any
access-list 199 permit ip host 200.200.200.1 any
!
route-map myRoute permit 10
 match ip address 188
 set ip next-hop 100.100.100.2
!
route-map myRoute permit 20
 match ip address 199
 set ip next-hop 200.200.200.2
!
!
!
dial-peer cor custom
!
!
line con 0
line aux 0
line vty 0 4
 no login
!
!
end

R1#

######### R2 ISP Router -- Simulating ISP connections.
version 12.3
!
hostname R2
!
!
ip subnet-zero
!
!
interface Ethernet0/0
 description to Router R3
 ip address 50.50.50.2 255.255.255.0
 no ip proxy-arp
 half-duplex
!
interface Ethernet1/0
 description to Router 1 E1/0
 ip address 100.100.100.2 255.255.255.0
 no ip proxy-arp
 half-duplex
!
interface Ethernet1/1
 description to Router 1 E1/1
 ip address 200.200.200.2 255.255.255.0
 no ip proxy-arp
 half-duplex
!
ip classless
!
!
!
line con 0
line aux 0
line vty 0 4
end

R2#

######### R3 Router - Single ISP connection. Two tunnel interfaces.
version 12.3
!
hostname R3
!
!
ip subnet-zero
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc123 address 100.100.100.1
crypto isakmp key abc123 address 200.200.200.1
!
!
crypto ipsec transform-set myTrans esp-3des esp-md5-hmac
!
crypto map myMap local-address Ethernet1/0
crypto map myMap 10 ipsec-isakmp
 set peer 100.100.100.1
 set transform-set myTrans
 match address 100
crypto map myMap 20 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set myTrans
 match address 101
!
!
!
interface Loopback0
 ip address 192.168.1.3 255.255.255.255
!
interface Loopback1
 ip address 192.168.2.3 255.255.255.255
!
interface Tunnel0
 ip address 192.168.10.3 255.255.255.0
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.1.1
 crypto map myMap
!
interface Tunnel1
 ip address 192.168.20.3 255.255.255.0
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 192.168.1.1
 crypto map myMap
!
interface Ethernet0/0
 description to Internal LAN
 ip address 10.10.10.1 255.255.255.0
 half-duplex
!
interface Ethernet1/0
 ip address 50.50.50.3 255.255.255.0
 half-duplex
 crypto map myMap
!
!
ip classless
ip route 20.20.20.0 255.255.255.0 Tunnel0
ip route 20.20.20.0 255.255.255.0 Tunnel1
ip route 192.168.1.1 255.255.255.255 Ethernet1/0
!
!
access-list 100 permit gre host 192.168.1.3 host 192.168.1.1
access-list 101 permit gre host 192.168.2.3 host 192.168.1.1
!
!
line con 0
line aux 0
line vty 0 4
!
end

R3#

**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74187&t=74173
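
The forwarding problem described in the quoted post above, as an added example that is not part of the original thread: a simplified Python model (not IOS behaviour verified on a router) built from the addresses in the posted R1 configuration. It shows why access-lists 188 and 199 never match when the route-map is evaluated before IPsec. The function names and the default route toward ISP 1 are assumptions made for illustration.

```python
import ipaddress

# Values copied from the posted R1 configuration.
POLICY = {  # route-map myRoute: ACL source host -> "set ip next-hop"
    "100.100.100.1": "100.100.100.2",  # access-list 188, permit 10
    "200.200.200.1": "200.200.200.2",  # access-list 199, permit 20
}
TUNNELS = {  # GRE destination -> (crypto map local-address, IPsec peer)
    "192.168.1.3": ("100.100.100.1", "50.50.50.3"),  # Tunnel0 / myMap
    "192.168.2.3": ("200.200.200.1", "50.50.50.3"),  # Tunnel1 / myMap2
}
GRE_SOURCE = "192.168.1.1"  # Loopback0, tunnel source for both tunnels
# Assumption: the default route the poster mentions points at ISP 1.
ROUTES = [("0.0.0.0/0", "100.100.100.2")]


def route_lookup(dst, routes=ROUTES):
    """Destination-only longest-prefix match; returns the next hop or None."""
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop)
    return best[1] if best else None


def policy_then_encrypt(gre_dst):
    """Order the poster reports: route-map sees the GRE packet, then IPsec."""
    policy_hit = POLICY.get(GRE_SOURCE)      # source is 192.168.1.1: no match
    esp_src, esp_dst = TUNNELS[gre_dst]      # encryption changes the source
    return esp_src, policy_hit or route_lookup(esp_dst)


def encrypt_then_policy(gre_dst):
    """Desired result: the policy is matched against the ESP outer source."""
    esp_src, esp_dst = TUNNELS[gre_dst]
    return esp_src, POLICY.get(esp_src) or route_lookup(esp_dst)


def egress_table(forward):
    """Map each ESP source address to the next hop it is sent to."""
    return dict(forward(gre_dst) for gre_dst in TUNNELS)


if __name__ == "__main__":
    print("policy before IPsec:", egress_table(policy_then_encrypt))
    print("policy after IPsec: ", egress_table(encrypt_then_policy))
```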

