Topic: Second VPN tunnel

[deanb]

Hello..

Currently i have this situation: each remote VPN site has default route through tunnel interface 0.0.0.0/0 tunnel.1. So all traffic is routed through one point (vpn-center) out to the internet and all traffic between sites is routed through vpn-center (MPLS).

It possible to create second VPN tunnel between two sites so (vpn r3 & vpn r4) traffic will not go through vpncenter.




I'll add secondary IP on trust interface in order to separate network.

site vpn3
primary ip 192.168.5.1/24
secondary ip 10.1.1.1/24
adding static dst route 192.168.1.0/24 goes through tunnel.1
adding static dst route 10.1.2.0/24 goes through tunnel.2

site vpn4
primary ip 192.168.3.1/24
secondary ip 10.1.2.1/24
adding static dst route 192.168.1.0/24 goes through tunnel.1
adding static dst route 10.1.1.0/24 goes through tunnel.2

the 192.168.1.0/24 is my vpncenter.

Will this work?

[kontra]

This might sound like a stupid question.  But can you get give more detail on the links between sites?
 or are the sites only connect at Provider L3 MPLS ?  Because if so the provider should be able to configure LSP between the sites for you .  besides just having one LSP for the VPN Center and another for internet.

Also besides all that your configuration looks good you want just need to setup the phase 1 and phase 2 .

[marty]

Your VPN should work there does not seem to be any issue in it not working.

[deanb]

Hi

finally i found some time...The VPN goes up, traffic goes only one way.

Pinging to remote site 20.1.2.2...Traffic goes through.

****** 28578.0: <Trust/trust> packet received [128]******
  ipid = 1717(06b5), @0366b6d0
  packet passed sanity check.
  trust:20.1.2.2/1024->192.168.3.1/13164,1(0/0)<Root>
  existing session found. sess token 2
  flow got session.
  flow session id 1305
  prepare route
  search route to (20.1.2.2->192.168.3.1) in vr trust-vr for vsd-0/flag-3000/ifp
-tunnel.2
 no route to (20.1.2.2->192.168.3.1) in vr trust-vr/0
  post addr xlation: 20.1.2.2->192.168.3.1.
  going into tunnel 40000006.
  flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000006
(vn2)  doing ESP encryption and size =136
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
        put packet(382d618) into flush queue.
        remove packet(382d618) out from flush queue.
        put packet(382d618) into flush queue.
        remove packet(382d618) out from flush queue.
--- more ---

Pinging from remote site 20.1.3.2..Traffic does not go through.

****** 19678.0: <Trust/trust> packet received [128]******
  ipid = 9224(2408), @0363c3f0
  packet passed sanity check.
  trust:20.1.3.2/1024->192.168.5.1/4064,1(0/0)<Root>
  existing session found. sess token 2
  flow got session.
  flow session id 1096
  prepare route
  search route to (20.1.3.2->192.168.5.1) in vr trust-vr for vsd-0/flag-2000/ifp
-tunnel.2
  route 192.168.5.1->0.0.0.0, to tunnel.1
  dynamic route from tunnel 40000003## 22:27:07 : NHTB entry search no found: vp
n none tif tunnel.1 nexthop 192.168.5.1
 to 40000001.
  route to 192.168.5.1
 going to into tunnel.
  post addr xlation: 20.1.3.2->192.168.5.1.
  going into tunnel 40000001.
  flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000001
(vn2)  doing ESP encryption and size =136
ipsec encrypt prepare engine done
ipsec encrypt set engine done
chip info: PIO. Tunnel id 00000001
(vn2)  doing ESP encryption and size =136
ipsec encrypt prepare engine done
ipsec encrypt set engine done
--- more ---
ipsec encrypt engine released
ipsec encrypt done
        put packet(3808e38) into flush queue.
        remove packet(3808e38) out from flush queue.

I think that there is a routing problem. Traffic goes from Site B to Site A through tunnel.1 interface and not through tunnel.2:

..going to into tunnel.
  post addr xlation: 20.1.3.2->192.168.5.1.
  going into tunnel 40000001...

I'm using multiple vr's (untrust-vr/untrust zone, trust-vr/trustz one). The route table looks like this

site A
untrust-vr
1.1.1.253/30 -untrust int
0.0.0.0/0 - gw 1.1.1.254

trust-vr
192.168.3.1/24 - trust int
0.0.0.0/0 - gw tunnel.1
20.1.3.1/29 - trust int
20.1.2.0/29 - tunnel.2

and site B
untrust-vr
1.2.1.1/30 - untrust int
0.0.0.0/0 - gw 1.2.1.2

trust-vr
192.168.5.1/24 - trust int
0.0.0.0/0 - gw tunnel.1
20.1.2.1/29 - trust int
20.1.3.0/29 - tunnel.2

Tunnel id 00000006 is my vpn_test and tunnel id 00000001 is my primary tunnel to the center.