Eudemon1000E - Multiple IKE Peers

Created: Feb 25, 2020 17:04:46 | Latest reply: Feb 29, 2020 00:54:15
  Rewarded HiCoins: 0 (problem resolved)

Hi Team, 

Following is the IPsec config I have on Eudemon1000E.

I want to add another peer for failover purposes, but I can't add another "remote-address" under the same ike peer as it will replace the existing peer. But I can do this on an ASR1200 router.


What I'm thinking of doing is to create another ike peer with the failover IP and call it under the current IPSec Policy. 


Current Setup

ike proposal 30
 encryption-algorithm aes-cbc 256
 dh group2

ipsec proposal aes-sha1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes 256

ike peer TKT
 pre-shared-key simple TKT2020
 ike-proposal 30
 undo version 2
 remote-address 1.1.1.1  <<<<<<<<<<<<<<<<<<<<< I can't add another remote-address as the current IP will be replaced.

ipsec policy TKT 1 isakmp
 security acl 3035
 pfs dh-group5
 ike-peer TKT
 alias TKT_1
 proposal aes-sha1
 sa duration time-based 3600

interface Tunnel50
 description TKT
 alias Tunnel50
 ip address unnumbered interface LoopBack10
 tunnel-protocol ipsec
 ipsec policy TKT alone


Proposed Setup

ike proposal 30
 encryption-algorithm aes-cbc 256
 dh group2

ipsec proposal aes-sha1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes 256

ike peer TKT
 pre-shared-key simple TKT2020
 ike-proposal 30
 undo version 2
 remote-address 1.1.1.1

ike peer TKT2                                                   New IKE peer
 pre-shared-key simple TKT2020
 ike-proposal 30
 undo version 2
 remote-address 2.2.2.2

ipsec policy TKT 1 isakmp
 security acl 3035
 pfs dh-group5
 ike-peer TKT TKT2                             I'm thinking of calling both the ike peers under the main IPsec policy. Will this work?
 alias TKT_1
 proposal aes-sha1
 sa duration time-based 3600

interface Tunnel50
 description TKT
 alias Tunnel50
 ip address unnumbered interface LoopBack10
 tunnel-protocol ipsec
 ipsec policy TKT alone


=======================================================================


Will this work? Which ike peer will the Eudemon1000E use for the primary IPsec tunnel?

I want only one ike peer to be used at a given time, because the second peer is for the backup connection and I don't want to send IPsec traffic via the second peer while the primary peer is up.


Please help.


Featured Answers

Recommended answer

chenhui (Admin) Created Feb 26, 2020 02:48:24 Helpful(0)

All Answers
chenhui (Admin) Created Feb 26, 2020 02:40:58 Helpful(0)

Hello @KasunRajapakse,
I think this wouldn't work. How about configuring the P2MP IPSec tunnel?

chenhui (Admin) Created Feb 26, 2020 02:48:24 Helpful(0)


KasunRajapakse
KasunRajapakse Created Feb 27, 2020 09:21:28
Hi @chenhuichenhu,

Any update?

Thanks

KasunRajapakse Created Feb 26, 2020 09:26:03 Helpful(0)

Hi @chenhuichenhu,

This would require a lot of changes to my existing config on the firewall. Also, will this work since both destination peers will be online at the same time?
Can you let me know how I can accommodate the following script in my config?

[FW_B] ipsec smart-link profile pro1
[FW_B-ipsec-smart-link-profile-pro1] link 1 interface GigabitEthernet 1/0/1 local 1.1.1.1 nexthop 1.1.1.254 remote 3.3.3.3
[FW_B-ipsec-smart-link-profile-pro1] link 2 interface GigabitEthernet 1/0/2 local 2.2.2.2 nexthop 2.2.2.254 remote 3.3.3.3
[FW_B-ipsec-smart-link-profile-pro1] link-quality-detection interval 1 number 10
[FW_B-ipsec-smart-link-profile-pro1] auto-switch cycles 3
[FW_B-ipsec-smart-link-profile-pro1] link-quality-threshold loss 30
[FW_B-ipsec-smart-link-profile-pro1] link-quality-threshold delay 500

==============================
Also, what about the "ip-pool" option after "remote-address"?
Can we not create an IP pool with the remote peer IPs and call it under the current ike peer?

[Eudemon1000E-ike-peer-TKT]dis this
09:21:46  2020/02/26
#
ike peer TKT
pre-shared-key ************
ike-proposal 30
undo version 2
remote-address 1.1.1.1
#
return

[Eudemon1000E-ike-peer-TKT]remote-address ?
 X.X.X.X                 Specify the lowest IP address
 authentication-address  Specify the authentication IP address of the peer
 ip-pool                 Specify address pool
 vpn-instance            Specify a VPN-Instance



KasunRajapakse Created Feb 26, 2020 09:29:27 Helpful(0)

Also, the example you gave doesn't have different peer IPs.
They both have the same remote destination IP (3.3.3.3), but my requirement is different: I want to have 2 remote peers for the same IPsec policy.
URL : https://support.huawei.com/hedex/hdx.do?docid=DOC1100320299&id=sec_eudemon_ag_ipsec_0145_cli&lang=en

chenhui (Admin) Created Feb 28, 2020 01:43:47 Helpful(0)

Posted by KasunRajapakse at 2020-02-26 09:29 Also the example you had given doesn't have different peer IPs. They both have the same remote desti ...
So, it is the remote device which has two access points, right?
If so, you can configure two IPSec tunnels on the firewall and switch between them based on tracking the routes to the remote peer. Please refer to https://support.huawei.com/hedex/hdx.do?docid=DOC1100320299&id=dc_cfg_ipsec_example_0019&lang=en

KasunRajapakse Created Feb 28, 2020 10:54:53 Helpful(0)

Posted by chenhui at 2020-02-28 01:43 So, it is the remote device which have two access points, right?If so, you can configure two IPSec ...
Hi Chenhui,

Thank you. I saw this last night and was following this approach.
But I have one question.

destination 1.1.3.1 interface GigabitEthernet 1/0/1 next-hop 2.2.2.1

ip route-static 10.1.1.0 255.255.255.0 Tunnel 1 preference 10 track ip-link n1
ip route-static 10.1.1.0 255.255.255.0 Tunnel 2 preference 20

When the primary link comes back online (1.1.3.1), will the firewall put traffic back onto Tunnel 1? Will the first static route be preferred again?

chenhui (Admin) Created Feb 29, 2020 00:54:15 Helpful(0)

Posted by KasunRajapakse at 2020-02-28 10:54 Hi Chenhui, Thank you. I saw this last night and was following this approach. But I have one quest ...
Yes, it will.
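The two failover mechanisms discussed in this thread (the smart-link profile's loss threshold and switch cycles, and the floating static routes with an ip-link track) can be modelled in a few lines. The block below is an added example, not Huawei's implementation nor anything from the posts: it treats a link as failed after three consecutive probe cycles whose loss is above the threshold (the exact comparison and the recovery damping are assumptions), and installs the preference-10 route only while its track is up, so the preference-20 route carries traffic during the outage and is displaced again as soon as the primary recovers, which is the behaviour the last answer confirms.

```python
"""Constructed model of the two failover mechanisms discussed in this thread
(not Huawei's implementation): a link-quality detector shaped like the
'ipsec smart-link profile' thresholds, and floating static routes where the
preferred route is installed only while its ip-link track is up."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LinkQualityDetector:
    """Models 'link-quality-detection interval 1 number 10',
    'link-quality-threshold loss 30' and 'auto-switch cycles 3'.
    Assumption: a cycle is 'bad' when loss is strictly above the threshold,
    and the link is declared failed after switch_cycles consecutive bad cycles."""
    probes_per_cycle: int = 10
    loss_threshold_pct: int = 30
    switch_cycles: int = 3
    bad_cycles: int = 0

    def evaluate_cycle(self, replies_received: int) -> bool:
        """Feed one probe cycle's reply count; return True if the link counts as failed."""
        lost = self.probes_per_cycle - replies_received
        loss_pct = 100 * lost // self.probes_per_cycle
        if loss_pct > self.loss_threshold_pct:
            self.bad_cycles += 1
        else:
            # Assumption: one clean cycle resets the counter (a real device may damp recovery).
            self.bad_cycles = 0
        return self.bad_cycles >= self.switch_cycles


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    interface: str
    preference: int              # lower wins, as with 'preference 10' vs 'preference 20'
    track: Optional[str] = None  # ip-link name; None means the route is never withdrawn


def select_route(routes: List[StaticRoute], prefix: str,
                 link_up: Dict[str, bool]) -> Optional[StaticRoute]:
    """Return the active route for prefix: lowest preference among routes
    whose track is up (untracked routes are always candidates)."""
    candidates = [r for r in routes
                  if r.prefix == prefix and (r.track is None or link_up.get(r.track, False))]
    return min(candidates, key=lambda r: r.preference) if candidates else None


# The two floating static routes from the thread, expressed as data.
ROUTES = [
    StaticRoute("10.1.1.0/24", "Tunnel 1", 10, track="n1"),
    StaticRoute("10.1.1.0/24", "Tunnel 2", 20),
]


def run_failover_scenario(replies_per_cycle: List[int]) -> List[str]:
    """Drive ip-link n1 from a constructed probe history and record which
    tunnel carries 10.1.1.0/24 after each cycle."""
    detector = LinkQualityDetector()
    chosen = []
    for replies in replies_per_cycle:
        failed = detector.evaluate_cycle(replies)
        route = select_route(ROUTES, "10.1.1.0/24", {"n1": not failed})
        chosen.append(route.interface if route else "none")
    return chosen


if __name__ == "__main__":
    # Constructed history: healthy, then three lossy cycles, then recovery.
    for cycle, iface in enumerate(run_failover_scenario([10, 10, 4, 3, 2, 10, 10]), 1):
        print(f"cycle {cycle}: 10.1.1.0/24 via {iface}")
```

Running the scenario shows the route staying on Tunnel 1 through the first two lossy cycles (the switch threshold has not yet been reached), moving to Tunnel 2 on the third, and returning to Tunnel 1 on the first clean cycle; in practice, check the device's own recovery timers before assuming the switch-back is that immediate.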
