I have two 3448's, both now have two internet connections and two vlans. Each vlan uses a different WAN through PBR and that is working. I have two VPN tunnels, one for each vlan, each going over a different WAN. The first VPN, for the Voice vlan 110 that is using the main WAN on each side, works; the second VPN, for the vlan 100, will not come up. I have the settings for the tunnel the same for both, but even when I try to ping to initiate the tunnel, just like I did for the first tunnel, I get nothing. I did a debug crypto on all the sub-elements and nothing displays; unlike the other one, there is no attempt to bring the tunnel up. Because I am using PBR for the WAN on vlan 100, is there something more I have to do? Here is the config:
```
!
! ADTRAN, Inc. OS version R10.6.0.E
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448, part number 1200821E1
! Serial number LBADTN1340AR588
!
!
hostname "NV3448-BRD"
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip default-gateway 123.123.12.165
ip routing
ipv6 unicast-routing
!
!
name-server 4.2.2.2 8.8.8.8
!
ip local policy route-map DATA-Map
!
no auto-config
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
service password-encryption
!
banner motd #
#
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
ip dhcp database local
ip dhcp excluded-address 172.16.10.1 172.16.10.49
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool "Data"
network 192.168.1.0 255.255.255.0
dns-server 4.2.2.2 8.8.8.8
default-router 192.168.1.1
!
ip dhcp pool "Voice"
network 172.16.10.0 255.255.255.0
dns-server 4.2.2.2 8.8.8.8
default-router 172.16.10.2
!
ip crypto
!
crypto ike policy 100
initiate main
respond anymode
local-id address 123.123.12.166
peer 44.44.1.178
attribute 1
encryption 3des
hash md5
authentication pre-share
!
crypto ike policy 101
initiate main
respond anymode
local-id address 123.123.112.146
peer 99.99.99.99
attribute 1
encryption 3des
hash md5
authentication pre-share
!
crypto ike remote-id address 44.44.1.178 preshared-key pppppppp ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id address 99.99.99.99 preshared-key pppppppp ike-policy 101 crypto map VPN1 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
crypto map VPN 10 ipsec-ike
description Janesville Voice
match address VPN-10-vpn-selectors
set peer 44.44.1.178
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
!
crypto map VPN1 10 ipsec-ike
description Janesville Data
match address VPN1-10-vpn-selectors
set peer 99.99.99.99
set transform-set esp-3des-esp-md5-hmac
ike-policy 101
!
!
!
!
vlan 1
name "Default"
!
vlan 100
name "Data"
!
vlan 110
name "Voice"
!
!
!
no ethernet cfm
!
interface eth 0/1
description Charter WAN
ip address 123.123.12.166 255.255.255.252
ip mtu 1500
ip access-policy Public1
crypto map VPN
no shutdown
!
!
interface eth 0/2
description Charter WAN
ip address 123.123.112.146 255.255.255.252
ip mtu 1500
ip access-policy Public2
crypto map VPN1
no shutdown
!
!
!
interface switchport 0/1
description Link to Switch
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/2
description Audiocodes
spanning-tree edgeport
no shutdown
switchport access vlan 110
qos default-cos 7
!
interface switchport 0/3
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/4
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/5
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/6
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/7
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/8
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
!
!
interface vlan 1
no ip address
shutdown
!
interface vlan 100
description Data
ip address 192.168.1.2 255.255.255.0
no ip proxy-arp
ip policy route-map DATA-Map
ip mtu 1500
ip access-policy Private
no rtp quality-monitoring
no awcp
no shutdown
!
interface vlan 110
description Voice
ip address 172.16.10.2 255.255.255.0
no ip proxy-arp
ip mtu 1500
ip access-policy Private
no rtp quality-monitoring
no awcp
no shutdown
!
!
!
!
route-map DATA-Map permit 10
match ip address DataInt
set ip next-hop 123.123.112.145
!
!
!
!
ip access-list extended DataInt
deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log
deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 log
deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255 log
deny ip 192.168.0.0 0.0.0.255 172.16.10.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255 log
deny ip 192.168.1.0 0.0.0.255 172.16.10.0 0.0.0.255 log
deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255 log
deny ip 172.16.0.0 0.0.0.255 172.16.10.0 0.0.0.255 log
deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log
deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255 log
deny ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.0.255 log
deny ip 172.16.10.0 0.0.0.255 172.16.10.0 0.0.0.255 log
deny ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.0.255 log
deny ip 172.16.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit ip any any log
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors
permit ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.0.255
!
ip access-list extended VPN1-10-vpn-selectors
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
ip access-list extended web-acl-6
remark NAT Public 1
permit ip any any log
!
ip access-list extended web-acl-7
remark NAT Public 2
permit ip any any log
!
ip policy-class Private
allow list VPN1-10-vpn-selectors stateless
allow list VPN-10-vpn-selectors stateless
allow list self self
nat source list web-acl-6 interface eth 0/1 overload policy Public1
nat source list web-acl-7 interface eth 0/2 overload policy Public2
!
ip policy-class Public1
allow reverse list VPN-10-vpn-selectors stateless
!
ip policy-class Public2
allow reverse list VPN1-10-vpn-selectors stateless
!
ip route 0.0.0.0 0.0.0.0 123.123.12.165
ip route 0.0.0.0 0.0.0.0 123.123.112.145 5
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
ip sip udp 5060
ip sip tcp 5060
!
```
I know this is a year old, but did you get this to work? I am about to implement this same exact scenario - my config is almost identical to yours, so I'm guessing I will have the same problem.
If you use the same config as the one posted, it will not work.
There should be a dedicated static route for the 2nd VPN if you want both tunnels up at the same time. Just because the crypto map is on the 2nd WAN interface doesn't mean the router will forward packets to the destination out that interface. You can use a PBR for this, but it must be used as the global policy and not be attached to an interface, as that will only apply the policy to packets matched coming into that interface.
You will also need a static route or PBR for the LOCAL traffic that is supposed to traverse the VPN, so that each network goes out the correct tunnel.
So, in general terms:
**ROUTES**
0.0.0.0 0.0.0.0 gateway1
0.0.0.0 0.0.0.0 gateway2 5 (weighted for failover, presumably. This could be better done through the WLR features of the router, using a track. When configured this way, the primary route only goes away if the interface goes down.)
VPN#1.DEST.IP 255.255.255.255 gateway1
VPN#2.DEST.IP 255.255.255.255 gateway2
172.16.0.0 255.255.255.0 gateway1 (this forces traffic to that interface and it will be matched by the crypto policy so it doesn't go public)
192.168.0.0 255.255.255.0 gateway2 (this forces traffic to that interface and it will be matched by the crypto policy so it doesn't go public)
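The general-terms route list above, filled in with the addresses from the posted config, as an added example (it is not the poster's config, the replier's, or anything from ADTRAN). It assumes the two next hops are the gateways already used by the posted default routes (123.123.12.165 on eth 0/1, 123.123.112.145 on eth 0/2), that 172.16.0.0/24 is the remote network behind peer 44.44.1.178 and 192.168.0.0/24 the one behind peer 99.99.99.99 (taken from the selector ACLs and crypto maps), and uses only the `ip route` form already present in the posted config:

```text
! Added example, not from the original post: static routes so that each peer
! and each remote LAN is reached via the WAN interface that carries the
! matching crypto map (VPN on eth 0/1, VPN1 on eth 0/2).
!
! Existing default routes (unchanged): primary via WAN1, weighted backup via WAN2
ip route 0.0.0.0 0.0.0.0 123.123.12.165
ip route 0.0.0.0 0.0.0.0 123.123.112.145 5
!
! Host routes for each IKE/IPsec peer, so the second tunnel is negotiated out
! eth 0/2 instead of following the default route out eth 0/1
ip route 44.44.1.178 255.255.255.255 123.123.12.165
ip route 99.99.99.99 255.255.255.255 123.123.112.145
!
! Routes for the remote LANs, so local traffic for each remote network reaches
! the interface whose crypto map selector ACL matches it (assumed mapping of
! remote LAN to peer, read from the selector ACLs and crypto maps)
ip route 172.16.0.0 255.255.255.0 123.123.12.165
ip route 192.168.0.0 255.255.255.0 123.123.112.145
```

The check that matters after adding these: a packet from 192.168.1.0/24 to 192.168.0.0/24 now leaves via eth 0/2, where `crypto map VPN1` is applied and `VPN1-10-vpn-selectors` permits exactly that source/destination pair, so it is encrypted rather than NATed out in the clear; and the IKE exchange to 99.99.99.99 is sourced from eth 0/2, which is what `crypto ike policy 101` expects with `local-id address 123.123.112.146`. With the posted config, the same `debug crypto` that showed negotiation for the first tunnel is the quickest way to confirm the second peer is now being contacted.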