Redundant link over VPN

May 17th, 2007

Hi,

Can anyone point me to an example of what we want to achieve?


We have a site to site wireless link that we want to implement a backup solution for if the wireless goes down. The idea is to use ADSL site to site VPN over the Internet.


I am stuck for ideas on how to do this and have tried it in a lab but cannot get traffic to pass through the tunnel. I have set up site to site before but this is different. Should we be using a routing protocol, or will secondary routes do the trick?


There must be some configs on Cisco's web site but I cannot find them.


We have two 1801s with ADSL interfaces in them and the idea was to plug the bridges into the WAN FE0.


Any suggestions would help.

Thanks

Scotty

spremkumar Fri, 05/18/2007 - 03:31

Hi


Can you post the config here?


If you have your primary link connected on the Ethernet interface then you need to run an additional tracking mechanism to detect the failure and make your secondary path carry the traffic.


regds
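
One form the tracking mechanism mentioned above can take is an IP SLA probe tied to the primary static route, with a floating static route as backup. This is an added example, not a config from this thread: the 172.16.0.2 address, the Dialer0 interface name and the /24 masks are assumptions.

```cisco
! Added example; addresses and interface names are assumptions,
! not the poster's configuration.
!   10.24.1.0/24 = remote site LAN (network from the thread, mask assumed)
!   172.16.0.2   = remote router's address across the wireless bridges (constructed)
!   Dialer0      = ADSL interface carrying the site to site VPN (assumed name)
!
! Probe the remote router across the bridges. FastEthernet0 stays up/up when
! the radio link drops, so interface state alone never withdraws the primary route.
ip sla 1
 icmp-echo 172.16.0.2 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! The track object follows the probe result. The delays damp flapping on a
! marginal radio link, so fail-back waits until the link has been stable.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary route: installed only while the probe succeeds.
ip route 10.24.1.0 255.255.255.0 172.16.0.2 track 1
!
! Backup route: floating static (administrative distance 250) out the ADSL
! interface. It enters the routing table only when the tracked route is removed,
! and the traffic must still match the crypto map ACL on that interface so it
! leaves encrypted rather than in the clear.
ip route 10.24.1.0 255.255.255.0 Dialer0 250
!
! Verify with: show track 1, show ip route 10.24.1.0, show crypto ipsec sa
```

Older 12.4 releases spell these commands `ip sla monitor 1` and `track 1 rtr 1 reachability`. The same configuration is mirrored on the remote router with the addresses reversed.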


scottyd Fri, 05/18/2007 - 04:00

Hi,

Thanks for looking at this for me. I am really stuck.


I have tried using RIP and then a floating static route.


The scenario is that I want to connect two sites with a wireless link and have a backup via VPN over ADSL. I have set up the routers so that fe0 on each router are plugged in together as if they had a wireless bridge each. Because I am in a lab and don't have two ADSL lines to test, I have set up VLANs on the switches with a hub in between.


The problem now is that the traffic goes over the fe 0 links but I still see traffic being decrypted by the VPN, but not encrypted. This happens after I shut down the fe 0 and it fails over to the VPN. The VPN works fine, but it is not failing back properly. If I shut down vlan7 then it breaks the traffic somehow.


I have attached both configs and also the output from show crypto ipsec sa.


Any input would be greatly appreciated.

Scotty



Hello.


Are there only the two sites?


Based on the configurations, which I hope I read correctly, you want to route the 192.168.x.x networks over one link (wireless) and, should the link fail, use the other path.


There are a number of ways to achieve this.


You could simply (based on your lab) have a default route pointing down the redundant path. If RIP lost the route then it would route accordingly.


In these types of scenarios, using policy routing on your VLAN interfaces you can dictate very well the next hop.


I had something similar whereby I had a distribute list for RIP allowing routes out the primary link but not the secondary.


The secondary link only advertised the address for the VPN peer.


I then used policy routing to direct my traffic based on not seeing the route via RIP.


Refer to

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml


I really like this for simple environments.


Hope that helps.

scottyd Thu, 05/24/2007 - 17:20

Hi,

Thanks for that information.

Actually I want to route the 10.1.1.x and 10.24.1.x networks.

I think I have done it though, using OSPF.

I found that with RIP, it was not working right unless the interface went down. With OSPF it takes ten seconds to fail over to the VPN (over the VLANs).

However I can see how policy based routing can be used with a quicker failover, and I may end up using it in the live environment.

Thanks again.
