Routing vs IPSEC

Unanswered Question
Aug 29th, 2007


I have a scenario in which I need to configure IPSEC VPN as a failover to the existing MPLS connection between any branch and the HO.

My question is how do I give more priority to the routing traffic and less priority to the VPN traffic. The tunnel will only establish when the MPLS connection fails.



Jon Marshall Wed, 08/29/2007 - 22:32

It all depends on your topology. Are you creating the VPN from the same router that connects you to the MPLS network?

Could you please give a few more details, i.e. which devices you use, routing protocol in use etc.


sathyahemanth Wed, 08/29/2007 - 22:42

Hi Marshall,

Thanks for the reply.

We have a router at the branch upon which both the MPLS and the internet connections are being terminated.

In case of MPLS failure all the data going out to the internet will be encrypted after the tunnel is formed. Encrypted traffic is sent to the HO from where traffic goes to the servers or the internet.

On the router at the branch we will have to use the static routes and I am not sure as of now which routing protocol the ISP is going to use for connectivity to the HO. It could be the MPLS or the frame-relay.

At the HO the client does have an ASA firewall, upon which both the MPLS/frame-relay and the internet connections terminate.

There could be some 35 to 40 locations connected as the MPLS spokes, and we have to configure IPSEC VPN as the failover to the MPLS connection.



rkazmierczak Thu, 08/30/2007 - 04:14


For MPLS, you will probably have BGP learned routes in the routing table with AD of 20. When the MPLS link fails all these routes will disappear. So you have two options:

1. configure static routes for each remote branch with a higher distance pointing to the internet (router's DG)

2. or you could have GRE encrypted tunnels to the branches that would be up all the time and run e.g. OSPF over it.

If BGP routes are removed the OSPF routes will get installed.

The GRE solution is probably more elegant, especially now when you can use ipsec profiles instead of full crypto maps, which for 30 locations would be a bit of a pain to configure :)
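As an added example (not from the thread), this is a branch-side Cisco IOS configuration for the second option above: an always-up GRE tunnel protected by an IPsec profile, with OSPF inside it so that its routes (AD 110) only win once the eBGP routes (AD 20) from the MPLS PE disappear. It assumes IOS 15.x syntax and constructed addresses (HO tunnel peer 203.0.113.1, ISP next hop 198.51.100.1, branch LAN 192.168.10.0/24), and that a router, not the ASA, terminates the GRE side at the HO, since a classic ASA cannot terminate GRE.

```cisco
! Branch router. MPLS side (eBGP to the PE, AD 20) is unchanged and not shown.
! All names and addresses below are constructed for this example.

! IKE and IPsec policy for the tunnel to the HO router
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
! IPsec profile: applied to the tunnel interface instead of a per-peer crypto map
crypto ipsec profile VPN-PROF
 set transform-set TS-AES256

! GRE tunnel, up all the time; OSPF hellos ride inside it
interface Tunnel0
 description GRE/IPsec backup to HO (always up)
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile VPN-PROF

! Host route to the tunnel peer via the Internet link, so the tunnel endpoint
! is never reached through MPLS (avoids recursive routing when BGP is up)
ip route 203.0.113.1 255.255.255.255 198.51.100.1

! OSPF over the tunnel: HO prefixes and the default are learned at AD 110.
! While MPLS is up, the same prefixes exist via eBGP at AD 20 and win;
! when the MPLS link fails, the OSPF routes are installed and traffic
! takes the already-established tunnel (failover time = OSPF dead timer).
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0

! Option 1 alternative (no OSPF): a floating static route with AD 250 that
! only enters the table once the AD 20 BGP route for 10.0.0.0/8 is gone.
! ip route 10.0.0.0 255.0.0.0 Tunnel0 250
```

Verify with `show ip route` that HO prefixes show `B` (AD 20) while MPLS is up and switch to `O` (AD 110) after the MPLS interface is shut; `show crypto ipsec sa` should show the SA established before the failover, not during it.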

