Static Routing over VPN

Unanswered Question
Sep 18th, 2007

I have a 7206 router with an ISA VPN card in it. I want to use a static route to point traffic at a particular VPN.

The interface that all of the VPNs terminate on is fa0/0; it has the outside IP that the remote PIX501s negotiate ISAKMP etc. with.


I'm trying to troubleshoot an issue, but would like to clarify one thing before I move on.

If I just point the static route at the interface, will the router pick the correct VPN to put the traffic onto? How does it know? Does it go through all the IPsec SAs and determine which one to put the traffic into?


Setup:

Internal network > 7206 (VPN>>) > internet > (<<VPN)pix501 > 10.1.1.0

Example:

I want to put in a static saying that if the primary routes to this subnet disappear, use this static (VPN is being used as a backup in this case).

Would the following route work? This route will be redistributed to the rest of my internal network.

ip route 10.1.1.0 255.255.255.0 fa0/0 200


guibarati Tue, 09/25/2007 - 12:02

The route pointing to the interface works only when the interface has a /30 mask; then the interface has one IP, which leaves only one IP free for the gateway, as the network supports only 2 hosts.


If you have a route to another interface that is not fa0/0 with a lower cost, it will go there first; if it's down, it will go through fa0/0, and if you have the properly configured crypto ACL it will encrypt it and send it. The problem with this is when one side "thinks" the interface is down and the other side thinks it's up, so you will need some routing protocol on it or manual changing when the link goes down.

rtjensen4 Tue, 09/25/2007 - 13:30

I have rewritten my original post to make it a bit more clear and created a graphic:

Hi all,

I have a situation where I need to implement a backup solution over an internet VPN. The site has a T1 coming into a 7206 on my internal LAN (Router 1). Please see the attached graphic. When this T1 fails, the remote site router sends its traffic to a PIX501 to initiate a VPN over the internet to a different 7206 on my internal network (Router 2). The 7206 that the VPN terminates on has the VPN ISA card and uses a dynamic crypto map to act as a concentration point for many other VPNs.


The internal network runs EIGRP as well as my remote router.

I believe I have this solution setup correctly, but am not 100% certain and would like some reassurance. On the remote site router, when the primary T1 fails, the EIGRP routes will fall out, and a floating static default will kick in:

ip route 0.0.0.0 0.0.0.0 10.250.38.2 250

Causing all traffic to be sent to the PIX and across the VPN tunnel (PIX is configured to encrypt any traffic it sees).


On Router 2 on my internal network, I have put in a floating static saying:

ip route 10.250.38.0 255.255.255.0 fa0/0 250

To get to this subnet, send it out fa0/0. Fa0/0 is the external interface where all the crypto SAs etc. are done. So, when the T1 into Router 1 goes down, EIGRP will flush out the routes to 10.250.38.0, and Router 2 will put in and redistribute the above route to my internal network.


Does this look like it should work?



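As an added illustration (not configuration posted by anyone in this thread), here is what the Router 2 side of the setup above looks like in Cisco IOS syntax, covering both the original question (how the router picks the SA) and the rewritten post. Only 10.250.38.0/24, fa0/0, the dynamic crypto map and the administrative distance of 250 come from the thread; the outside addresses 198.51.100.1/198.51.100.2 (ISP next hop and fa0/0), the PIX outside address 203.0.113.50, the 10.0.0.0/8 internal range, the ACL and map names, the EIGRP AS number and the pre-shared key placeholder are all assumptions:

```cisco
! Router 2 (VPN concentrator, 7206). Added example; addresses are assumptions
! except 10.250.38.0/24, which is the remote LAN named in the thread.
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE-ME address 203.0.113.50
! Dead peer detection, so a PIX whose tunnel has silently died is noticed
! instead of traffic being black-holed into a stale SA.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL. THIS is what selects the SA: once routing sends a packet out
! fa0/0, the crypto map on fa0/0 is walked in sequence-number order and the
! first entry whose ACL permits the packet picks the peer. The static route
! only gets the packet to the interface; it knows nothing about SAs.
ip access-list extended VPN-REMOTE-SITE
 permit ip 10.0.0.0 0.255.255.255 10.250.38.0 0.0.0.255
!
! Dynamic entry: accepts negotiations the remote PIXes initiate. A dynamic
! entry can never initiate a tunnel from this side.
crypto dynamic-map DYN 10
 set transform-set TS
!
! Static entry for the backup site, so Router 2 can bring the tunnel up
! itself when the first packet after a T1 failure originates at HQ.
! Keep this ACL a mirror image of the PIX's crypto ACL for the same traffic.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.50
 set transform-set TS
 match address VPN-REMOTE-SITE
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPNMAP
!
! Floating static, AD 250: loses to EIGRP (AD 90) while the T1 route exists
! and is installed only when EIGRP withdraws 10.250.38.0/24. It points at
! the ISP next hop rather than at fa0/0 alone: a static route to an Ethernet
! interface with no next hop makes the router ARP for every destination
! address and relies on proxy ARP from the upstream device.
ip route 10.250.38.0 255.255.255.0 198.51.100.1 250
!
! Advertise the floating static to the internal network while it is active.
router eigrp 100
 redistribute static metric 1000 100 255 1 1500
```

Two things worth checking on a live box after a simulated T1 failure: `show ip route 10.250.38.0` should show the static with distance 250 installed, and `show crypto ipsec sa peer 203.0.113.50` should show the encaps counter rising for the local identity 10.0.0.0/8 and remote identity 10.250.38.0/24. If the route is present but the counter stays at zero, the packet is leaving fa0/0 in the clear because no crypto ACL matched it, which is the failure mode the interface-only route hides.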
JOHN SHOEMAKER Fri, 05/02/2008 - 11:48

Did you find a solution for this scenario? I have a very similar setup, and I would like to find a decent way to backup my frame network.
