How to load balance between 2 GRE/IPSEC tunnels

Difan Zhao · ‎05-21-2008

I have a Cisco 1811 at a SOHO office. It has 2 router ports and 8 switch ports. Currently one of its 2 router ports is connecting with an ADSL ISP and another one is disabled. A GRE/IPSEC VPN is setup on this Internet connection to the Head Office.

I want to increase the bandwidth between HO and SOHO. It's too expensive to change the existing ADSL to a fiber or wireless high speed. So I want to introduce another ADSL line to another router port. Is that possible to setup another tunnel on the new ADSL and load balance the existing tunnel with the new tunnel? Thanks!

andrew.prince · ‎05-22-2008

I have not tried this - but can't see a reason why not.

You just need to use diff IP addresses for the source/destionation of the tunnels, and point them out of the devices onto the seperate ISP D/G?

Then the ACL for interesting traffic, will fire up that particular tunnel - I would take it a step further and use a dynamic routing protocol, making sure the metrics were equal on both tunnels......hey presto load balenced VPN's!

HTH.

Difan Zhao · ‎05-27-2008

Actually the problem is even before VPN setup...

Let's say two ports have public IP A.A.A.A and B.B.B.B respectively, and their default gateways are A.A.A.1 and B.B.B.1 respectively.

The problem now is that the router only injects one default gateway to its routing table. Let's say it use A.A.A.1 as the default route.

Let's say the HO's IP is C.C.C.C. What happened is for the first tunnel from A.A.A.A to C.C.C.C, it's fine and tunnel can be built without problems. However for the second tunnel from B.B.B.B to C.C.C.C, because the default gateway is still A.A.A.1, the actual tunnel traffic will still go through port#1 A.A.A.A to C.C.C.C, but not through B.B.B.1 directly! Then all the traffic will still use only one port for VPN traffic...