How to load balance between 2 GRE/IPSEC tunnels

May 21st, 2008

I have a Cisco 1811 at a SOHO office. It has 2 router ports and 8 switch ports. Currently one of its 2 router ports is connected to an ADSL ISP and the other one is disabled. A GRE/IPSEC VPN is set up on this Internet connection to the Head Office.

I want to increase the bandwidth between HO and SOHO. It's too expensive to change the existing ADSL to fiber or high-speed wireless. So I want to introduce another ADSL line on the other router port. Is it possible to set up another tunnel on the new ADSL and load balance the existing tunnel with the new tunnel? Thanks!

tj.mitchell Wed, 05/21/2008 - 10:11

I don't see a reason why not, so long as you are using a routing protocol. Just terminate both GRE tunnels on the same device in the HO and the routes should install in the routing table with the same metrics, thus giving you two ways to get there.

I would just watch the metrics to make sure everything is the same.


Difan Zhao Wed, 05/21/2008 - 13:10

That's what I figured too. However, the 2 ISPs use different default gateways, and since I am using DHCP for the IP address and default gateway, only one default gateway will be injected into the routing table. Then the interface will use this one default gateway to build a tunnel, which means even if you ping from the other interface, the traffic will actually still go through this one. Then what happens is that even if there are 2 tunnels, the traffic from one tunnel will always go through the other one. The problem is actually how the interfaces route the packets to build the tunnel at the beginning...

tj.mitchell Wed, 05/21/2008 - 13:16

Then statically put in the default routes pointing to the interfaces, not an IP address. Or, if they give you a /24 netmask, ISPs usually use .1 as their gateway (at least the ones where I live do), so put that in and try, but I would point it to the interface. This will resolve that issue; then you can use IP SLA commands to remove the static route in the event that an ISP drops.


Richard Burts Wed, 05/21/2008 - 18:04

I think that you have a bigger problem than what default gateway to use. While Thomas's suggestion might work for a GRE tunnel to get 2 tunnels, I believe that it is not possible to establish 2 IPSec sessions that start on one router and terminate on the same remote router.



Difan Zhao Wed, 05/21/2008 - 20:19

Richard, you are everywhere!! Actually that's my second problem. I figured that I can use two separate tunnels. The two tunnels use different subnets. I can configure the two GRE interfaces to have the same delay, jitter, etc. to make them have the same EIGRP metric. Then the networks behind the two routers (HO network and SOHO network) will have two routes to each other, and because they have the same metric, they can load balance the traffic.

However the biggest problem here is:

I can have two public IP addresses on two ports; however, all traffic (no matter what the source IP addresses are) will always go to the same default gateway! Because the default gateway will always be in the same subnet as one interface, then guess what, even the traffic generated from the other interface will go through this one first! So even if you put a GRE tunnel interface upon this interface, the tunnel traffic will still go through the other interface.

I am sorry if I still didn't make myself clear... English sometimes is more difficult than Cisco routers.

tj.mitchell Thu, 05/22/2008 - 05:31

Sure, why not.. So use different source interfaces and different destinations. I have done it with different loopback addresses going in different directions, both terminating on the same device. You need to make sure that the configuration is correct for this..

Thanks HTH

Difan Zhao Thu, 05/22/2008 - 06:49

Could you give me more details about using a loopback interface in this case? For example, if the two ports have public IPs A.A.A.A and B.B.B.B respectively, and the HO has C.C.C.C, how can I set up the loopback address to assist with routing?

I just got this crazy idea. Let's say their default gateways are A.A.A.1 and B.B.B.1, respectively. Can I put in 2 static routes:

ip route C.C.C.C A.A.A.1

ip route C.C.C.C B.B.B.1

Will this work? Will both routes be injected into the routing table? I will give it a try later today and let you know how it goes. Thanks!

Difan Zhao Wed, 05/21/2008 - 20:10

Hi Thomas

I tried this too... I got their default gateways and I manually input them using ip route x.x.x.x. Then in the show run I have two default routes; however, in my routing table it still only shows me one!! Obviously the router is only able to inject one as the default route... By the way, what is SLA? I also heard of something called OER, which seems to be able to dynamically dispatch traffic. Do you know anything about it? Thanks a lot for your help!

tj.mitchell Tue, 05/27/2008 - 13:00

IP SLA is a way of providing an SLA for network traffic or monitoring. It's mainly used for voice for monitoring jitter and such on the network. You can also use it to monitor routing and pull/put static routes in the routing table. It's pretty cool..

As for the route, put the destination IP address for the IPsec tunnel in the router pointing to the appropriate gateway, then assign the traffic to the IPsec tunnel with the ACLs. Then, point the GRE tunnel destination through the IPsec tunnel with static routes the same way as the IPsec tunnels. You can then use the IP SLA commands to pull the routes out of the table based on availability tracking for redundancy.



pls rate if post is helpful
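Pulling tj.mitchell's last answer together with his earlier loopback suggestion, here is a SOHO-side IOS configuration added as an example (it is not from any poster): two GRE tunnels, each sourced from its own ADSL port and aimed at a separate HO endpoint address, so the two IPsec peerings are distinct and each tunnel's outer packets are forced out of the right link by a tracked /32 route. Interface names, addresses, the pre-shared key and the EIGRP AS are assumptions, the `ip sla`/`track` keywords assume an IOS 12.4T-era image, and the HO must carry the mirror-image tunnels on its two endpoint addresses.

```cisco
! SOHO 1811, constructed example: one GRE/IPsec tunnel per ADSL link, each
! pinned to its own ISP gateway by a /32 route, with IP SLA to pull a dead path.
! Fa0 -> ISP A (gw 203.0.113.1); Fa1 -> ISP B (gw 192.0.2.1); HO tunnel
! endpoints 198.51.100.10 / .11 (RFC 5737 documentation addresses, assumed).
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key <PSK-PLACEHOLDER> address 198.51.100.10
crypto isakmp key <PSK-PLACEHOLDER> address 198.51.100.11
crypto ipsec transform-set HO-TS esp-aes esp-sha-hmac
crypto ipsec profile HO-PROFILE
 set transform-set HO-TS
! Probe each ISP gateway out of its own port; the probe is source-pinned,
! so it cannot silently fall back onto the other link.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.0.2.1 source-interface FastEthernet1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
! /32 routes beat the single DHCP-learned default, so each tunnel's outer
! packets leave via the correct ISP; "track" withdraws the route (and so the
! tunnel and its EIGRP routes) when that gateway stops answering.
ip route 198.51.100.10 255.255.255.255 203.0.113.1 track 1
ip route 198.51.100.11 255.255.255.255 192.0.2.1 track 2
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 bandwidth 2000
 tunnel source FastEthernet0
 tunnel destination 198.51.100.10
 tunnel protection ipsec profile HO-PROFILE
interface Tunnel1
 ip address 10.255.0.5 255.255.255.252
 bandwidth 2000
 tunnel source FastEthernet1
 tunnel destination 198.51.100.11
 tunnel protection ipsec profile HO-PROFILE
! Identical bandwidth/delay on both tunnels gives equal EIGRP metrics, so the
! HO and SOHO prefixes install twice and traffic is shared across both links.
router eigrp 100
 network 10.255.0.0 0.0.0.7
 network 192.168.10.0 0.0.0.255
 no auto-summary
```

Never advertise the HO endpoint addresses (198.51.100.10/.11) into EIGRP, or the tunnel will learn its own destination through itself and flap (recursive routing); verify with `show ip route 198.51.100.10` that each /32 still points at the ISP gateway after the tunnels come up.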
