Redundant VPN Connection & Routing

Unanswered Question
Jun 4th, 2008

We have a remote site with a T1 connection and a backup DSL line. On the DSL line, I would like to place an ASA 5505 with an "always-on" LAN-to-LAN tunnel back to our network. Of course, this would be so that if the T1 circuit failed, it would fail over to the VPN tunnel over the DSL line. My question: Since the VPN Concentrator at the main site does not support EIGRP (used across the LAN/WAN), how do I configure routing at the main site to allow for this "failover"?

sdoremus33 Wed, 06/04/2008 - 09:09

When you say the VPN concentrator will not support EIGRP RP, what if you set up a GRE tunnel from remote site to your LAN? Just a suggestion. HTH

Richard Burts Wed, 06/04/2008 - 09:15

How to do this would depend somewhat on the topology of the network at the main site. Would I be correct in assuming that the interface at the main site that would be running the IPSec VPN would be different from the interface that is receiving the T1 from the remote? If so then EIGRP over the T1 will know if the T1 is working or not and if it is not then the route to the remote site over the T1 would be withdrawn from the routing table. If you had a floating static route configured it could point to the remote site through the interface running IPSec and with the crypto map that would recognize the traffic to the remote and process it through IPSec.

So a floating static route at the main site showing the remote as reachable through the IPSec interface would be the simple solution. If the topology is different then we may need to look for a different solution.

[edit] I realize that I slightly misunderstood the original post. I assumed that you would run IPSec VPN from the router that receives the T1 from the remote. I now see that you are talking about a VPN concentrator for site to site. I think most of my answer is still appropriate. A floating static route should work, but instead of my suggestion about the interface which processes IPSec the floating static would point to the interface which leads to the concentrator.



sometechguy Thu, 06/05/2008 - 07:19

Thank you for the quick response.

The topology is as follows:

CoreRouterA <-> CoreRouterB

CoreRouterA -> VPN Concentrator

CoreRouterB -> RouterC

RouterC ->T1 RemoteSite

VPN Concentrator ->IPSEC Remote Site

Make sense?
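
An added example, not part of the original thread or written by any of its posters: the floating static route suggested above, sketched as IOS configuration for CoreRouterA in the posted topology. The prefix, next-hop address, EIGRP AS number and object names are constructed placeholders, and the redistribution step is an assumption made so that CoreRouterB also learns the backup path.

```cisco
! CoreRouterA: the core router that connects to the VPN Concentrator.
! Constructed placeholder values (not from the thread):
!   10.50.0.0/16   remote site LAN
!   192.168.100.2  VPN Concentrator inside address
!   100            EIGRP autonomous system number
!
! Floating static route. Administrative distance 250 is higher than
! EIGRP (90 internal, 170 external), so this route is installed only
! after the EIGRP route learned over the T1 has been withdrawn.
! The prefix and mask must match the EIGRP-advertised route exactly:
! a more specific EIGRP prefix wins on longest match regardless of
! distance, and a less specific one would leave this static active
! all the time.
ip route 10.50.0.0 255.255.0.0 192.168.100.2 250
!
! Redistribute only the backup prefix, not every static on the router.
ip prefix-list REMOTE-BACKUP seq 5 permit 10.50.0.0/16
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list REMOTE-BACKUP
!
! A static route is redistributed only while it is in the routing
! table, so CoreRouterB sees this external route only during a T1
! outage. When the T1 returns, the internal EIGRP route from RouterC
! replaces the static and the redistributed route is withdrawn.
router eigrp 100
 redistribute static metric 1544 20000 255 1 1500 route-map STATIC-TO-EIGRP
```

After a test failover, `show ip route 10.50.0.0` on CoreRouterA and CoreRouterB shows which path is active. The remote ASA 5505 needs matching routing so that return traffic also uses the tunnel while the T1 is down.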

