Redundant IPSec VPN configuration

Unanswered Question
Sep 16th, 2008
User Badges:

I need to validate something or know of any good configuration to do this.

I have a Cisco 1800 Series router that has a T1 module (primary) and a DSL connection (Secondary) connected to one of the ethernet ports.

We have a VPN tunnel established with one site. I want the ability that if the T1 fails and fails over to the DSL the VPN will fail over to. I know there be some delay in order for the VPN to be reestablished.

What would be the best way to do this.

Any config examples and related URLs would be great.

Here is what my came up with and thought there may be another way, better way to do this:

crypto isakmp policy 10

encryption 3des

authentication pre-share

crypto ipsec transform-set 3des-set esp-3des esp-sha-hmac

crypto isakmp key cisco123 address

crypto map cm1 10 ipsec-isakmp

set peer

set transform-set 3des-set

match address 112

crypto isakmp key cisco123 address

crypto map cm2 10 ipsec-isakmp

set peer

set transform-set 3des-set

match address 112

interface serial0

desc Primary: T1

ip address

crypto map cm1

interface ethernet1

desc Secondary: DSL

ip address

crypto map cm2

interface ethernet0

ip address

ip sla monitor 1

type echo protocol ipIcmpEcho

ip sla monitor schedule 1 life forever start-time now

track 123 rtr 1 reachability

ip route track 123

ip route 254

ip route serial0 track 123

ip route ethernet1 254

access-list 111 deny ip

access-list 111 permit ip any

access-list 112 permit ip

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Istvan_Rabai Tue, 09/16/2008 - 18:25
User Badges:
  • Gold, 750 points or more

Hi Rashida,

Another way could be using a routing protocol over GRE/IPSec tunnels.

You could inject default routes from the remote routers into the local 1800 series router on different costs, giving less cost to the preferred connection.

Then the routing protocol keepalive mechanism would take care of checking the connection workability.

In case of failure of the primary link or the respective remote router, the local routing protocol would switch over to the secondary default route through the alternative link.

One additional advantage of this is that if you increase the number of your local subnets, your routing protocol takes care of advertising those subnets into the remote headend routers.

Disadvantage is that you have to configure GRE tunnels that also increases the packet size by 24 bytes (GRE packet overhead).



ryabutler Wed, 09/17/2008 - 10:41
User Badges:

Thanks for the response Istvan. I actually didn't write-up the config correctly.

What I meant to say was the main site has two Internet connections terminating to the same router. The remote site only has one connection. The VPN would need to be established through the Primary and if the Primary fails reestablished through the secondary link. It seems DMVPN would be better solution and require some hardware changes.

That solution you mentioned would work, but the issue is I can only not active default gateway on the router thus only one VPN tunnel would exist unless I implement a Dual-Tier/Cloud DMVPN network using two routers which seems to be the better option.

Thanks again


This Discussion