Redundant IPSec VPN configuration

Unanswered Question
Sep 16th, 2008
I need to validate something or know of any good configuration to do this.


I have a Cisco 1800 Series router that has a T1 module (primary) and a DSL connection (Secondary) connected to one of the ethernet ports.


We have a VPN tunnel established with one site. I want the ability that if the T1 fails and traffic fails over to the DSL, the VPN will fail over too. I know there will be some delay before the VPN is re-established.


What would be the best way to do this?


Any config examples and related URLs would be great.


Here is what I came up with; I thought there may be another, better way to do this:


crypto isakmp policy 10
 encryption 3des
 authentication pre-share
!
crypto ipsec transform-set 3des-set esp-3des esp-sha-hmac
!
! Peer reached over the T1
crypto isakmp key cisco123 address 1.1.1.1
crypto map cm1 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set 3des-set
 match address 112
!
! Peer reached over the DSL
crypto isakmp key cisco123 address 2.2.2.1
crypto map cm2 10 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set 3des-set
 match address 112
!
interface Serial0
 description Primary: T1
 ip address 1.1.1.2 255.255.255.252
 crypto map cm1
!
interface Ethernet1
 description Secondary: DSL
 ip address 2.2.2.2 255.255.255.252
 crypto map cm2
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
!
! Probe the T1 next hop; the routes tracking object 123 are withdrawn
! when it stops answering and the floating routes (distance 254) take over
ip sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1
ip sla monitor schedule 1 life forever start-time now
!
track 123 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 123
ip route 0.0.0.0 0.0.0.0 2.2.2.1 254
!
! The backup route needs a next hop: a route pointing only at an Ethernet
! interface relies on proxy ARP for every destination
ip route 192.168.2.0 255.255.255.0 Serial0 track 123
ip route 192.168.2.0 255.255.255.0 2.2.2.1 254
!
! 111 excludes the VPN traffic and permits the rest (the NAT statement that
! would reference it is not shown); 112 selects the traffic to be encrypted
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Istvan_Rabai Tue, 09/16/2008 - 18:25

Hi Rashida,


Another way could be using a routing protocol over GRE/IPSec tunnels.


You could inject default routes from the remote routers into the local 1800 series router on different costs, giving less cost to the preferred connection.


Then the routing protocol keepalive mechanism would take care of checking the connection workability.


In case of failure of the primary link or the respective remote router, the local routing protocol would switch over to the secondary default route through the alternative link.


One additional advantage of this is that if you increase the number of your local subnets, your routing protocol takes care of advertising those subnets into the remote headend routers.


A disadvantage is that you have to configure GRE tunnels, which also increases the packet size by 24 bytes (GRE packet overhead).


Cheers:

Istvan


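The GRE/IPsec approach described in this reply, as an added illustration that is not from the original thread: two protected GRE tunnels from the 1800, one sourced from the T1 and one from the DSL, with EIGRP learning a default route from each headend and the backup tunnel given a higher delay so the primary wins while its hellos keep arriving. The headend public addresses 3.3.3.1 and 4.4.4.1, the 10.0.0.0/30 and 10.0.1.0/30 tunnel subnets, EIGRP AS 100 and the profile name gre-prot are assumptions; the interface and LAN addresses are the ones from the question.

```cisco
! --- Cisco 1800 at the main site (addresses beyond the post are assumed) ---
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 3.3.3.1
crypto isakmp key cisco123 address 4.4.4.1
crypto ipsec transform-set 3des-set esp-3des esp-sha-hmac
crypto ipsec profile gre-prot
 set transform-set 3des-set
!
! Pin each headend's public address to its own WAN link so each tunnel
! always leaves by its own interface; no tracked default route is needed.
ip route 3.3.3.1 255.255.255.255 1.1.1.1
ip route 4.4.4.1 255.255.255.255 2.2.2.1
!
! Primary GRE/IPsec tunnel over the T1 to headend A
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0
 tunnel destination 3.3.3.1
 tunnel protection ipsec profile gre-prot
!
! Backup tunnel over the DSL to headend B; the higher delay makes EIGRP
! prefer the default route learned over Tunnel0 while that neighbor is alive
interface Tunnel1
 ip address 10.0.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 delay 100000
 tunnel source Ethernet1
 tunnel destination 4.4.4.1
 tunnel protection ipsec profile gre-prot
!
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 10.0.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
! --- Headend A (headend B mirrors this with 10.0.1.1/30, 4.4.4.1 and 2.2.2.2) ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
 tunnel source 3.3.3.1
 tunnel destination 1.1.1.2
 tunnel protection ipsec profile gre-prot
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 192.168.2.0
 no auto-summary
```

When the T1 or headend A dies, the EIGRP hold timer on Tunnel0 expires and the default and 192.168.2.0/24 routes learned over Tunnel1 take over; the reduced MTU and MSS clamp account for the GRE plus IPsec overhead mentioned above.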

ryabutler Wed, 09/17/2008 - 10:41
Thanks for the response Istvan. I actually didn't write-up the config correctly.


What I meant to say was that the main site has two Internet connections terminating on the same router. The remote site only has one connection. The VPN would need to be established through the primary and, if the primary fails, re-established through the secondary link. It seems DMVPN would be a better solution and would require some hardware changes.



That solution you mentioned would work, but the issue is I can only have one active default gateway on the router, thus only one VPN tunnel would exist unless I implement a Dual-Tier/Cloud DMVPN network using two routers, which seems to be the better option.


Thanks again
