Unanswered Question
Oct 11th, 2008


How Can I create a ipsec tunnel in multipoint to multi point network for the same source and destination network.






Source is network X and destination is Network Y. R1-R4 is my router.Primary path from NetX to NetY is R1 and R3.If R3 down then the path will be R1 and R4.

If R1 fails the path will be R2 and R3 ,vice versa.

Pls share all your ideas pls.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Istvan_Rabai Sun, 10/12/2008 - 07:43


From your drawing I suppose NetX is a layer2 network and it is served by the default gateways R1 and R2.

Also, I suppose NetY has an edge router that connects it to the ISP.

If this is the case, then you can arrange R1 and R2 in an active-standby configuration using HSRP. Users will send their traffic to the virtual ip address of the HSRP group independently of which router is alive.

You can then esablish 2 different IPSec tunnels (preferably GRE over IPSEC so routing protocols can be carried over the connection):

- from R1 to the NetY edge router

- from R2 to the NetY edge router

With this configuration you will have the necessary failover scenario in place.

Does this answer your question?



NSG_POLARIS Wed, 10/15/2008 - 04:11


NetX and NetY both are Layer3 Networks.

It is a low bandwidth Link.I dont want to increase the packet size with encapsulation. I am expecting somthing to do with ip-sec instead of GRE over ip-sec.

Pls advice.

Istvan_Rabai Wed, 10/15/2008 - 09:58


It's alright, then you just need to create the IPSec tunnel from the NetX low bandwidth interface to the NetY low bandwidth interface.

R1 through R4 will resolve the failover issue if routing is configured properly.

With a pure IPSec tunnel you will need to configure static routes on both NetX and NetY routers pointing to the subnets of the other side respectively.

Can you configure the IPSec tunnel or do you need help in this?

If help is needed then please provide a running-config on both NetX and NetY.




This Discussion