cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
329
Views
0
Helpful
5
Replies

Redundant VPN?

dmurray14
Level 1
Level 1

Hi all,

Tried to post a similar question a few days ago but I don't think it went through. I have an ASA5510, also have a 2851 with 3 multilinked T1's, and a T1 from a separate provider on a 1700. What I would like to do is have the extra T1 as a failover for the multilinked T1's in the (unfortunately rather common) case that they go down.

From what I've read I could do this simply by having the extra T1 on a separate interface and adding an ip route 0.0.0.0 0.0.0.0 with that IP and a higher priority.

However, I also run a vpn tunnel to our datacenter, and I would like this to failover as well on the backup T1.

From what I've read it seems possible to do this with a loopback interface, though I have no clue how to set that up.

Any assistance is much appreciated!

Thanks,

Dan

5 Replies 5

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Dan,

you should need to do the following:

use GRE tunnels inside IPSec

you build two GRE tunnels : the first travel inside the primary link/IPSec SA, the second inside the secondary link /IPSec SA

the two IPSec SA need to use different IP endpoints.

Using GRE allow you to run a routing protocol inside the tunnels so that a router inside the ASA can use the secondary GRE when the adjacency (typically EIGRP or OSPF are used).

But this would work if there is another router internal to ASA.

However you need two different IP endpoints: one the current one that is routable via primary ISP on the 3T1 bundle, the second that is routable via the backup T1.

The devices that could this job better are the two external routers themselves if they have a common segment they could run the same routing protocol used over the GRE tunnels.

In this way the ASA would be just the firewall with no involvement in routing.

I'm not an expert on ASA so my suggestions are more router focused.

Hope to help

Giuseppe

Giuseppe,

Thanks for the help. Not quite sure I get it though. I found the following article, which unfortunately doesn't make complete sense to me, but at least the concept seems right. Could I do it this way?

http://www.wr-mem.com/?p=113

Thanks,

Dan

Hello Dan,

the article explains a possible setup when the border router connecting to two ISPs is only one.

In your case the routers connecting to the two ISPs are different.

You can think to adapt the example using the ASA.

But you need two different endpoints on the ASA side that are routed via the two different ISPs so that the two IPSec SAs can stay up.

Then you need also a way to use the primary until is up.

This is the reason for the suggested GRE tunnels: to have a logical object that can be the next-hop/outgoing interface for traffic, the IPsec crypto is more like an ACL then an interface.

Hope to help

Giuseppe

Giuseppe,

Thanks again for your help. Unfortunately I'm not familiar with GRE, barely with making an IPSec tunnel. Seems if I am going to do this I have some reading to do to catch up on it.

So I could not just have two seperate IPSec tunnels going between the two ASA's? That way I could even load balance maybe?

Thanks again for the help.

Dan

Hello Dan,

the problem of an IPSec only solution is the lack of routing control:

think of IPSec crypto map as equivalent to ACLs : they define what is the interesting traffic to be encrypted.

The interesting traffic is that between internal LAN ip subnets:

you can build a solution where first IPSec SA is used until it is alive. I don't think you can achieve load balancing:

traffic is encrypted over the first IPSec SA and the other one can be up but idle.

If the first SA is broken, you can probably achieve failover over the second SA.

The GRE tunnels allow to have an interface that can be referenced in a routing table and so you can even achieve load-balancing if desired.

But I don't know if ASA can do this.

I see that ASA can be smarter then routers in managing IPSec tunnels : ASA has the concept of tunnel groups.

see

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1113843

see the section

"Configuring LAN-to-LAN Connection Profiles"

But I'm not sure this looks like just to make easy configuration tasks

Hope to help

Giuseppe

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco