Using a Cisco 877 router with ADSL connectivity, a backup connection is needed. A 3G (cellular) device is available, capable of setting up an IPsec VPN, and offering an ethernet port for connecting the (backup) port of the 877 router.
Neither the ADSL (on the 877 router) nor the cellular (on the 3G device) have fixed IP addresses assigned to them by the ADSL/3G service providers.
The main site has a fixed IP address, both on the connection with the internet and on a (dedicated) connection to the 3G provider.
The purpose is
- create an IPsec VPN on the ADSL interface (over the internet) to the main site
- route all traffic over the IPsec VPN on the ADSL interface
- route all traffic over the ethernet port to the 3G (cellular) device if the main site is not accessible via the ADSL interface.
How can I proceed?
let's think about the components:
you can use a floating static route for the secondary link
ip route 0.0.0.0 0.0.0.0 Vlan2 200
(the use of SVIs like on a switch is specific to the 877)
200 is the AD.
the primary default route can be tracked using object tracking.
ip route 0.0.0.0 0.0.0.0 dialer1 track 122
you need a probe and the document describes how to configure it depending on your IOS version.
if the probe or IP SLA fails the primary default route is removed from the routing table.
you can use nat overload combined with a route map that checks the outgoing interface
! LAN interface 10.10.10.0/24
! deny traffic that will be sent over
! the ipsec tunnel it doesn't need to be NATTED
access-list 111 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
route-map nat_primary permit 10
 match ip address 111
 match interface dialer1
route-map nat_secondary permit 10
 match ip address 111
 match interface Vlan2
you need two statements in global config
ip nat inside source route-map nat_primary interface dialer1 overload
ip nat inside source route-map nat_secondary interface Vlan2 overload
internal lan needs
ip nat inside
external interfaces require
ip nat outside
For IPsec you need to configure the crypto map under dialer1.
The traffic that has to be encrypted is the same traffic that is not NATted:
access-list 112 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key pwd1 address HQ-address1
crypto ipsec transform-set VPN-ADSL esp-3des esp-md5-hmac
crypto map VPN_MAP local-address dialer1
crypto map VPN_MAP 10 ipsec-isakmp
 set peer HQ-address1
 set transform-set VPN-ADSL
 match address 112
this is only a trace for the ipsec part: notice that you probably need a second crypto map for the backup link.
Hope this helps
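The answer references the probe behind "track 122" but does not show it, and it leaves the interface roles in prose. The following IOS configuration is an added example that is not part of the original answer or any Cisco document. It assumes placeholder values: HQ-address1 is taken as 203.0.113.1 (documentation range), the internal LAN is 10.10.10.0/24 on Vlan1 as in the answer, and the 3G device is assumed to sit at 192.168.2.1 on Vlan2; the IP SLA number, the timers and the interface addresses are all assumptions.

```cisco
! Added example, not from the original post. Placeholders: 203.0.113.1 stands
! for HQ-address1, 192.168.2.1 for the 3G device's LAN address.
!
! 1. Pin the probe to the ADSL path. Without this host route the ICMP echo
!    would succeed over Vlan2 after failover, the track would come back up
!    and the default route would flap between the two links.
ip route 203.0.113.1 255.255.255.255 Dialer1
!
ip sla 1
 icmp-echo 203.0.113.1 source-interface Dialer1
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! 2. Track object 122 follows the probe. The delays dampen the transition so
!    a single lost echo does not remove the primary default route.
track 122 ip sla 1 reachability
 delay down 30 up 60
!
! 3. Tracked primary default (AD 1) and floating backup (AD 200). The backup
!    route names the next hop as well as the interface: Vlan2 is an Ethernet
!    segment, so an interface-only route would depend on proxy ARP.
ip route 0.0.0.0 0.0.0.0 Dialer1 track 122
ip route 0.0.0.0 0.0.0.0 Vlan2 192.168.2.1 200
!
! 4. Interface roles for NAT and IPsec, as the answer lists them in prose.
interface Vlan1
 description internal LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Vlan2
 description link to the 3G device (assumed addressing)
 ip address 192.168.2.2 255.255.255.0
 ip nat outside
!
interface Dialer1
 ip nat outside
 crypto map VPN_MAP
!
! 5. Expected state after the ADSL line is disconnected, for verification:
!    show track 122        - Reachability is Down
!    show ip route 0.0.0.0 - gateway 192.168.2.1 via Vlan2, distance 200
!    show crypto isakmp sa - no active SA towards 203.0.113.1
```

Two points to check in this design. First, the probe target must only be reachable over the tracked link; that is what the /32 route towards Dialer1 guarantees, and it is the most common reason such a setup flaps. Second, after failover the traffic to 10.0.0.0/8 is still excluded from NAT by access-list 111 and leaves Vlan2 in clear towards the 3G device, so either that device's own IPsec tunnel must cover the 10.10.10.0/24 to 10.0.0.0/8 flows, or, as the answer suggests, a second crypto map entry peering with the main site's 3G-side address has to be applied on the backup path.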