Site to Site Connectivity

Answered Question
Jun 29th, 2009

Hi,

I'm in the process of connecting up 2 of our offices. Both sites currently have a 10Mb leased line and a basic ADSL connection for backup. I will be using a Cisco 1812 at each site for the leased lines and a Cisco 877 for the ADSL lines. I will be using Cisco's tunnel interfaces in ipsec mode (rather than GRE mode). I appreciate I could use GRE multipoint interfaces to reduce some of the config, but I've decided ipsec interfaces will be better due to greater control over ospf routing as well as reduced ipsec config. I've attached a diagram of the proposed setup. In this design there will be 4 ipsec tunnels each with a /30 subnet. I will be running OSPF between the routers and will assign the relevant costs to the interfaces to get the desired routing.

Based on the attached diagram is this a sensible design?

Sample Config:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mykey address x.x.x.x no-xauth
crypto isakmp key mykey address x.x.x.x no-xauth
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec_profile
 set transform-set ESP-3DES-SHA
!
interface Tunnel0
 ip address 10.255.255.250 255.255.255.252
 keepalive 5 3
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_profile
!
! Second VTI to the other remote router. Posted as a duplicate "Tunnel0" with the
! same /30; a second tunnel needs its own interface number and its own /30 (the
! address below is assumed).
interface Tunnel1
 ip address 10.255.255.246 255.255.255.252
 keepalive 5 3
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_profile

Thanks

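As an added example, not part of the original post or its attached diagram, this is what the OSPF cost scheme the poster describes could look like on the Site A 1812, which terminates two VTIs (one to each Site B router). Hostnames, public and private addresses, interface numbering and the cost values are assumptions; the profile name `ipsec_profile` is the one from the posted config, and the two `crypto isakmp key` lines from the post would be entered for the two assumed peer addresses 198.51.100.1 and 198.51.100.9.

```cisco
! Added example, not from the original post. Site A, Cisco 1812 (10 Mb leased line).
! All names, addresses, interface numbers and costs are assumptions for illustration.
hostname SiteA-1812
!
interface FastEthernet0
 description 10 Mb leased line (public side)
 ip address 192.0.2.1 255.255.255.252
!
interface FastEthernet1
 description Site A LAN (the Site A 877 is on this LAN too)
 ip address 10.1.0.1 255.255.255.0
!
interface Tunnel0
 description VTI to SiteB-1812 (leased to leased): preferred path
 ip address 10.255.255.249 255.255.255.252
 ip ospf cost 10
 tunnel source FastEthernet0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_profile
!
interface Tunnel1
 description VTI to SiteB-877 (leased to ADSL): used when SiteB-1812 or its line is down
 ip address 10.255.255.245 255.255.255.252
 ip ospf cost 100
 tunnel source FastEthernet0
 tunnel destination 198.51.100.9
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_profile
!
! Cost plan across the four tunnels (assumed):
!   1812 <-> 1812  cost 10    (leased both ends)
!   1812 <-> 877   cost 100   (one ADSL hop, configured on both cross tunnels)
!   877  <-> 877   cost 1000  (ADSL both ends, configured on the two 877s)
! OSPF sums outbound costs, so the leased/leased tunnel wins while it is up,
! then a cross tunnel, and the ADSL/ADSL tunnel only when both leased lines fail.
router ospf 1
 router-id 10.255.0.1
 log-adjacency-changes
 ! LAN is NOT passive: the 1812 and 877 at the same site peer over it and so
 ! learn each other's tunnel routes; one wildcard covers all four /30s.
 network 10.1.0.0 0.0.0.255 area 0
 network 10.255.255.224 0.0.0.31 area 0
```

Tunnel interfaces default to OSPF network type point-to-point, so no `ip ospf network` statement is needed. After bringing it up, `show ip ospf neighbor` should list the two tunnel neighbours plus the site 877, and `show ip route 10.2.0.0` should show the remote LAN via Tunnel0 only; pulling the leased line should move it to Tunnel1 without any manual change.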

Laurent Aubert Mon, 06/29/2009 - 18:39

Hi,

Keepalive is not supported; you need to configure ISAKMP keepalive instead. As you are using an IGP, you don't need it anyway.

To improve HSRP convergence, you could track your OSPF route or even run OSPF on the LAN.

HTH

Laurent.

bjssccouser Tue, 06/30/2009 - 00:04

Thank you for your comment. At Site B there is no layer 3 switch, hence the reason for using HSRP. I was really only interested in keepalives on the Tunnel interfaces at Site B for the purposes of tracking the interfaces using HSRP.

So based on your comment, if I replace the tunnel interface keepalives with a 'crypto isakmp keepalive 10', the tunnel interfaces will report as being down if the tunnel is down? If this is not the case then I suppose I will need to set up object tracking for IP routing.

I forgot to mention in my original post that the 2 routers will also provide general internet connectivity for the 2 sites.

Thanks

Correct Answer
Laurent Aubert Tue, 06/30/2009 - 10:55

Yes, you can use the crypto isakmp keepalive 10 but it will take more time than OSPF to detect its neighbor is dead.

HTH

Laurent.
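Putting Laurent's two replies together as an added example (not from the thread): ISAKMP keepalive (DPD) in place of the unsupported VTI `keepalive`, OSPF timers on the tunnel tightened so routing converges before DPD notices anything, OSPF also running on the Site B LAN so the two Site B routers peer, and HSRP tracking the tunnel. This is the Site B 1812; addresses, interface names, the track number, HSRP priorities and all timer values are assumptions, and `ipsec_profile` is the profile from the original post.

```cisco
! Added example, not from the thread. Site B, Cisco 1812 (leased line).
! Addresses, interface names, track number, priorities and timers are assumptions.
hostname SiteB-1812
!
! Dead Peer Detection replaces "keepalive" on the VTI: probe every 10 s, retry
! every 3 s, "periodic" probes even while traffic is flowing. With the default
! retry count this still takes well over 20 s to declare the peer dead.
crypto isakmp keepalive 10 3 periodic
!
interface FastEthernet0
 description 10 Mb leased line (public side)
 ip address 198.51.100.1 255.255.255.252
!
interface Tunnel0
 description VTI to SiteA-1812 (leased to leased)
 ip address 10.255.255.250 255.255.255.252
 ip ospf cost 10
 ! 1 s hellos / 4 s dead: OSPF drops the neighbour in ~4 s, long before DPD.
 ! Must match on the far end of each tunnel.
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 tunnel source FastEthernet0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_profile
!
interface Tunnel1
 description VTI to SiteA-877 (leased to ADSL)
 ip address 10.255.255.242 255.255.255.252
 ip ospf cost 100
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 tunnel source FastEthernet0
 tunnel destination 192.0.2.9
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_profile
!
! A VTI's line protocol follows the IPsec SA, so when DPD tears the SA down the
! interface goes down and this object goes down with it. Tracking the remote
! prefix's reachability alone would not fire here: once the LAN peer still
! advertises 10.1.0.0/24 over OSPF the route stays reachable via the 877.
track 1 interface Tunnel0 line-protocol
 delay down 5 up 30
!
interface Vlan1
 description Site B LAN (no layer 3 switch, HSRP with the Site B 877)
 ip address 10.2.0.2 255.255.255.0
 standby 1 ip 10.2.0.1
 ! 110 vs the 877's default 100; losing Tunnel0 drops this to 90 and the 877 takes over
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 track 1 decrement 20
!
router ospf 1
 router-id 10.255.0.3
 log-adjacency-changes
 ! OSPF on the LAN too: the two Site B routers learn each other's tunnel routes,
 ! so even before HSRP moves, traffic arriving at the wrong router is forwarded
 ! across the LAN rather than dropped.
 network 10.2.0.0 0.0.0.255 area 0
 network 10.255.255.224 0.0.0.31 area 0
```

The ordering this gives on a leased-line failure: OSPF reroutes in about 4 s (traffic takes the extra LAN hop to the 877), DPD declares the peer dead some 20 to 30 s later and removes the SA, the VTI line protocol drops, and after the 5 s track delay HSRP moves the gateway. `show track`, `show standby brief`, `show ip ospf neighbor` and `show crypto isakmp sa` let you watch each step. The 1 s hello timers are fine on a leased line; on the ADSL tunnels consider leaving them longer if the line is prone to brief drops, since a flapping adjacency costs more than a slower failover.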

Leo Laohoo Mon, 06/29/2009 - 18:51

Hmmm ... 10 Mbps right?

Depending on your IOS and feature, the default tunnel interface bandwidth (transmit and receive) is 8Mbps.

interface Tunnel0
 ! values are in kbps; 10000 is assumed here to match a 10 Mb leased line
 tunnel bandwidth receive 10000
 tunnel bandwidth transmit 10000

Hope this helps.

bjssccouser Tue, 06/30/2009 - 00:06

Hi, I forgot to mention that these routers will also provide general internet connectivity and not just site to site connectivity. I was aware of the 8Mbps limit on tunnel interfaces, which is more than sufficient for our environment.

Thanks

Joseph W. Doherty Tue, 06/30/2009 - 04:47

On the issue of HSRP at site B, it's really only necessary for site B router, or its LAN interface, failure. Assuming the two site B routers OSPF peer, and they "know" the other router's routes, OSPF will reroute traffic from the primary gateway router to the secondary path. Certainly HSRP tracking can move the gateway to avoid an extra hop, but also assuming the Site B routers LAN interfaces have (much) more bandwidth than the WAN, the extra router hop (during primary path failure) shouldn't be too much of a concern.

In a later post you mention these routers also support the Internet. In that case, you might want to consider making one the primary path for internal traffic and the other the primary path for Internet traffic. This allows you the option to manage internal path bandwidth since, excluding one path's failure, you'll have deterministic available bandwidth for internal usage.

For such a setup, you could continue to use HSRP at site B, and one type of traffic will normally get an extra hop, or if site B routers support it, use GLBP and half of traffic would get an extra hop. Also if device supported, best option might be mHSRP so that traffic would be redirected to best virtual gateway.

PS:

BTW, when working with your tunnels, I highly recommend, if device supported, the mss adjust command. You'll also want to ensure PMTUD is working correctly.
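As an added example (not from the thread), this is how the MSS adjustment and PMTUD points above translate to the posted VTI design, including the WAN-side access list entries the tunnels and PMTUD depend on. The MTU and MSS values are derived from the ESP-3DES-SHA transform set in the posted config; the peer and local addresses, the ACL name and the interface name are assumptions.

```cisco
! Added example, not from the thread. MTU/MSS and PMTUD handling for the VTIs,
! shown for the Site A 1812. Addresses, ACL name and interface names are assumed.
!
! ESP-3DES-SHA in tunnel mode adds per packet: outer IPv4 header 20 + ESP header 8
! + 3DES IV 8 + padding 0..7 + pad-length/next-header 2 + SHA-1 ICV 12
! = 50 to 57 bytes. 1500 - 57 = 1443, so an inner MTU of 1400 leaves margin for
! NAT-T (extra 8-byte UDP header) and any PPPoE on the ADSL side.
interface Tunnel0
 ip mtu 1400
 ! MSS = inner MTU 1400 - IPv4 header 20 - TCP header 20; rewrites SYNs in both directions
 ip tcp adjust-mss 1360
!
interface Tunnel1
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! Copy the inner packet's DF bit onto the ESP packet so end-to-end PMTUD still works.
! (copy is the IOS default; "clear" is the fallback if a provider path blackholes ICMP,
! at the cost of fragmenting encrypted packets.)
crypto ipsec df-bit copy
!
! Inbound WAN filter: ISAKMP, NAT-T and ESP from the two peers, plus the ICMP
! messages PMTUD relies on. Dropping type 3 code 4 ("packet-too-big") at this
! point is the classic way to end up with hung large transfers over the tunnel.
ip access-list extended WAN-IN
 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
 permit udp host 198.51.100.1 host 192.0.2.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 192.0.2.1
 permit udp host 198.51.100.9 host 192.0.2.1 eq isakmp
 permit udp host 198.51.100.9 host 192.0.2.1 eq non500-isakmp
 permit esp host 198.51.100.9 host 192.0.2.1
 permit icmp any host 192.0.2.1 packet-too-big
 permit icmp any host 192.0.2.1 ttl-exceeded
 permit icmp any host 192.0.2.1 echo-reply
 ! remaining Internet return-traffic policy for the site goes here
 deny ip any any log
!
interface FastEthernet0
 ip access-group WAN-IN in
```

Because these routers also carry the sites' general Internet traffic, the `deny ip any any` at the end assumes stateful inspection (`ip inspect` on the WAN interface) or an explicit return-traffic policy handles non-VPN sessions; without one of those the ACL above would admit the tunnels but block ordinary web browsing. A quick PMTUD check from a LAN host is `ping` with the DF bit set and a 1400-byte payload across the tunnel: it should fail with a "fragmentation needed" reply rather than time out silently.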
