Dual Homed - IPSEC L2L VPN

Unanswered Question
Oct 25th, 2009

Greetings, we have a client who wishes to terminate 2 DSL links on a 2801 ISR. The client also has a number of remote branch offices.

They would like to terminate L2L VPNs on the 2801 for secure site-to-site connectivity. Branch office routers are all 857 ISRs.

Now I've been juggling with the best way to configure this. Normally I wouldn't be concerned, but I'm struggling to take into account the two DSL connections terminated on the same router at the head office.

Option 1: Configure a crypto map on each of the DSL interfaces on the 2801 and run two tunnels to each branch office in combination with static routes. Use PBR to split standard web traffic across the two DSL links.

Option 2: Dedicate one of the DSL interfaces on the 2801 to L2L VPN traffic and use policy-based routing to redirect all other traffic out of the second DSL link.

Has anyone had similar experience with a setup like this? I would normally be inclined to run GRE/EIGRP but the 857s only support RIP, which I would like to avoid.


Richard Burts Sun, 10/25/2009 - 10:24

I am not sure that you can run two IPSec L2L tunnels from the same head end to the same remote router, even if there are two DSL terminations on the head end. I would suggest that you think about running a single tunnel from the 2801 to each remote. If you use a loopback interface as the peering interface or use the inward facing interface as the peering interface I believe that it could work and could use either of the DSL links to reach the remote router (assuming that you can make the head end peering address reachable through both of the DSL links).
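The loopback-peering approach suggested in the reply above, sketched as Cisco IOS configuration for the 2801 head end. This is an added example, not part of the original thread: the interface names (Dialer0/Dialer1 for the two DSL links), all addresses, the ACL, transform-set and crypto map names are constructed placeholders, and it assumes the loopback address is reachable from the branch through both DSL links and that an ISAKMP policy and a pre-shared key for the peer are already configured.

```cisco
! --- 2801 head end (constructed example; all names and addresses are placeholders) ---
!
! Peering address that does not depend on either DSL interface being up.
! Assumption: this address is routable to the branch via both DSL links.
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
! Phase 2 proposal (ISAKMP policy and key are assumed to exist already)
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Interesting traffic: head office LAN to branch 1 LAN
ip access-list extended BRANCH1-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Source IKE/IPsec from the loopback instead of the egress interface.
! With local-address set, one SA database is shared by every interface
! the map is applied to, so there is a single tunnel per branch.
crypto map L2L local-address Loopback0
crypto map L2L 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address BRANCH1-TRAFFIC
!
! Same crypto map on both DSL-facing interfaces
interface Dialer0
 crypto map L2L
!
interface Dialer1
 crypto map L2L
!
! --- 857 branch side: peer with the head-end loopback, not a DSL address ---
! crypto map L2L 10 ipsec-isakmp
!  set peer 198.51.100.1
```

After applying it, `show crypto isakmp sa` and `show crypto ipsec sa` on the 2801 should list the loopback address as the local endpoint, whichever DSL link carries the traffic.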



