VPN-tunnel redundancy

Unanswered Question
Oct 26th, 2009
There are two sites with 2801/CallManager Express routers. I need to have a LAN-to-LAN connection over the Ethernet WAN interfaces.

Is it possible to configure two VPN tunnels with redundancy? How do I monitor the VPN tunnel state and switch to the second tunnel?

Jody Lemoine Thu, 10/29/2009 - 11:48

There are a number of ways to go about it, but I would run with two encrypted tunnels and a routing protocol such as EIGRP to balance or provide failover. Something like this would do the trick.

! Router 1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ***** address 3.3.3.2 no-xauth
crypto isakmp key ***** address 4.4.4.2 no-xauth
!
crypto ipsec transform-set TS-AES256SHA1ESP esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set TS-AES256SHA1ESP
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 2.2.2.2 255.255.255.0
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
! Tunnel0 rides the FastEthernet0/0 WAN link, Tunnel1 the FastEthernet0/1 link.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source FastEthernet0/0
 tunnel destination 3.3.3.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source FastEthernet0/1
 tunnel destination 4.4.4.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
! The network statement must match this router's own LAN (10.0.0.0/24); the
! unnumbered tunnels borrow that address, so EIGRP runs over both tunnels.
router eigrp 10
 network 10.0.0.0 0.0.0.255
!
! Pin each tunnel destination to its own WAN next hop so the two tunnels
! cannot both end up on one path.
ip route 3.3.3.0 255.255.255.0 1.1.1.1
ip route 4.4.4.0 255.255.255.0 2.2.2.1

! Router 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ***** address 1.1.1.2 no-xauth
crypto isakmp key ***** address 2.2.2.2 no-xauth
!
crypto ipsec transform-set TS-AES256SHA1ESP esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set TS-AES256SHA1ESP
!
interface FastEthernet0/0
 ip address 3.3.3.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 4.4.4.2 255.255.255.0
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.0
!
! Mirror of Router 1: Tunnel0 to Router 1's FastEthernet0/0, Tunnel1 to its FastEthernet0/1.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source FastEthernet0/1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
! This router's own LAN (10.0.1.0/24), also borrowed by its unnumbered tunnels.
router eigrp 10
 network 10.0.1.0 0.0.0.255
!
! Each tunnel destination reached via its own WAN next hop.
ip route 1.1.1.0 255.255.255.0 3.3.3.1
ip route 2.2.2.0 255.255.255.0 4.4.4.1


You'll want to make substitutions as follows:

***** - Your tunnel keys

Loopback0 - LAN Interface for each router

10.0.0.0 - LAN Subnet for Router1
10.0.1.0 - LAN Subnet for Router2

1.1.1.0 - WAN Subnet for Router1 FastEthernet0/0
1.1.1.1 - Next-hop Router for Router1 FastEthernet0/0
1.1.1.2 - Interface of Router1 FastEthernet0/0

1.1.1.0 - WAN Subnet for Router1 FastEthernet0/1
1.1.1.1 - Next-hop Router for Router1 FastEthernet0/1
1.1.1.2 - Interface of Router1 FastEthernet0/1

3.3.3.0 - WAN Subnet for Router2 FastEthernet0/0
3.3.3.1 - Next-hop Router for Router2 FastEthernet0/0
3.3.3.2 - Interface of Router2 FastEthernet0/0

4.4.4.0 - WAN Subnet for Router2 FastEthernet0/1
4.4.4.1 - Next-hop Router for Router2 FastEthernet0/1
4.4.4.2 - Interface of Router2 FastEthernet0/1

You'll also want to adjust subnet masks and routing wildcards appropriately for your actual subnet masks.


This will create two VPN tunnels, each using a separate Internet connection on the FastEthernet ports. The EIGRP routing protocol will balance between them, using a single tunnel only when one should fail.


You can track which are up by monitoring the tunnel interface status.
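One way to automate that check, as an added example that is not part of the original answer: the script below parses `show ip interface brief` and `show ip eigrp neighbors` output from Router 1 (interface names and addresses taken from the config above) and reports whether both tunnels carry an EIGRP adjacency, only one does (degraded), or none. The sample output is constructed for the example, not captured from a real router; a tunnel that is up but has no EIGRP neighbor is flagged separately, since that is the symptom of a routing misconfiguration rather than an IPsec failure.

```python
import re

# Constructed (not from the post) "show ip interface brief" on Router 1; Tunnel1 is down.
SHOW_IP_INT_BRIEF = """\
Interface        IP-Address   OK? Method Status                Protocol
FastEthernet0/0  1.1.1.2      YES NVRAM  up                    up
FastEthernet0/1  2.2.2.2      YES NVRAM  up                    up
Loopback0        10.0.0.1     YES NVRAM  up                    up
Tunnel0          10.0.0.1     YES unset  up                    up
Tunnel1          10.0.0.1     YES unset  up                    down
"""

# Constructed "show ip eigrp neighbors": only Tu0 currently has a peer.
SHOW_EIGRP_NEIGHBORS = """\
IP-EIGRP neighbors for process 10
H   Address     Interface   Hold Uptime   SRTT   RTO  Q  Seq
                            (sec)         (ms)       Cnt Num
0   10.0.1.1    Tu0           13 00:12:31   20   200  0  15
"""

# Status may be several words ("administratively down"), so match it lazily.
TUNNEL_LINE = re.compile(r"^(Tunnel\d+)\s+\S+\s+\S+\s+\S+\s+(.+?)\s+(up|down)\s*$")
NEIGHBOR_LINE = re.compile(r"^\d+\s+\S+\s+Tu(\d+)\b")

def tunnel_states(show_ip_int_brief):
    """Map each Tunnel interface to True when status and line protocol are both up."""
    states = {}
    for line in show_ip_int_brief.splitlines():
        m = TUNNEL_LINE.match(line)
        if m:
            states[m.group(1)] = m.group(2).strip() == "up" and m.group(3) == "up"
    return states

def eigrp_tunnels(show_eigrp_neighbors):
    """Set of Tunnel interfaces that currently have an EIGRP neighbor."""
    return {"Tunnel" + m.group(1)
            for m in map(NEIGHBOR_LINE.match, show_eigrp_neighbors.splitlines()) if m}

def assess(show_ip_int_brief, show_eigrp_neighbors):
    """Classify each tunnel; overall state is 'redundant', 'degraded' or 'isolated'."""
    up = tunnel_states(show_ip_int_brief)
    peers = eigrp_tunnels(show_eigrp_neighbors)
    report = {"healthy": [], "up_no_neighbor": [], "down": []}
    for name, is_up in sorted(up.items()):
        if not is_up:
            report["down"].append(name)             # tunnel not passing traffic
        elif name in peers:
            report["healthy"].append(name)          # up and EIGRP adjacency formed
        else:
            report["up_no_neighbor"].append(name)   # up but no peer: check EIGRP network
    n = len(report["healthy"])
    report["state"] = "redundant" if n >= 2 else "degraded" if n == 1 else "isolated"
    return report
```

Feed it the two show outputs collected on a schedule and alert on any state other than `redundant`; a tunnel listed under `up_no_neighbor` means the IPsec side is fine but EIGRP never formed an adjacency across it.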

