VPN-tunnel redundancy

olegm (Level 1)

There are two sites with 2801/CallManager Express routers. I need to have a LAN-to-LAN connection over the Ethernet WAN interfaces.

Is it possible to configure two VPN tunnels with redundancy? How do I monitor the VPN-tunnel state and switch to the second tunnel?

1 Reply

ghostinthenet (Level 7)

There are a number of ways to go about it, but I would run with two encrypted tunnels and a routing protocol such as EIGRP to balance or provide failover. Something like this would do the trick.

! Router 1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! One pre-shared key per remote WAN address (one per tunnel)
crypto isakmp key ***** address 3.3.3.2 no-xauth
crypto isakmp key ***** address 4.4.4.2 no-xauth
!
crypto ipsec transform-set TS-AES256SHA1ESP esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set TS-AES256SHA1ESP
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 2.2.2.2 255.255.255.0
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
! Tunnel0: VTI over the first WAN link, protected by the IPsec profile
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source FastEthernet0/0
 tunnel destination 3.3.3.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
! Tunnel1: VTI over the second WAN link
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source FastEthernet0/1
 tunnel destination 4.4.4.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
! Router 1's LAN subnet; the unnumbered tunnels inherit this address, so EIGRP runs over both of them
router eigrp 10
 network 10.0.0.0 0.0.0.255
!
! Reach Router 2's WAN addresses via the matching local WAN next hop, one route per tunnel path
ip route 3.3.3.0 255.255.255.0 1.1.1.1
ip route 4.4.4.0 255.255.255.0 2.2.2.1
!
! Router 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ***** address 1.1.1.2 no-xauth
crypto isakmp key ***** address 2.2.2.2 no-xauth
!
crypto ipsec transform-set TS-AES256SHA1ESP esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set TS-AES256SHA1ESP
!
interface FastEthernet0/0
 ip address 3.3.3.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 4.4.4.2 255.255.255.0
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.0
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source FastEthernet0/1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
! Router 2's LAN subnet
router eigrp 10
 network 10.0.1.0 0.0.0.255
!
! Reach Router 1's WAN addresses via the matching local WAN next hop
ip route 1.1.1.0 255.255.255.0 3.3.3.1
ip route 2.2.2.0 255.255.255.0 4.4.4.1

You'll want to make substitutions as follows:

***** - Your tunnel keys
Loopback0 - LAN Interface for each router
10.0.0.0 - LAN Subnet for Router1
10.0.1.0 - LAN Subnet for Router2
1.1.1.0 - WAN Subnet for Router1 FastEthernet0/0
1.1.1.1 - Next-hop Router for Router1 FastEthernet0/0
1.1.1.2 - Interface of Router1 FastEthernet0/0
1.1.1.0 - WAN Subnet for Router1 FastEthernet0/1
1.1.1.1 - Next-hop Router for Router1 FastEthernet0/1
1.1.1.2 - Interface of Router1 FastEthernet0/1
3.3.3.0 - WAN Subnet for Router2 FastEthernet0/0
3.3.3.1 - Next-hop Router for Router2 FastEthernet0/0
3.3.3.2 - Interface of Router2 FastEthernet0/0
4.4.4.0 - WAN Subnet for Router2 FastEthernet0/1
4.4.4.1 - Next-hop Router for Router2 FastEthernet0/1
4.4.4.2 - Interface of Router2 FastEthernet0/1

You'll also want to adjust subnet masks and routing wildcards appropriately for your actual subnet masks.

This will create two VPN tunnels, each using a separate Internet connection on the FastEthernet ports. The EIGRP routing protocol will balance between them, using a single tunnel only when one should fail.

You can track which are up by monitoring the tunnel interface status.
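As an added example (not part of the original thread), a small Python check for the monitoring question: it parses constructed "show ip interface brief" and "show ip eigrp neighbors" output for the two-tunnel design above and reports whether redundancy is intact, so a failover that EIGRP handled silently still gets noticed. The names TUNNELS, parse_tunnel_status, parse_eigrp_neighbors and classify are assumptions of this example, and the show output is constructed sample text.

```python
"""Classify the state of the two-VTI + EIGRP design from constructed IOS show
output (in practice: the same text collected from the router over SSH)."""
import re

TUNNELS = ("Tunnel0", "Tunnel1")

# Constructed sample of 'show ip interface brief' on Router 1 with Tunnel1 down.
SAMPLE_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            1.1.1.2         YES manual up                    up
FastEthernet0/1            2.2.2.2         YES manual up                    up
Loopback0                  10.0.0.1        YES manual up                    up
Tunnel0                    10.0.0.1        YES TFTP   up                    up
Tunnel1                    10.0.0.1        YES TFTP   up                    down
"""
# Constructed sample of 'show ip eigrp neighbors': only Tunnel0 has a peer.
SAMPLE_EIGRP_NEIGHBORS = """\
EIGRP-IPv4 Neighbors for AS(10)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.0.1.1                Tu0                      13 00:42:10   18   108  0  27
"""

def parse_tunnel_status(int_brief):
    """Tunnel name -> True when Status and Protocol both read 'up'. Status can
    be two words ('administratively down'), hence the lazy group."""
    status = {}
    for line in int_brief.splitlines():
        m = re.match(r"^(Tunnel\d+)\s+\S+\s+\S+\s+\S+\s+(.+?)\s+(\S+)\s*$", line)
        if m:
            status[m.group(1)] = m.group(2) == "up" and m.group(3) == "up"
    return status

def parse_eigrp_neighbors(neighbors):
    """Tunnel name -> peer address; IOS abbreviates TunnelN as TuN."""
    peers = {}
    for line in neighbors.splitlines():
        m = re.match(r"^\d+\s+(\d+\.\d+\.\d+\.\d+)\s+Tu(\d+)\s", line)
        if m:
            peers["Tunnel" + m.group(2)] = m.group(1)
    return peers

def classify(int_brief, neighbors):
    """Return (state, healthy_tunnels). A tunnel counts as healthy only when it is
    up AND carries an EIGRP neighbor; 'degraded' means failover capacity is gone."""
    status = parse_tunnel_status(int_brief)
    peers = parse_eigrp_neighbors(neighbors)
    healthy = [t for t in TUNNELS if status.get(t, False) and t in peers]
    state = {2: "redundant", 1: "degraded"}.get(len(healthy), "outage")
    return state, healthy  # sample above -> ("degraded", ["Tunnel0"])
```

A "degraded" result is the one to alert on: traffic still flows, so nothing else will complain until the second link fails too.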