I have been asked by my boss to think about a backup solution that could take over in case the main telco line to our central office goes down.
Ideally what I wanted to do is to subscribe for a 10 Mbit/s or 100 Mbit/s internet circuit and build an IPsec tunnel back to the main site; the problem is there is not enough budget for this 10 or 100 Mbit/s internet leased line.
One other option I can see is to subscribe for 4 ADSL internet lines; each of these DSL lines will land on one WIC-1-ADSL on a Cisco 2821.
Branch office :
- Cisco 2821 + 4 WIC-1-ADSL ------> 4 DSL lines going to same provider
Main site :
- Checkpoint NG firewall (for building IPSEC tunnel).
If required we can install a Cisco router on the main site to make things easy or "doable".
As I have 4 DSL lines, I will have to build 4 IPsec tunnels between the branch office and the main site. To load share between the four IPsec tunnels, I wanted to define 4 access-lists which would divide the branch office LAN into four parts, so traffic coming in from the branch office LAN would match only one access-list and would use the relevant IPsec tunnel.
Not too sure how the Cisco router will handle this with 4 tunnels pointing to the same Checkpoint VPN gateway.
If you have ever set up something similar with DSL interfaces or Ethernet, I would appreciate your thoughts so I know whether I can go ahead with this design. I read about DMVPN but am not sure whether this would help me here.
Thanks a lot in advance.
I would suggest you deploy 4 point-to-point GRE tunnels, each of them encapsulated in a different IPsec crypto map.
This would allow you to deploy a routing protocol over the tunnels and to have per-flow load balancing over the 4 tunnels, so that you achieve better load balancing.
The GRE tunnel becomes the interesting traffic to be encrypted for each IPsec crypto map.
The IPsec crypto map is applied to the DSL interface or subinterface (an ATM point-to-point subinterface is recommended).
This would require another Cisco router at the HQ to be able to terminate the GRE tunnels inside IPsec.
For simplicity, try to get DSL lines with a fixed public IP address so that you can configure predefined ISAKMP peers; otherwise you need dynamic crypto maps.
Hope this helps.
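To make the suggested design concrete, here is an added example configuration in Cisco IOS syntax for one of the four DSL lines on the branch 2821 and the matching entry on an HQ router. It is not configuration from the poster or from Cisco documentation; all addresses are RFC 5737 documentation ranges, the PVC (8/35), the pre-shared key, the ACL and crypto-map names, the EIGRP AS number and the interface numbering are assumed placeholders and must be replaced with real values. Lines 2 to 4 follow the same pattern with their own ATM subinterface, crypto map, GRE ACL and tunnel interface; because all four tunnels carry the same EIGRP metric, the branch LAN is reached over four equal-cost paths and CEF spreads flows across them, which is the per-flow load balancing described above.

```cisco
! ===== Branch office (Cisco 2821), DSL line 1 of 4 =====
ip cef
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! placeholder PSK; 203.0.113.1 is the assumed HQ public address
crypto isakmp key REPLACE-WITH-STRONG-PSK-1 address 203.0.113.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
!
! interesting traffic for this crypto map is the GRE tunnel itself,
! not the LAN subnets, so no per-subnet ACL splitting is needed
ip access-list extended GRE-DSL1
 permit gre host 198.51.100.11 host 203.0.113.1
!
crypto map CM-DSL1 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 match address GRE-DSL1
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
! ATM point-to-point subinterface with the fixed public IP of DSL line 1
interface ATM0/0/0.1 point-to-point
 description DSL line 1 to HQ
 ip address 198.51.100.11 255.255.255.252
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map CM-DSL1
!
! GRE tunnel riding on DSL line 1; the GRE packets are encrypted by CM-DSL1
interface Tunnel1
 description GRE over IPsec via DSL line 1
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source 198.51.100.11
 tunnel destination 203.0.113.1
!
! repeat ATM0/0/0.2-4, CM-DSL2-4, GRE-DSL2-4 and Tunnel2-4 for lines 2-4
!
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 network 10.255.3.0 0.0.0.3
 network 10.255.4.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
 maximum-paths 4
 no auto-summary
!
! ===== HQ router: one crypto-map entry and one tunnel per DSL line =====
ip cef
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK-1 address 198.51.100.11
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
!
ip access-list extended GRE-DSL1
 permit gre host 203.0.113.1 host 198.51.100.11
!
crypto map CM-HQ 10 ipsec-isakmp
 set peer 198.51.100.11
 set transform-set TS-AES
 match address GRE-DSL1
! add entries 20, 30, 40 with the peer/ACL of DSL lines 2-4
!
interface GigabitEthernet0/0
 description Internet-facing interface
 ip address 203.0.113.1 255.255.255.248
 crypto map CM-HQ
!
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.11
!
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.0.0.0 0.255.255.255
 maximum-paths 4
 no auto-summary
```

The `keepalive` on each tunnel lets EIGRP withdraw the path quickly when one DSL line fails, while the lowered `ip mtu` and `adjust-mss` avoid fragmentation from the combined GRE and ESP overhead. Transport mode is used because GRE already provides the outer encapsulation; if the provider assigns addresses dynamically, the HQ side would need a dynamic crypto map in place of the static peers shown here, as the answer notes.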