Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
517
Views
0
Helpful
2
Replies

Backup solution with 4 ADSL lines and IPSEC

Go to solution
kayih
Level 1
Level 1

‎12-13-2009 01:21 PM - edited ‎03-04-2019 06:57 AM

Hi all,

I have been asked by my boss to think about a backup solution that could take over in case the main telco line to our central office goes down.

Ideally what I wanted to do is to suscribe for a 10 mbits or 100 mbits internet circuit and build an IPsec tunnel back to the main site, problem is there is not enough budget for this 10 or 100 mbits internet leased line.

One other option I can see is to suscribe for 4 ADSL internet lines, each of these DSL line will land on one WIC-1-ADSL on a Cisco 2821.

Branch office :

- Cisco 2821 + 4 WIC-1-ADSL ------> 4 DSL lines going to same provider

Main site :

- Checkpoint NG firewall (for building IPSEC tunnel).

if required we can install a Cisco router on the main site to make thing easy or "doable".

as I have 4 DSL lines, I will have to build 4 IPSEC tunnels between the branch office and the main site. to load share between the four ipsec tunnels, I wanted to define 4 access-list which would divide the LAN branch office in four parts, so traffic come in from the LAN branch office would match only one access-list and would use the relevant IPsec tunnel.

Not too sure how the cisco router will handle this with 4 tunnels pointing to the same checkpoint VPN gateway.

if you have ever setup something similar with DSL interface or ethernet, I would appreciate your thought so I know whether I can go ahead with this design, I read about DMVPN but not sure whether this would help me here.

thanks a lot in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎12-14-2009 12:22 AM

Hello Kayih,

I would suggest you to deploy 4 point-to-point GRE tunnels each of them encapsulated in a different IPSec crypto map.

This would allow you to deploy a routing protocol over the tunnels and to have per flow load balancing over the 4 tunnels so that you achieve a better load balancing.

the GRE tunnel becomes the traffic interesting to be encrypted for each IPSec crypto map.

the IPSec crypto map is applied to the DSL interface or subinterface (ATM point-to-point subinterface is recommended)

This would require another Cisco router on the HQ to be able to terminate the GRE tunnels inside IPSec.

For simplicity try to get DSL lines with a fixed public IP address so that you can configure predefined isakmp peers otherwise you need dynamic crypto maps.

Hope to help

Giuseppe

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎12-14-2009 12:22 AM

Hello Kayih,

I would suggest you to deploy 4 point-to-point GRE tunnels each of them encapsulated in a different IPSec crypto map.

This would allow you to deploy a routing protocol over the tunnels and to have per flow load balancing over the 4 tunnels so that you achieve a better load balancing.

the GRE tunnel becomes the traffic interesting to be encrypted for each IPSec crypto map.

the IPSec crypto map is applied to the DSL interface or subinterface (ATM point-to-point subinterface is recommended)

This would require another Cisco router on the HQ to be able to terminate the GRE tunnels inside IPSec.

For simplicity try to get DSL lines with a fixed public IP address so that you can configure predefined isakmp peers otherwise you need dynamic crypto maps.

Hope to help

Giuseppe

0 Helpful

Go to solution
kayih
Level 1
Level 1
In response to Giuseppe Larosa

‎12-14-2009 05:15 AM

Giuseppe,

thanks a lot for this excellent input. I will have a look to GRE IPSEC

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card