Two IPSEC VPN Tunnels with failover to same site

Unanswered Question
Jul 20th, 2010

I am not quite sure how to approach a solution, I have two sites each with a SDSL and ADSL circuit, I want to use a Cisco 1841 with Advanced Security IOS to create a VPN Tunnel between the sites and then have the option to failover if one of the WAN circuits fails.

The solution would allow certain traffic to be sent via one tunnel, such as HTTP and HTTPS and then RDP and ICA traffic across the other tunnel, but if one WAN circuit should fail all traffic will failover to the other tunnel.

I have implemented failover NAT overload using the track command and an icmp echo and route maps and this works well but the multiple VPN tunnels is something I havent approached yet, I have setup multiple IPSEC site to site tunnels but I have used two Cisco 877 routers as the workaround and had the routing done before the routers.

I am just looking for some pointers to where I should be looking, is this Policy Based Routing I need and should I look at GRE over IPSEC rather than just IPSEC?

Cheers

Kyle

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Tue, 07/20/2010 - 16:12

Kyle

If you want to send some traffic down one tunnel and other traffic down the other but use each tunnel as a backup for the other one then yes PBR is what you want to be looking at. Personally for just 2 tunnels i would use normal IPSEC with PBR. If you simply wanted to switch all traffic from one to the other then using GRE and running a routing protocol could be a good solution but there is little point if you are going to ignore the routing anyway by using PBR.

Are you familiar with PBR or do you need some help ?

Jon

kyle.heath Tue, 07/20/2010 - 23:29

Thanks Jon, I dont have experience of PBR so help on this would be much appreciated.  My goal is to be able to have the two VPN tunnels between the sites and pass the Terminal Server users via one tunnel and the Outlook Anywhere traffic over the other tunnel.  If one WAN circuit should drop then I would want the other tunnel to failover all traffic until the other WAN circuit came back up.

As I mentioned I have worked out how to failover dynamic NAT using Route Maps but this is the first time I have attempted this level of complexity with VPN tunnels.

Actions

This Discussion

Related Content