Direct IPSEC VPN's w/multiple Hubs - Autoswitch back to primary hub

Unanswered Question

Hi,

We are implementing direct IPSEC spoke to hub sites with a primary and secondary peer. Other than doing GRE to provide OSPF to the remote sites is there anyway to failback to the primary hub site after the spoke site has already failed over to the secondary hub site?

Eg. Spoke site with one ISP connection out (internet) and one static default route.

Setup with two crypto peers, one default (Primary), and a backup (If the primary goes away)

Two Hubs sites running OSPF on the inside with reverse route injections and dynamic peers for the VPN's.

Remote site cannot see the primary hub, re-established tunnel to secondary due to crypto peer statement, secondary hub site answers, tunnel is established and RRI puts spoke site routes into OSPF. Primary hub site it visable again (from spoke) and we would like to remote site to fail back to the primary site automatically.

Is this possible (the fail-back part)?

If not it means going the GER/OSPF route at the spoke sites and using costs to control the fail-back.

Thanks in advance,

Bob

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jitendriya Athavale Fri, 07/30/2010 - 10:38

i think it might not work because since a tunnel is already established i think you will have to wait till the phase 1 lifetime expires

one way out i see is reduce the phase 1 lifetime by default it is 24 hrs around 86400 or something like that you can reduce it but just make sure that it is around 10 to 15 mins more than phase 2 lifetime, by default the phase 2 lifetime must be around 28800

so i think phase 1 lifetime to something like 5 to 6 hrs must be fine or reduce phase 2 timers too

Actions

This Discussion