Site-to-Site VPN Mesh

Unanswered Question
Sep 27th, 2010

I have 3 sites (could be more) for which I want to build a fully "meshed" VPN topology. This is for testing purposes only.

I have 2 different internet providers at each site. I want to build a site-to-site VPN topology that is in essence a mesh, so that if one ISP goes down at a site, the other one will continue to work and maintain connectivity to the other sites. See the attached image and imagine the center router as a cloud. I'll keep adding detail to this diagram and update it as I get a clearer idea of how this should be set up in the most efficient way!

If the routers are named R1, R2, and HQ, should my crypto maps look like this

crypto map R1R2 1 ipsec-isakmp
 description R1 to R2 tunnel
 set peer <R2 ISP 1 IP>
 set peer <R2 ISP 2 IP>
 set transform-set proposal1
 set pfs group1
 match address 111
!
crypto map R2HQ 1 ipsec-isakmp
 description R2 to HQ
 set peer <HQ ISP 1 IP>
 set peer <HQ ISP 2 IP>
 set transform-set proposal1
 set pfs group1
 match address 112
!

or do something like this

crypto map R1R2 1 ipsec-isakmp
 description R1 to R2 tunnel 1
 set peer <R2 ISP 1 IP>
 set transform-set proposal1
 set pfs group1
 match address 111
crypto map R1R2 2 ipsec-isakmp
 description R1 to R2 tunnel 2
 set peer <R2 ISP 2 IP>
 set transform-set proposal1
 set pfs group1
 match address 112

Or something completely different. I intend to use tunnel interfaces for each site-to-site VPN.

Cheers for the help!
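For reference, here is how the crypto-map variant of the question would have to be written to actually give peer failover. This is an added example, not configuration from the post or from any replier; the interface names, LAN subnets and ACL contents are assumptions, and the <...> placeholders are the ones the post already uses. Three points drive the shape of it: IOS allows only one crypto map set per interface, so all remote sites go into one map name with distinct sequence numbers; a crypto map entry is chosen by the first ACL match, so two entries whose ACLs cover the same traffic do not fail over to each other, and the second entry is simply never used; failover between a peer's two ISP addresses happens inside a single entry via multiple set peer lines, and only promptly if dead peer detection is enabled. The example also replaces pfs group1 (DH group 1, 768-bit MODP) with group 14.

```cisco
! Added example (not from the original post). Interface names, subnets and ACLs
! are assumptions; <...> placeholders are taken from the post.
! Shown for R1; R2 and HQ mirror it with their own peers and ACLs.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address <R2 ISP 1 IP>
crypto isakmp key <pre-shared-key> address <R2 ISP 2 IP>
crypto isakmp key <pre-shared-key> address <HQ ISP 1 IP>
crypto isakmp key <pre-shared-key> address <HQ ISP 2 IP>
! Dead peer detection: without it a dead primary peer is only noticed when the
! SA lifetime expires and the rekey to that address fails.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set proposal1 esp-aes 256 esp-sha-hmac
!
! One map name; one sequence number per remote site. Peers are tried in the
! order listed, so the second ISP address is used only when the first fails.
crypto map VPN 10 ipsec-isakmp
 description R1 to R2 (either R2 ISP)
 set peer <R2 ISP 1 IP>
 set peer <R2 ISP 2 IP>
 set transform-set proposal1
 set pfs group14
 match address 111
crypto map VPN 20 ipsec-isakmp
 description R1 to HQ (either HQ ISP)
 set peer <HQ ISP 1 IP>
 set peer <HQ ISP 2 IP>
 set transform-set proposal1
 set pfs group14
 match address 112
!
! Assumed LANs: R1 192.168.1.0/24, R2 192.168.2.0/24, HQ 192.168.0.0/24
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! The same map set on both ISP interfaces; each interface negotiates with its
! own address as the local identity, so the remote side must list both.
interface GigabitEthernet0/0
 description ISP 1
 crypto map VPN
interface GigabitEthernet0/1
 description ISP 2
 crypto map VPN
```

Even written this way, a crypto map only follows the local routing table: if the route to a peer address flips from ISP 1 to ISP 2, the SA is rebuilt from the new interface, and the remote side must accept either of this router's addresses as the peer. That is why the thread moves on to tunnel interfaces, where the redundancy lives in the routing protocol rather than in the crypto map.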

aheckman Mon, 09/27/2010 - 09:48

That looks like a great option; I was not aware of this feature. How would you suggest making use of both ISP links? In the example there, of course, they are using just one ISP link, so they have a gateway of last resort set.

I'm thinking maybe do an IP SLA monitor to check if one tunnel is up and then have it put in a second gateway of last resort with a higher metric...

Then I assume I can just put 2 different "tunnel source" commands under the Tunnel interface and it will roll between them automagically?

This seems a heck of a lot easier to setup!

Cheers!

Diego Armando C... Mon, 09/27/2010 - 10:25

I think you could use this guide

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml#dualhubdual

You would be using 2 DMVPNs

Thanks to the routing protocol you will be running, you can send the traffic to only one hub; if it fails, use the other hub. You will have to configure 2 tunnels per spoke.

The scenario is a little bit more complicated but so much better than using site-to-site VPN. Plus the routing will be in charge of the redundancy.

aheckman Mon, 09/27/2010 - 13:30

The main difference between "Dual Hub - Dual DMVPN Layout" and mine is that I only have 1 router at each site, and they have the site with 2 routers being their "Hub". For me, do you think that I could just make a standard DMVPN and use my HQ as the hub, and then do a second DMVPN and use one of the sites as the hub, thereby achieving kind of a mesh topology taking advantage of my dual ISP connections? I'm currently working on getting the first DMVPN set up with the HQ as the "hub" and having a bit of trouble with the VPN tunnel flapping up and down. When I have a chance I'll update my Visio and then post some configs, and maybe someone will have an idea as to why it is flapping...

Diego Armando C... Mon, 09/27/2010 - 13:48

Are you using a routing protocol?

If EIGRP, remember to put the no ip split-horizon eigrp X and the no ip next-hop-self eigrp X.

I am not sure, but I think you should be able to create the dual layout. You have a different interface with a different IP. Just configure the hub with 2 tunnels, with different IP addressing of course. This redundancy is only effective if the ISP fails, of course, because if for any reason the HUB router hardware fails, nothing is going to work.

Enrique Romero ... Mon, 09/27/2010 - 15:59

Hi, you can try a hub and spoke configuration; I think this is what you are looking for. I tried it 2 weeks ago and it worked great. If you need help to configure it, let me know.

Good Luck
