Hello, I'm a student from Greece and I have a graduation project to set up a backup VPN between two universities. Primary communication is accomplished with leased lines. I have studied a lot, but now that it is time for implementation I have some considerations:
- What hardware and IOS software do I need? Is the Cisco 1841 OK for the A-D routers?
- Use IPsec tunnel mode or IPsec GRE transport mode?
- What will be the failover mechanism switching the traffic from the leased line to the IP backup VPN and the opposite? One professor told me something about interface priorities. I have read somewhere this is done with a routing protocol such as EIGRP. Who is right, the professor or the book? :-D
- At one site they have a firewall and NAT; do I need to do any actions for that?
The attached file contains the topology that I want to implement.
Site 1 "my" spoke
Site 2 Central Site
E communicates with A, but no traffic goes to A from E under normal circumstances. The subnet on E gets Internet access through F and then D. The VPN will be set up over DSL, but only traffic from a specific E source will go through the backdoor VPN (I believe the solution to this is ACLs on router A). They have no routing protocol on "my" site A, only directly connected routers and default routes.
How to implement this?
I think that the first thing I should do is A to D connectivity.
I'll try to make this in Packet Tracer first, but how can I emulate the SP network?
I will need any help I can get!!
Yup, you have got both the points correctly.
For point 1, 254 is the metric of the route. We specify a higher metric here because if both routes have the same metric then E will start load balancing between the two routes, and we want E to use the default route to A only as a backup. So, we specify the metric so that the default route to A is used only when the main default route (the default route to F) goes down.
I have attached a doc with the same example. I hope that helps.
In our scenario, since our primary connection is a direct leased line between E and F, I am assuming that there is no other network between the two routers. In this case we won't have to configure SLA monitoring or any interface priority. We can just enter two default routes:
ip route 254
In this scenario, if the leased line interface goes down, the second default route kicks in and the traffic would be routed through router A.
SLA monitoring monitors a connection (using ping tests) through one of the interfaces on the router, and when we are not able to ping some server (specified in the SLA configuration) through that interface, we change the default route to route the traffic through another interface.
So, in your scenario, we can monitor the link between E and F, and when the link goes down we can change the default route to point to A.
This is useful in the scenario when we have another ISP connection as our primary connection.
Here is a link on how to configure SLA monitoring on the router:
After configuring SLA monitoring using the above link you can link it to the default route using the following route command:
ip route track // main default route
ip route 255 // default route with a higher metric which kicks in when the main default route goes down
Also, the configuration example which you have given in the doc is almost correct, just that the transform set is missing a hash algorithm. Here is a link with an example for a LAN-to-LAN tunnel between two routers:
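The two pieces of advice in this thread (the floating default route with metric 254 on E, optionally tied to an IP SLA track, and a transform set that names both a cipher and a hash on A) put together as one worked IOS configuration. This is an added example, not the doc attached to the thread or anything from the replies above; every address, interface name, ACL name, map name and the pre-shared-key placeholder is assumed, and the IOS command syntax is the 12.4/15.x form.

```cisco
! ===== Router E (spoke LAN router) =====
! Primary default route over the leased line to F, watched by an IP SLA probe.
! When the probe fails, the tracked route is withdrawn and the floating
! default route (metric 254) toward A takes over; when the probe succeeds
! again, the primary route returns and A is no longer used.
! 10.0.0.2 = F's leased-line address, 192.168.1.1 = A's LAN address (assumed).
ip sla 1
 icmp-echo 10.0.0.2 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Main default route: only installed while track 1 is up
ip route 0.0.0.0 0.0.0.0 10.0.0.2 track 1
! Backup default route: higher metric, so it never load-balances with the primary
ip route 0.0.0.0 0.0.0.0 192.168.1.1 254

! ===== Router A (spoke VPN router, DSL toward D) =====
! Phase 1 (ISAKMP): peer D's public address 203.0.113.2 is assumed.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! REPLACE_WITH_STRONG_PSK is a placeholder, not a real key
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! Phase 2 transform set: an ESP cipher AND an ESP hash (esp-sha-hmac).
! Leaving out the hash is the omission pointed out above.
crypto ipsec transform-set TS-BACKUP esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Interesting traffic: only the one E-side source subnet that is allowed to
! use the backup VPN toward the central site's networks (addresses assumed).
ip access-list extended VPN-INTERESTING
 permit ip 10.10.20.0 0.0.0.255 10.20.0.0 0.0.255.255
!
crypto map MAP-BACKUP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-BACKUP
 match address VPN-INTERESTING
!
interface Dialer1
 crypto map MAP-BACKUP
```

To verify on E, `show track 1` shows the probe state and `show ip route 0.0.0.0` shows which default route is currently installed; on A, `show crypto isakmp sa` and `show crypto ipsec sa` show the phase 1 and phase 2 associations once interesting traffic has triggered the tunnel. Two caveats for the site that has a firewall and NAT: if router A also performs NAT on the DSL interface, the VPN-INTERESTING traffic has to be denied in the NAT access list, otherwise it is translated before encryption and never matches the crypto ACL; and the firewall in front of either peer has to allow UDP 500 (ISAKMP), UDP 4500 (NAT-T) and ESP (IP protocol 50) between the two VPN endpoints.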