Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
285
Views
3
Helpful
1
Replies

2620 to 2620 VPN or Tunnel?

admin_2
Level 3
Level 3

‎02-11-2003 11:23 AM - edited ‎02-21-2020 12:20 PM

Hello,

I am attempting to determine if the following is possible and if it is, can anyone help me out?

I have two Cisco 2620 routers that are connected via a Frame Relay circuit. I route IP traffic through them as well as VoIP. On "Router1" I have a point-to-point connection to the Internet and on "Router2" I have an ADSL WIC connected to a ISP. What I'd like to do is use the Internet as a "failover" connection so that if my Frame Relay connection ever goes down, I can use the Internet as my "DBU", but instead this wouldn't dial up since it is ADSL and not ISDN or some other dial up scheme.

From all the docuementation I've read, I have come up to a dead end. I don't know if I need a PIX firewall or a VPN module in my routers or ? I don't have the funds to purchase much equipment, so I was hoping to do this with the routers I already have. I have found a Cisco document entitled "Cisco - Configuring IPSec with EIGRP and IPX Using GRE Tunneling" While this document comes close to what I'm trying to do it falls short.

Labels:
0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎02-11-2003 07:01 PM

Yep, this is possible. Best way to do it is to create a GRE/IPSec tunnel and run a routing protocl over it, make it whatever routing protocol you run on your current network. Increase the routing metric over this GRE interface so that the routers only find the routes over the tunnel in the event there's nothing better. Your IPSec tunnel will always be up in this situation, but will only ever be used if your better route (your Frame Relay link) goes down.

Conversely, you can create a GRE/IPSec tunnel, don't run a routing protocol over it (so it's not up all the time, saving you money if you pay for your ISP circuits by the data rate), and add a floating static route that has a higher metric than your FR routes. The gateway/next hop for the static route will be the IP address of the other end of the tunnel interface. Redistribute this static into your routing protocol and you're off and running. again, this floating static will only ever be put into the routing table when the better route (the FR link) is not there.

You shouldn't need a VPN module for this, assuming you're not sending too much data over the tunnel. You don't need a PIX either. All you need is a crypto image on the routers.

Customers Also Viewed These Support Documents