
New Member

Backup for an IPSec tunnel over the Internet


I have a LAN-to-LAN IPSec tunnel over the Internet between two IOS routers. I'm trying to configure ISDN backup for the IPSec tunnel between the same routers. My problem is that for any router to make routing decisions, it has to know that the remote Internet connection is down, since this is not a point-to-point connection.



Re: Backup for an IPSec tunnel over the Internet

This is a frequently asked question on this forum. A quick search through some of the earlier postings (or use google to search the Usenet archive) would unearth a range of solutions and challenges. I have documented my two favorite approaches in a white paper on my web site, and will only highlight here what is stated much more clearly and in greater detail there.

The bottom line is that you are absolutely correct in your thinking so far. The first challenge is to detect that the link has failed. This can be done with either a GRE tunnel or with a routing protocol which does not require routers to be adjacent, such as BGP. The next step is to have an alternate path that can be used if the primary is detected to have failed. This can be another VPN (using an alternate service provider) or dial backup. The final, and oft neglected, step is consistent, routine monitoring and testing of the backup link to ensure that it gets fixed when it fails, so that you have a reasonable chance that it will still be working by the time you need it.

Good luck and have fun!

Vincent C Jones

New Member

Re: Backup for an IPSec tunnel over the Internet

Thanks Vincent,

Before I put the question on this forum, I saw your white papers. The solution is working with GRE over IPSec and EIGRP. The dialer watch is for the backup. Thanks anyway. The white papers are great!




Re: Backup for an IPSec tunnel over the Internet

I guess I don't understand your question then... If the solution is working, then what is not working?

Vincent C Jones

New Member

Re: Backup for an IPSec tunnel over the Internet

Hi Vincent,

What I meant to say was that the solution started to work after I read your white papers, made the EIGRP configuration (I chose EIGRP), eliminated static routing and, finally, got the ISDN backup working only when the tunnel between the two sites goes down (or when a physical problem at an ISP occurs), permitting the remote sites (connected via the Internet to both principal sites) to continue receiving EIGRP updates via ISDN.

Thanks anyway.
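
The design this thread settles on (GRE over IPSec carrying EIGRP, with dialer watch bringing up ISDN when the watched route disappears), as an added Cisco IOS configuration sketch for one of the two routers; it is not taken from the posters or from the white paper. Every address, name, key, AS number and dial string is a constructed placeholder, and the AES and DH group 14 settings assume an IOS image that supports them.

```cisco
! Added illustration: site A router. Peer public IP 203.0.113.2, remote LAN 10.2.0.0/24.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
! Encrypt only the GRE packets between the two public endpoints
access-list 110 permit gre host 198.51.100.1 host 203.0.113.2
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address 110
interface FastEthernet0/0
 description Internet uplink
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
! GRE tunnel gives EIGRP an adjacency whose loss signals a failed path
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
! Host route keeps the tunnel endpoint reachable via the ISP, not via the tunnel itself
ip route 203.0.113.2 255.255.255.255 198.51.100.254
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 10.255.0.0 0.0.0.3
 network 10.255.1.0 0.0.0.3
 no auto-summary
! Dialer watch: dial when the remote LAN route learned over Tunnel0 is withdrawn
dialer watch-list 1 ip 10.2.0.0 255.255.255.0
interface BRI0
 ip address 10.255.1.1 255.255.255.252
 encapsulation ppp
 dialer map ip 10.2.0.0 name SITE-B broadcast 5550100
 dialer map ip 10.255.1.2 name SITE-B broadcast 5550100
 dialer watch-group 1
 dialer-group 1
 ppp authentication chap
! EIGRP hellos must not count as interesting traffic, or the ISDN call never idles out
access-list 101 deny eigrp any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
```

Traffic sent over the ISDN link in this sketch is not covered by the crypto map, so whether the dial path needs its own protection is a separate decision.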

