01-02-2004 10:09 AM - edited 03-09-2019 06:01 AM
We are currently running an IPSec/GRE based VPN network setup in a hub-and-spoke model. The hub site has redundancy via multiple T1 circuits and BGP routing. We would now like to also make the spoke sites redundant using low-cost broadband links. I am not sure how to do this when using GRE tunnels. Since my spoke sites would be using two different public IPs, I would somehow need to configure the tunnels at my spoke sites with two different source IPs and the tunnels at the hub site with two different destination IPs. Is this possible? Will I have to create two tunnel interfaces?
Thanks,
Diego
01-02-2004 11:27 AM
Diego,
If I understand this correctly, you want to have two links on the spoke router connected to two links on the hub router and have GRE/IPsec work across both.
The way I know we can do this is by using a loopback address for IPsec.
I am giving you an example of this:
R1|S0/0-------T1-------------S0/0 |R2
  |S0/1-------T1-------------S0/1 |

! Phase 1 (ISAKMP) policy and the pre-shared key for the remote loopback peer
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 5000
crypto isakmp key intersite1 address 10.36.141.129
! Dead peer detection: keepalive every 10 s, retry after 3 s
crypto isakmp keepalive 10 3
!
! Phase 2 transform set (ESP 3DES / MD5-HMAC with LZS compression)
crypto ipsec transform-set strong esp-3des esp-md5-hmac comp-lzs
!
! Source the IPsec SA from Loopback0 so the same SA is valid on either serial link
crypto map GRE-Tunnel local-address Loopback0
crypto map GRE-Tunnel 10 ipsec-isakmp
 set peer 10.36.141.129
 set transform-set strong
 match address 101
!
interface Loopback0
 description IPSEC loopback
 ip address 10.36.141.1 255.255.255.255
 no ip proxy-arp
!
! GRE tunnel between the two loopbacks; it stays up regardless of which T1 carries it
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 no ip proxy-arp
 no ip mroute-cache
 tunnel source Loopback0
 tunnel destination 10.36.141.129
!
! Both serial links carry the same crypto map
interface Serial0/0
 ip address 192.168.251.1 255.255.255.252
 no ip proxy-arp
 ip load-sharing per-packet
 service-module t1 clock source internal
 no cdp enable
 crypto map GRE-Tunnel
 crypto ipsec df-bit clear
!
interface Serial0/1
 ip address 192.168.251.5 255.255.255.252
 no ip proxy-arp
 ip load-sharing per-packet
 service-module t1 clock source internal
 no cdp enable
 crypto map GRE-Tunnel
 crypto ipsec df-bit clear
!
! Only GRE traffic between the two loopbacks is selected for encryption
access-list 101 permit gre host 10.36.141.1 host 10.36.141.129
! Two equal-cost static routes to the remote loopback, one per T1
ip route 10.36.141.129 255.255.255.255 192.168.251.2
ip route 10.36.141.129 255.255.255.255 192.168.251.6
I used the loopback as the tunnel source and the loopback on the remote site as the tunnel destination.
I have EIGRP to take care of the other routing, except for the above two static routes for getting to the loopback over two separate links. The config at the other end is similar to this one.
This config also load-balances across the two links if you would like to use per-packet load balancing.
Hope this will give you clues to solve your problem.
Thanks
Deepak
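Deepak says the other end is configured similarly, so the following is the matching configuration for R2 in his diagram. It is an added example, not part of Deepak's post: the loopback, serial and peer addresses are taken from R1's configuration (R2's serial addresses are the next hops R1's static routes point at), while the Tunnel0 address 172.16.1.2 (the other host in R1's /30), the EIGRP AS number 100 and the EIGRP network statement are assumptions.

```cisco
! R2 side of the two-T1 GRE-over-IPsec design (added example, mirrors R1)
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 5000
! Key is bound to R1's loopback, which is what R1 sources its SA from
crypto isakmp key intersite1 address 10.36.141.1
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac comp-lzs
!
crypto map GRE-Tunnel local-address Loopback0
crypto map GRE-Tunnel 10 ipsec-isakmp
 set peer 10.36.141.1
 set transform-set strong
 match address 101
!
interface Loopback0
 description IPSEC loopback
 ip address 10.36.141.129 255.255.255.255
 no ip proxy-arp
!
interface Tunnel0
 ! 172.16.1.2 is an assumption: the other host address in R1's 172.16.1.0/30
 ip address 172.16.1.2 255.255.255.252
 no ip proxy-arp
 no ip mroute-cache
 tunnel source Loopback0
 tunnel destination 10.36.141.1
!
interface Serial0/0
 ip address 192.168.251.2 255.255.255.252
 no ip proxy-arp
 ip load-sharing per-packet
 no cdp enable
 crypto map GRE-Tunnel
 crypto ipsec df-bit clear
!
interface Serial0/1
 ip address 192.168.251.6 255.255.255.252
 no ip proxy-arp
 ip load-sharing per-packet
 no cdp enable
 crypto map GRE-Tunnel
 crypto ipsec df-bit clear
!
! Mirror image of R1's crypto ACL: GRE from this loopback to R1's loopback
access-list 101 permit gre host 10.36.141.129 host 10.36.141.1
! Reach R1's loopback over either T1; these must stay static so the
! tunnel endpoint is never learned through the tunnel itself
ip route 10.36.141.1 255.255.255.255 192.168.251.1
ip route 10.36.141.1 255.255.255.255 192.168.251.5
!
! Assumed EIGRP stanza (AS 100 is a placeholder): advertise the tunnel
! subnet and site LANs, but not the IPsec loopbacks, to avoid recursive routing
router eigrp 100
 network 172.16.1.0 0.0.0.3
 no auto-summary
```

Both serial links on each side carry the same crypto map, and the SA is keyed to the loopbacks rather than to a serial address, so losing one T1 only removes one of the two static routes; the ISAKMP keepalive and the routing protocol running over Tunnel0 are what detect the failure.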
01-04-2004 08:05 AM
Does the hub site have more than one router for the multiple T1 links? Do the external routers terminating the circuits also terminate the GRE tunnels?
Will the spoke sites have a router for each link? Do you wish to provide redundancy only or load-balancing as well?
Cisco provides elegant and simple methods to accomplish this depending on the answers to those questions. DMVPN works great if the routers at the hub site do not terminate the tunnel. The hub site doesn't need any info about remote site IP addresses (great for DHCP broadband) because the spokes initiate the tunnels to the hub. Another benefit of DMVPN is that the spokes can send each other traffic directly without sending it to the hub, and no additional configuration is required.
IPSec can work in a redundant environment also by using standby addresses (via HSRP) as the source and RRI (reverse route injection) can take care of routing issues.
HSRP can play a role at the hub and spoke sites depending on the setup.
The config provided by the other poster is a start, but it would be difficult to use because of DHCP at the remote sites. Another issue is the per-packet load balancing. I recommend against this on the Internet because packets will arrive out of order and probably have a detrimental effect on throughput, especially in high packet loss environments like DSL/Cable.
For simplicity combined with ease at the spokes, I recommend that you use one link as the primary surfing link and the other as the primary tunnel link.
Another issue could be the terminating device for the broadband connection. If you have one of the low-end routers (Speedstream, Linksys, etc.) terminating the connections, a fully dynamic configuration may not be possible.
01-04-2004 07:45 PM
My main concern is link failure. I am not too worried about the hub site because I am using two (2) T1 circuits and BGP. Therefore the tunnel endpoint IP at the hub will always be consistent.
My big problem seems to be at the spoke sites. At the spokes I use a 1710 router with the e0 interface using a static public IP and the fa0 interface using a private IP. I have a broadband router on the private LAN that can NAT the private IP of fa0, but that IP is dynamic. I am now using pure IPsec tunnels that terminate on a PIX at the hub. Since the PIX accepts dynamic IPsec peers, I am good for the moment whether the spoke comes into the hub using the static, public e0 IP or the dynamic, NATed IP from the broadband router. My main problem there is how to define a GRE tunnel that uses dynamic IPs. It seems like I can't.
I am starting to think that maybe I can use GRE and the static IP for my main link and use a dynamic IPSec tunnel via the broadband as a backup.
Diego
PS
What is DMVPN? I have never heard of that.