We are currently running an IPSec/GRE-based VPN network in a hub-and-spoke model. The hub site has redundancy via multiple T1 circuits and BGP routing. We would now like to also make the spoke sites redundant using low-cost broadband links. I am not sure how to do this when using GRE tunnels. Since my spoke sites would be using two different public IPs, I would somehow need to configure the tunnels at my spoke sites with two different source IPs and the tunnels at the hub site with two different destination IPs. Is this possible? Will I have to create two tunnel interfaces?
Does the hub site have more than one router for the multiple T1 links? Do the external routers terminating the circuits also terminate the GRE tunnels?
Will the spoke sites have a router for each link? Do you wish to provide redundancy only or load-balancing as well?
Cisco provides elegant and simple methods to accomplish this depending on the answers to those questions. DMVPN works great if the routers at the hub site do not terminate the tunnel. The hub site doesn't need any info about remote site IP addresses (great for DHCP broadband) because the spokes initiate the tunnels to the hub. Another benefit of DMVPN is that the spokes can send each other traffic directly without sending it to the hub, and no additional configuration is required.
IPSec can work in a redundant environment also by using standby addresses (via HSRP) as the source and RRI (reverse route injection) can take care of routing issues.
HSRP can play a role at the hub and spoke sites depending on the setup.
The config provided by the other poster is a start, but it would be difficult to use because of DHCP at the remote sites. Another issue is the per-packet load balancing. I recommend against this on the Internet because packets will arrive out of order and probably have a detrimental effect on throughput, especially in high packet loss environments like DSL/cable.
For simplicity combined with ease at the spokes, I recommend that you use one link as the primary surfing link and the other as the primary tunnel link.
Another issue could be the terminating device for the broadband connection. If you have one of the low-end routers (Speedstream, Linksys, etc.) terminating the connections, a fully dynamic configuration may not be possible.
My main concern is link failure. I am not too worried about the hub site because I am using two (2) T1 circuits and BGP. Therefore the tunnel endpoint IP at the hub will always be consistent.
My big problem seems to be at the spoke sites. At the spokes I use a 1710 router with the e0 interface using a static public IP, and the fa0 interface uses a private IP. I have a broadband router on the private LAN that can NAT the private IP of fa0, but that IP is dynamic. I am now using pure IPSec tunnels that terminate on a PIX at the hub. Since the PIX accepts dynamic IPSec peers, I am good for the moment whether the spoke comes into the hub using the static, public e0 IP or the dynamic, NATed IP from the broadband router. My main problem there is how to define a GRE tunnel that uses dynamic IPs. It seems like I can't.
I am starting to think that maybe I can use GRE and the static IP for my main link and use a dynamic IPSec tunnel via the broadband as a backup.
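The design the thread converges on (the original question of whether two tunnel interfaces are needed, the DMVPN suggestion in the answer, and the poster's final idea of GRE over the static address as primary with the broadband link as backup) written out as Cisco IOS configuration. This is an added example, not configuration from any of the posters. It assumes an IOS router rather than the PIX terminating the tunnels at the hub, with the hub's consistent public address being 203.0.113.1; a 1710 spoke with e0 at 198.51.100.10/30 (upstream next hop 198.51.100.9) and fa0 at 192.168.1.2 on the 192.168.1.0/24 LAN, where the broadband NAT router is 192.168.1.1; EIGRP AS 100 as the tunnel routing protocol; and an IOS release that supports DMVPN spokes behind NAT (IPsec transport mode with NAT-T). All addresses are documentation ranges and all names and keys are placeholders.

```cisco
! ---- HUB: one IOS router, static WAN address 203.0.113.1 (assumed) ----
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! wildcard PSK: spoke addresses are dynamic/NATed, so the hub cannot list them
crypto isakmp key 0 SpokeKey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! Cloud A (network-id 1, tunnel key 1): spokes register over their static link
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 ip nhrp authentication nhrpA
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF shared
!
! Cloud B (network-id 2, tunnel key 2): spokes register over broadband/NAT.
! delay is in tens of microseconds; tunnels default to 5000, so 6000 makes
! EIGRP prefer Cloud A and fall back to Cloud B only when it goes away.
interface Tunnel1
 ip address 10.255.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 6000
 ip nhrp authentication nhrpB
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-PROF shared
!
router eigrp 100
 network 10.255.0.0 0.0.1.255
 network 10.0.0.0 0.0.255.255
 no auto-summary
!
! ---- SPOKE: 1710, e0 static 198.51.100.10, fa0 = LAN 192.168.1.2 (assumed) ----
! crypto policy, transform-set and profile identical to the hub; the key is
!   crypto isakmp key 0 SpokeKey address 203.0.113.1
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication nhrpA
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 tunnel source Ethernet0
 tunnel destination 203.0.113.1
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
interface Tunnel1
 ip address 10.255.1.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 delay 6000
 ip nhrp authentication nhrpB
 ip nhrp map 10.255.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 2
 ip nhrp nhs 10.255.1.1
 tunnel source FastEthernet0
 tunnel destination 203.0.113.1
 tunnel key 2
 tunnel protection ipsec profile DMVPN-PROF
!
! Tunnel1 packets carry fa0's private source address; without this they would
! follow the default route out e0 and be dropped upstream. Steer router-generated
! traffic from 192.168.1.2 to the broadband NAT router (192.168.1.1, assumed).
ip access-list extended VIA-BROADBAND
 permit ip host 192.168.1.2 host 203.0.113.1
route-map VIA-BROADBAND permit 10
 match ip address VIA-BROADBAND
 set ip next-hop 192.168.1.1
ip local policy route-map VIA-BROADBAND
!
ip route 0.0.0.0 0.0.0.0 198.51.100.9
router eigrp 100
 network 10.255.0.0 0.0.1.255
 network 192.168.1.0
 no auto-summary
```

The answer to the two-interface question is yes: each spoke gets one GRE tunnel per uplink, and because both point at the same hub address, each pair is distinguished by `tunnel key` and kept apart by a separate NHRP network-id; the hub's two multipoint tunnels share one WAN source, which is what the `shared` keyword on `tunnel protection` is for. The hub never needs the spoke's broadband address because the spoke registers with NHRP over both tunnels, and IKE/IPsec on the broadband path runs through the third-party NAT router via NAT-T. Failover is purely routing: the higher `delay` on both Tunnel1 interfaces makes EIGRP carry traffic over the static link and switch to the broadband tunnel only when the Tunnel0 neighbour drops, which avoids the out-of-order problem the answer raises against per-packet load balancing. Verify on either side with `show dmvpn`, `show ip nhrp` and `show crypto ipsec sa` (the spoke's Tunnel1 peer on the hub should show the NATed public address and UDP 4500), and note that a wildcard pre-shared key means every spoke shares one secret; certificates are the cleaner choice once more than a handful of spokes exist.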