redundant GRE tunnels

tato386
Level 6

We are currently running an IPSec/GRE based VPN network setup in a hub-and-spoke model. The hub site has redundancy via multiple T1 circuits and BGP routing. We would now like to also make the spoke sites redundant using low-cost broadband links. I am not sure how to do this when using GRE tunnels. Since my spoke sites would be using two different public IPs, I would somehow need to configure the tunnels at my spoke sites with two different source IPs and the tunnels at the hub site with two different destination IPs. Is this possible? Will I have to create two tunnel interfaces?

Thanks,

Diego

3 Replies

deepakrd
Level 1

Diego,

If I understand this correctly you want to have two links on spoke router connected to 2 links on hub router work with gre/ipsec.

The way I know we can do this is using a loopback address for IPSEC.

I am giving you an example of this:

R1 |S0/0-------T1-------------S0/0| R2
   |S0/1-------T1-------------S0/1|

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 5000
crypto isakmp key intersite1 address 10.36.141.129
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac comp-lzs
!
crypto map GRE-Tunnel local-address Loopback0
crypto map GRE-Tunnel 10 ipsec-isakmp
 set peer 10.36.141.129
 set transform-set strong
 match address 101
!
interface Loopback0
 description IPSEC loopback
 ip address 10.36.141.1 255.255.255.255
 no ip proxy-arp
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 no ip proxy-arp
 no ip mroute-cache
 tunnel source Loopback0
 tunnel destination 10.36.141.129
!
interface Serial0/0
 ip address 192.168.251.1 255.255.255.252
 no ip proxy-arp
 ip load-sharing per-packet
 service-module t1 clock source internal
 no cdp enable
 crypto map GRE-Tunnel
 crypto ipsec df-bit clear
!
interface Serial0/1
 ip address 192.168.251.5 255.255.255.252
 no ip proxy-arp
 ip load-sharing per-packet
 service-module t1 clock source internal
 no cdp enable
 crypto map GRE-Tunnel
 crypto ipsec df-bit clear
!
access-list 101 permit gre host 10.36.141.1 host 10.36.141.129
!
ip route 10.36.141.129 255.255.255.255 192.168.251.2
ip route 10.36.141.129 255.255.255.255 192.168.251.6

I used tunnel source as loopback and tunnel destination as loopback on remote site.

I have EIGRP to take care of other routing, except for the above two static routes for getting to the loopback over two separate links. Config at the other end is similar to this one.

This config also load balances across the two links if you like to use per-packet load balancing.

Hope this will give you clues to solve your problem.

Thanks

Deepak
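The design above only fails over cleanly if several pieces of the config agree with each other: the crypto map is bound to the loopback that sources the tunnel, the crypto ACL selects GRE between the two loopbacks, the crypto map sits on both WAN interfaces, and a host route to the remote loopback exists via each link. The following checker is an added example written for this thread, not code from the poster or from Cisco. It embeds a trimmed, re-indented copy of the posted config as constructed sample input, parses the show-run style text (assumption: sub-commands are indented by one space, as `show running-config` prints them), verifies those invariants, and also flags the legacy algorithms (3DES, MD5, DH group 2) in the ISAKMP policy and transform set. The function and finding names are my own.

```python
import ipaddress
import re

# Constructed sample: the posted spoke config, trimmed and re-indented
# the way `show running-config` prints it (one leading space per sub-command).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key intersite1 address 10.36.141.129
crypto ipsec transform-set strong esp-3des esp-md5-hmac comp-lzs
crypto map GRE-Tunnel local-address Loopback0
crypto map GRE-Tunnel 10 ipsec-isakmp
 set peer 10.36.141.129
 set transform-set strong
 match address 101
interface Loopback0
 ip address 10.36.141.1 255.255.255.255
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.36.141.129
interface Serial0/0
 ip address 192.168.251.1 255.255.255.252
 crypto map GRE-Tunnel
interface Serial0/1
 ip address 192.168.251.5 255.255.255.252
 crypto map GRE-Tunnel
access-list 101 permit gre host 10.36.141.1 host 10.36.141.129
ip route 10.36.141.129 255.255.255.255 192.168.251.2
ip route 10.36.141.129 255.255.255.255 192.168.251.6
"""


def parse_ios(text):
    """Split show-run text into global one-liners and {block header: [sub-commands]}.
    Assumption: a sub-command is any line indented by at least one space."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
            continue
        current = line.strip()
        blocks.setdefault(current, [])
    globals_ = [h for h, cmds in blocks.items() if not cmds]   # headers with no body
    return globals_, {h: cmds for h, cmds in blocks.items() if cmds}


def _first(cmds, pattern):
    """First capture group of `pattern` matched against any command, else None."""
    for c in cmds:
        m = re.match(pattern, c)
        if m:
            return m.group(1)
    return None


def check_dual_link_gre(text):
    """Return findings; 'LEGACY:' ones are algorithm notes, the rest break fail-over."""
    globals_, blocks = parse_ios(text)
    findings, local, map_name = [], None, None
    for g in globals_:
        m = re.match(r"crypto map (\S+) local-address (\S+)", g)
        if m:
            map_name, local = m.groups()
    if local is None:   # without this, IPsec binds to each WAN address and dies with the link
        return ["no 'crypto map ... local-address': IPsec is not bound to the loopback"]
    local_ip = _first(blocks.get(f"interface {local}", []), r"ip address (\S+)") or "?"
    entries = [c for h, c in blocks.items()
               if re.match(rf"crypto map {re.escape(map_name)} \d+ ipsec-isakmp$", h)]
    isakmp_peers = {m.group(1) for g in globals_
                    for m in [re.match(r"crypto isakmp key \S+ address (\S+)", g)] if m}
    set_peers = {p for c in entries for p in [_first(c, r"set peer (\S+)")] if p}
    acls = {a for c in entries for a in [_first(c, r"match address (\S+)")] if a}
    wan = {h: c for h, c in blocks.items()
           if h.startswith("interface ") and f"crypto map {map_name}" in c}
    if len(wan) < 2:
        findings.append(f"crypto map {map_name} is on {len(wan)} interface(s); two are needed")
    for header, cmds in blocks.items():
        if not header.startswith("interface Tunnel"):
            continue
        src, dst = _first(cmds, r"tunnel source (\S+)"), _first(cmds, r"tunnel destination (\S+)")
        if src != local:   # tunnel and IPsec must share the loopback as their endpoint
            findings.append(f"{header}: tunnel source {src} is not the crypto local-address {local}")
        if dst not in isakmp_peers or dst not in set_peers:
            findings.append(f"{header}: {dst} is not both an ISAKMP key address and a 'set peer'")
        if not any(re.match(rf"access-list {a} permit gre host {re.escape(local_ip)} host {re.escape(dst)}$", g)
                   for a in acls for g in globals_):
            findings.append(f"{header}: no crypto ACL line 'permit gre host {local_ip} host {dst}'")
        # a host route to the remote loopback is needed via each link, or a failure leaves no path
        hops = {m.group(1) for g in globals_
                for m in [re.match(rf"ip route {re.escape(dst)} 255\.255\.255\.255 (\S+)", g)] if m}
        for wan_if, wan_cmds in wan.items():
            addr = _first(wan_cmds, r"ip address (\S+ \S+)")
            net = ipaddress.ip_network(addr.replace(" ", "/"), strict=False) if addr else None
            if net is None or not any(ipaddress.ip_address(n) in net for n in hops):
                findings.append(f"{wan_if}: no static route to {dst} via this link")
    policy = [c for h, cmds in blocks.items() if h.startswith("crypto isakmp policy ") for c in cmds]
    for line in policy + [g for g in globals_ if g.startswith("crypto ipsec transform-set ")]:
        if set(re.split(r"[\s-]+", line)) & {"des", "3des", "md5"} or line in ("group 1", "group 2"):
            findings.append(f"LEGACY: '{line}' uses an algorithm or DH group no longer considered strong")
    return findings


if __name__ == "__main__":
    for f in check_dual_link_gre(SAMPLE_CONFIG) or ["all dual-link invariants hold"]:
        print(f)
```

Run against the sample, the checker reports no structural findings and four LEGACY notes; delete one of the two `ip route` lines or the `crypto map` on one serial interface and it names the link that would no longer carry the tunnel.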

shannong
Level 4

Does the hub site have more than one router for the multiple T1 links? Do the external routers terminating the circuits also terminate the GRE tunnels?

Will the spoke sites have a router for each link? Do you wish to provide redundancy only or load-balancing as well?

Cisco provides elegant and simple methods to accomplish this depending on the answers to those questions. DMVPN works great if the routers at the hub site do not terminate the tunnel. The hub site doesn't need any info about remote site IP addresses (great for DHCP broadband) because the spokes initiate the tunnels to hub. Another benefit of DMVPN is that the spokes can send each other traffic directly without sending it to the hub, and no additional configuration is required.

IPSec can work in a redundant environment also by using standby addresses (via HSRP) as the source and RRI (reverse route injection) can take care of routing issues.

HSRP can play a role at the hub and spoke sites depending on the setup.

The config provided by the other poster is a start, but it would be difficult to use because of DHCP at the remote sites. Another issue is the per-packet load balancing. I recommend against this on the Internet because packets will arrive out of order and probably have a detrimental effect on throughput, especially in high packet loss environments like DSL/Cable.

For simplicity combined with ease at the spokes, I recommend that you use one link as the primary surfing link and the other as the primary tunnel link.

Another issue could be the terminating device for the broadband connection. If you have one of the low-end routers (Speedstream, Linksys, etc.) terminating the connections, a fully dynamic configuration may not be possible.
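The reordering point is easy to see with a small model. The simulation below is an added example for this thread, not code from either poster: one TCP flow leaves the spoke at a fixed interval, `per-packet` alternates packets across two links with different one-way delays (what `ip load-sharing per-packet` does), while `per-destination` hashes the flow onto one link. It then counts packets the hub receives behind a higher sequence number and, with a simplified receiver model, how often three duplicate ACKs would accumulate from reordering alone, which is the signal a TCP sender treats as loss. The delays, interval and flow key are constructed values.

```python
import hashlib

# Constructed flow key: the two loopbacks from the thread, only used as hash input.
FLOW_KEY = b"10.36.141.1|10.36.141.129"


def deliver(n_packets, interval_ms, link_delays_ms, policy):
    """Return the sequence numbers in the order the far end receives them.

    policy: 'per-packet'      -> round-robin over links (ip load-sharing per-packet)
            'per-destination' -> hash of the flow picks one link for every packet
    """
    n_links = len(link_delays_ms)
    flow_link = int(hashlib.sha256(FLOW_KEY).hexdigest(), 16) % n_links
    arrivals = []
    for seq in range(n_packets):
        link = seq % n_links if policy == "per-packet" else flow_link
        arrivals.append((seq * interval_ms + link_delays_ms[link], seq))
    arrivals.sort()                      # earlier arrival first; ties keep send order
    return [seq for _, seq in arrivals]


def count_reordered(order):
    """Packets that arrive after a higher sequence number was already seen."""
    high, reordered = -1, 0
    for seq in order:
        if seq < high:
            reordered += 1
        else:
            high = seq
    return reordered


def spurious_fast_retransmits(order):
    """Times a receiver's duplicate ACKs reach three with no loss at all
    (simplified model: cumulative ACK, out-of-order data buffered)."""
    expected, buffered, dupacks, triggers = 0, set(), 0, 0
    for seq in order:
        if seq == expected:              # in-order: advance past anything already buffered
            expected += 1
            while expected in buffered:
                buffered.remove(expected)
                expected += 1
            dupacks = 0
        elif seq > expected:             # hole ahead of us: receiver repeats its last ACK
            buffered.add(seq)
            dupacks += 1
            if dupacks == 3:
                triggers += 1
                dupacks = 0
    return triggers


if __name__ == "__main__":
    for policy in ("per-packet", "per-destination"):
        order = deliver(20, 10, [20, 100], policy)
        print(policy, "reordered:", count_reordered(order),
              "spurious fast retransmits:", spurious_fast_retransmits(order))
```

With a 20 ms and a 100 ms link, per-packet spreading reorders nine of twenty packets and trips the duplicate-ACK threshold once at the start of the flow; the same flow pinned to one link arrives in order. Real DSL and cable paths add jitter and loss on top, which is why the post recommends per-destination (or a primary/backup split) rather than per-packet balancing.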

My main concern is link failure. I am not too worried about the hub site because I am using two (2) T1 circuits and BGP. Therefore the tunnel endpoint IP at the hub will always be consistent.

My big problem seems to be at the spoke sites. At the spokes I use a 1710 router with the e0 interface using a static public IP and the fa0 interface uses a private IP. I have a broadband router on the private LAN that can NAT the private IP of fa0 but that IP is dynamic. I am now using pure IPSec tunnels that terminate on a PIX at the hub. Since the PIX accepts dynamic IPsec peers I am good for the moment whether the spoke comes into the hub using the static, public e0 IP or the dynamic, NATed IP from the broadband router. My main problem there is how to define a GRE tunnel that uses dynamic IPs. It seems like I can't.

I am starting to think that maybe I can use GRE and the static IP for my main link and use a dynamic IPSec tunnel via the broadband as a backup.

Diego

PS

What is DMVPN? I have never heard of that.
