We are using Cisco 831 routers at our remote locations to provide site to site VPN connectivity back to our data center (full tunnel). At our data center we have a pair of Cisco 2691 routers running in a High availability configuration using HSRP. All our remote locations terminate their VPN tunnel on the HSRP address of the 2691's in our data center. We are using static crypto maps on both the remote and data center routers. In addition, we are employing reverse route injection (RRI) to facilitate the dynamic route additions (which in turn get redistributed via OSPF to our enterprise core). This design has been implemented and is working as expected.
We are now interested in adding dial backup (via ISDN) functionality to this design. We are planning on using 17XX and 26XX routers at remote locations that require dial backup. Each location would have a ISDN circuit and our data center would have a 3640 with a PRI interface to terminate a PRI circuit. Basically in the event of primary (Ipsec VPN tunnel) link failure we want the remote router to dial around the Ipsec cloud and connect directly to the 3640 in our data center. Encryption over this link is NOT a requirement as this is basically a private network connection (ISDN)at that point.
In order to accomplish the DDR I would like to implement this as a typical DDR scenario where we run a routing protocol out to the remote (preferably OSPF) and use floating static routes to point to the BRI interface, at the remote, with a higher cost. I am fully aware that at this point I will need to run GRE over IPSEC in this scenario (due to the broadcast based OSPF, etc.). Once the primary link fails the default route (over the primary link) is withdrawn and the static takes precedence. This would be a typical of tradition WAN DDR design.
I have not implemented this design yet because Im not sure of a couple of things. Notably Im not sure if this is a good design or if it will actually work since I cant find any documentation that depicts running GRE/IPSEC and HSRP all at the same time. Can we run GRE and use HSRP as the tunnel endpoint. Does it make sense to even do this? I would like to NOT have to rearchitect my existing sites that are using Cisco 831s since I have no reason to run GRE out to these sites. I am concerned about the overhead (etc.) of GRE on these routers.I am also a bit concerned about using GRE in the first place. I have read several FAQs and articles that mention some issues with fragmentation (specifically the DF bit) and its potential impact on applications (Web browsing, etc.). Is there any valid cause for concern in using GRE from a compatability standpoint?
Any help, comments or direction would certainly be more than appreciated.
I have attempted to run both HSRP and GRE on the same router with miserable results. Unfortuantely the dynamics of my situation prevent me from doing this. I have an HSRP group defined on my external ethernet interface (fast0/1) and have a crypto map redundancy group defined on this interface. If you try to also associated this crypto map with the tunnel interface the IOS will not allow you to do so. Just more undocumented features I suppose.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...