Cisco Support Community

New Member

two links to remote sites(one eigrp, one vpn)

I have an existing EIGRP link to a remote site; now I am setting up a VPN tunnel, ASA to ASA. Site A allows full access for site B, and site B allows full access for site A. If my EIGRP link goes down, can it take the VPN link?

How do I start the VPN link?

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: two links to remote sites(one eigrp, one vpn)

Paul

I am attaching a diagram for you; please have a look. This is what I would have done. Don't know if it reflects what your management wants. Keep it simple, not very complicated. If a site has multiple internet connections, use one. First step: get the network up and stable using one connection; once all your sites are converted, let it burn in for a few weeks before you add dual VPN GRE tunnels.

I can't really tell what would be best in your case, as I don't know the business your company is in or how things affect the users. All I can do is give a suggestion, which you may need to alter to suit your requirements and objectives.

Thanks

Nh

32 REPLIES
Bronze

Re: two links to remote sites(one eigrp, one vpn)

Hi,

Do you mean when the WAN link (EIGRP) is down?

Please describe your topology in more detail.

Thanks

Abd Alqader

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Abd,

We have 5 sites connected by E1 links running EIGRP, but each site has an ASA to provide access to the internet. Now we want to use all 5 ASAs to provide VPN site-to-site links as well, so that we have 2 links to each site, i.e. the ASA VPN link and the E1 link. Is it feasible to set up something like that? What about load balancing?

Thanks,

Paul

Re: two links to remote sites(one eigrp, one vpn)

Hi... You should be able to use failover by configuring the routers that are currently running EIGRP with static routes to the remote sites using a higher administrative distance than the routes learned by EIGRP. These routes will be used only when the EIGRP route is not present because the link is down. This design is called a floating static route.

Your static routes should point to your ASA's inside interface, and the EIGRP routers should be used as the default gateway for the respective sites.

I hope it helps.. please rate if it does!!!
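The floating static route described above, written out as an added example for the Site A LAN router (this is not configuration from the thread or its attachments; the EIGRP AS 100, the ASA inside address 192.168.9.1, the E1 subnet 172.16.212.0/30 and the interface names are assumptions; the LAN prefixes 192.168.9.0/24 and 192.168.8.0/24 are the ones that appear in the ASA output later in the thread):

```cisco
! Site A LAN router, IOS. Example added to this page; addresses below are assumed.
! Site A LAN: 192.168.9.0/24   Site B LAN: 192.168.8.0/24
! Site A ASA inside interface: 192.168.9.1   E1 to Site B: Serial0/2/0, 172.16.212.0/30
!
interface Serial0/2/0
 description E1 to Site B (primary path, learned by EIGRP)
 ip address 172.16.212.1 255.255.255.252
!
router eigrp 100
 network 192.168.9.0 0.0.0.255
 network 172.16.212.0 0.0.0.3
 no auto-summary
!
! Floating static route to Site B via the ASA inside interface.
! AD 200 is worse than EIGRP internal (90) and external (170), so the route
! is installed only once the EIGRP route to 192.168.8.0/24 is withdrawn.
ip route 192.168.8.0 255.255.255.0 192.168.9.1 200
!
! Verification (assumed output format, standard IOS):
!   show ip route 192.168.8.0      -> "D" via 172.16.212.2 while the E1 is up
!   shutdown Serial0/2/0, then     -> "S" via 192.168.9.1, AD 200
!   show ip eigrp neighbors        -> the Site B neighbor disappears when the E1 fails
```

Two practitioner caveats. First, the static route only takes over when the EIGRP route is actually withdrawn: if the E1 stays up but black-holes traffic, the switch-over waits for the EIGRP hold timer to expire on that interface. Second, the ASA crypto ACL and NAT exemption at both sites must match the two LAN prefixes (the thread's `local ident`/`remote ident` output shows exactly that), and Site B needs the mirror-image floating route, otherwise return traffic has no path when its own E1 is down.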

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi fernando,

thanks much for your help.

the setup looks somewhat like:

site a = site b = site c = site d = site e =back to site a

= denotes 2 links

All sites are connected in a circle, which means only when the two EIGRP links fail will the VPN tunnels kick in. Is it possible to do load balancing or route certain traffic through the VPN tunnels?

New Member

Re: two links to remote sites(one eigrp, one vpn)

Do you have routers behind the ASA at all the sites? If you do, use GRE tunnels over IPsec, very easy to do. Select one site as a hub site, say for example site A, and connect all the VPNs from the different sites to site A, so for VPN site A will become like a hub site, and terminate all the GRE tunnels on a router at site A behind the ASA. Now you can run any routing protocol over GRE. Cisco has lots of docs for GRE over IPsec.

nh

Re: two links to remote sites(one eigrp, one vpn)

Hi Paul,

I found your scenario quite interesting, hence I'm responding, though a bit late; however, I still guess it shall be worth discussing with you.

I'm sure that you can easily achieve the same thing with the help of peer-to-peer IPsec in GRE tunnels in a circle and then run dynamic routing to achieve load balancing / fault tolerance.

Also, I would be looking forward to EIGRP as the routing protocol, with a little tweaking in order to achieve the same.

I hope that this should work with ease.

Kindly rate if it helps.

Regards,

Wilson Samuel

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Samuel,

Thanks for your response; any info will be useful for me because I am very new and have to do a lot of reading to get things done. It is great because that's exactly what the management wants: VPN in a circle together with EIGRP.

May I know what kind of tweaking is necessary on the EIGRP?

Thanks much & Best regards,

Paul

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Nitish,

Thanks much for your help. All my routers are for the internal LAN, running EIGRP; only the ASA firewall has a connection to the public internet.

Are you saying I can configure the router at site A to tunnel through the ASA firewall and link to all the other sites' routers?

I am very interested in that.

Thanks much,

New Member

Re: two links to remote sites(one eigrp, one vpn)

Paul

Hi! Sorry I was late in answering, I was on vacation. Anyway, what you need to do is GRE. Here is the document; let me know if this helped you:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

You can create a mesh between sites if you implement GRE.

thanks

Nitish

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Nitish,

You have been very helpful. So your recommendation is using GRE rather than using the ASA to do site-to-site VPN?

Kind regards,

paul

New Member

Re: two links to remote sites(one eigrp, one vpn)

Paul

Hi! There are two parts to this solution. The first part is the ASA tunnel. The second part is the GRE tunnel.

You will have to create an IPsec (ASA) tunnel to the remote site. Once that is done, you will create a GRE tunnel from the remote site to the hub site. GRE allows you to run a routing protocol inside it, which can be used for failover.

R----ASA---INTERNET---ASA---Router

ASA to ASA, create an IPsec tunnel. From router to router, create a GRE tunnel which will run over the IPsec. When you are creating the IPsec, let the GRE be defined as interesting traffic for IPsec.

thanks

nitish
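The two-part design described above (ASA-to-ASA IPsec carrying a router-to-router GRE tunnel, with GRE as the only interesting traffic), written out as an added example. This is not configuration from the thread or its attachments. It uses the public endpoints 1.1.1.1 / 2.2.2.2, the LAN prefixes 192.168.9.0/24 and 192.168.8.0/24 and the tunnel subnet 192.168.10.0/30 that appear later in the thread; the ASA inside address 192.168.9.1, the router inside addresses 192.168.9.2 / 192.168.8.2, EIGRP AS 100, the object and map names, and the pre-8.3 ASA NAT syntax are assumptions. It also carries the EIGRP "tweaking" the thread comes back to later: the `bandwidth`/`delay` settings that keep the tunnel as a backup behind the E1.

```cisco
!=== Site A ASA (outside 1.1.1.1), ASA 8.x pre-8.3 syntax. Example added to this page.
! Interesting traffic is ONLY the GRE flow between the two LAN routers; the LAN
! prefixes ride inside GRE and are exchanged by EIGRP, so they are not listed here.
access-list L2L_GRE extended permit gre host 192.168.9.2 host 192.168.8.2
!
! Exempt the router-to-router flow from NAT so the crypto ACL matches it.
access-list NONAT extended permit ip host 192.168.9.2 host 192.168.8.2
nat (inside) 0 access-list NONAT
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_GRE
crypto map OUTSIDE_MAP 10 set peer 2.2.2.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5          ! strongest DH group 8.x offers; use 14+ on newer images
isakmp policy 10 lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key <long-random-psk>   ! placeholder; use a unique, random key per peer
!
!=== Site A LAN router (inside 192.168.9.2), IOS. Mirror on Site B with .8 and .10.2.
interface Tunnel0
 description GRE to Site B router, encrypted by the ASA-to-ASA IPsec SA
 ip address 192.168.10.1 255.255.255.252
 ip mtu 1400                  ! leave room for GRE + ESP overhead
 ip tcp adjust-mss 1360
 tunnel source 192.168.9.2
 tunnel destination 192.168.8.2
 keepalive 10 3               ! bring Tunnel0 down when the far end stops answering
 bandwidth 64                 ! as in the thread: E1s are 1984, so EIGRP prefers the E1
 delay 50000                  ! tens of microseconds; raises the tunnel metric further
!
! Recursive-routing guard: the tunnel endpoint 192.168.8.2 lies inside 192.168.8.0/24,
! which EIGRP will also learn THROUGH Tunnel0. This /32 (longest match) pins the
! endpoint to the ASA path so the tunnel cannot route its own packets into itself.
ip route 192.168.8.2 255.255.255.255 192.168.9.1
!
router eigrp 100
 network 192.168.9.0 0.0.0.255
 network 192.168.10.0 0.0.0.3
 no auto-summary
!
! Optional: force one host to always use the tunnel. A static /32 has AD 1 and wins
! over the EIGRP route even while the E1 is up.
ip route 192.168.8.50 255.255.255.255 Tunnel0
!
! Checks: "show ip eigrp neighbors" (one neighbor via Serial, one via Tunnel0),
! "show ip route 192.168.8.0" (E1 path preferred), ASA "show crypto ipsec sa"
! (pkts encaps/decaps counters increase when the E1 is shut).
```

Two points worth checking before relying on this. The crypto ACL now matches only the GRE host pair, so every prefix EIGRP advertises over Tunnel0 is reachable across sites without touching the ASA access lists: decrypted VPN traffic bypasses interface ACLs by default (`sysopt connection permit-vpn`), so inter-site access control moves to the routers, and the "full access both ways" the original question assumes becomes a routing fact rather than a firewall policy. And without the /32 for the far-end tunnel endpoint, the tunnel will flap with recursive-routing errors the first time the E1 fails and Tunnel0 becomes the best path to 192.168.8.0/24.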

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Nitish,

This sounds very interesting; I think I can get buy-in from the management. I will try this out.

Thanks much for your suggestion!

Best regards,

Paul

New Member

Re: two links to remote sites(one eigrp, one vpn)

Not a problem, Paul, hope it works for you. Meanwhile, since you are looking at this, also look at VTI (Virtual Tunnel Interfaces). This is a new concept Cisco has introduced which will replace GRE over IPsec from the firewalls by directly terminating the IPsec on a router which is capable of doing IPsec, thus eliminating the load on the FW and letting you do it in a cleaner way. The GRE will run on the same router; all you will have to do is allow IPsec to pass through your FW to the router.

thanks

nitish
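The VTI variant suggested above, as an added example (not configuration from the thread): the LAN router terminates IPsec itself on a tunnel interface, and the ASA only passes IKE and ESP to it. It assumes the Site A router's inside address 192.168.9.2 is 1:1 static-NATed by the ASA to a spare public address 1.1.1.2, that the Site B peer is reachable at 2.2.2.2, the ASA inside address 192.168.9.1, tunnel subnet 192.168.11.0/30, EIGRP AS 100 and the interface and profile names. All of those are assumptions.

```cisco
!=== Site A ASA, 8.x pre-8.3 syntax. Example added to this page.
! 1:1 translation for the LAN router and a pinhole for IKE (500/4500) and ESP.
static (inside,outside) 1.1.1.2 192.168.9.2 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit udp host 2.2.2.2 host 1.1.1.2 eq isakmp
access-list OUTSIDE_IN extended permit udp host 2.2.2.2 host 1.1.1.2 eq 4500
access-list OUTSIDE_IN extended permit esp host 2.2.2.2 host 1.1.1.2
access-group OUTSIDE_IN in interface outside
!
!=== Site A LAN router, IOS 12.4T-era syntax. IPsec terminates here, not on the ASA.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <long-random-psk> address 2.2.2.2   ! placeholder key
crypto isakmp keepalive 10 3                          ! DPD so the VTI drops on peer loss
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI_PROF
 set transform-set ESP-AES256-SHA
!
interface Tunnel1
 description IPsec VTI to Site B; routed interface, no GRE header, no crypto ACL
 ip address 192.168.11.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.168.9.2        ! inside address; the ASA NATs it to 1.1.1.2
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROF
 bandwidth 64                     ! keep it a backup behind the E1, as with GRE
!
! Reach the peer through the ASA, never through the tunnel itself.
ip route 2.2.2.2 255.255.255.255 192.168.9.1
!
router eigrp 100
 network 192.168.9.0 0.0.0.255
 network 192.168.11.0 0.0.0.3
 no auto-summary
!
! Checks: "show crypto session" (UP-ACTIVE), "show interface Tunnel1" (line protocol up
! only once the SA exists), "show ip eigrp neighbors" (neighbor via Tunnel1).
```

Because the router sits behind NAT, the peers negotiate NAT traversal and switch to UDP 4500, which is why that port is opened alongside 500 and ESP. The security trade is the same as with GRE over IPsec: whatever EIGRP advertises over Tunnel1 crosses the ASA encrypted and unexamined, so inter-site filtering belongs on the router interfaces, and the pre-shared key should be unique per peer and long enough not to be guessable offline from a captured IKE exchange.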

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Nitish and everyone,

I have done this setup according to your suggestion. I am not sure, but I believe it is working for the first 2 sites. I have attached the Visio 2003 file with configurations.

However, I am not very sure about the EIGRP portion, although I can see the GRE tunnel (192.168.10.2) being registered with EIGRP:

via 172.16.212.2 (1805056/28416), Serial0/2/0

via 192.168.10.2 (52802816/28416), Tunnel0

I just changed the bandwidth of the tunnel to 64 with respect to the rest of the E1 lines, which are 1984, and EIGRP just learned and inserted Tunnel0.

I can see this on the ASA:

local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)

current_peer: 2.2.2.2

#pkts encaps: 3111968, #pkts encrypt: 4314218, #pkts digest: 4314218

#pkts decaps: 913757, #pkts decrypt: 913757, #pkts verify: 913757

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 3111968, #pkts comp failed: 0, #pkts decomp failed: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

Some questions:

1) How do I add a specific route to point some device through the tunnel? I tried ip route x.x.x.x...tunnel0 but it doesn't seem to work.

2) How do I know which traffic is going through the tunnel?

3) How do I configure EIGRP to only choose this tunnel when all the routes have failed?

kind regards and thanks,

paul

Re: two links to remote sites(one eigrp, one vpn)

Hi Paul,

Good that you are able to communicate across the sites as of now.

However, may I request you to paste the sh ip route from either of the two routers, in order to ascertain that things are indeed going as planned.

1) How do I add a specific route to point some device through the tunnel? I tried ip route x.x.x.x...tunnel0 but it doesn't seem to work.

I would like this to be taken care of by EIGRP, i.e. in the event that the E1 goes down, EIGRP should route the traffic through this link.

2) How do I know which traffic is going through the tunnel?

Could be answered by looking at your routing table or by debug (the former being better).

3) How do I configure EIGRP to only choose this tunnel when all the routes have failed?

Ideally nothing, as EIGRP's metric counts on bandwidth and latency; hence the preferred route would always be the E1, and in case of E1 failure it would route to the tunnel interface.

I really look forward to the solution that you have got for it. If you are still looking for a solution, may I request you to paste the config from the router and ASA.

Looking forward to hearing from your side,

Kind Regards,

Wilson SAmuel

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Wilson and everyone,

Attached are the config files.

Why do I see "FD is Inaccessible"?

P 0.0.0.0/0, 0 successors, FD is Inaccessible

via 172.16.210.1 (3097600/2585600), Serial0/0/0

P 10.255.250.0/24, 0 successors, FD is Inaccessible

via 172.16.210.1 (3097600/2585600), Serial0/0/0

=============================================

Based on my EIGRP, how do I improve on it? Must I do anything?

Is it possible to have 2 internet links connected to the ASA, with 4 GRE tunnels tunnelling across the 2 ASA internet links?

Thanks and Best regards,

Paul

New Member

Re: two links to remote sites(one eigrp, one vpn)

Paul

Good stuff.

Question 1: You should be able to point some devices through the tunnel by using the ip route command; be sure, if you are pointing a host, to add 255.255.255.255 as the mask.

Question 2: Check your routing table. Let's say, for example, I want to check for the 172.16.170.0/24 network on the KSO router. Then on the KSO router I will type the command: show ip route 172.16.170.0

This will give you output as to which path the network is taking. Also look at the routing table; you will know which path is preferred.

Question 3: You don't need to configure EIGRP to choose a tunnel when your primary route has failed, because EIGRP will learn routes from 2 places: one, the E1 link, and second, the internet link.

On KSO do a show ip eigrp neighbors

You should see 2 neighbors, one through the tunnel, the other through the E1.

let me know if this helps

cheers

nh

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi everyone,

Really, thanks for the help. This morning I had my remote sites' (configured with GRE) E1 links all down, and the traffic actually took the tunnel; everything is so transparent.

Good and bad: the management is a bit excited, so they are asking for more:

1) We have 5 sites; now they are requesting to have each site with 4 GRE tunnels to all the sites.

2) On top of that, each site is to have 2 internet links connected via the ASA, so that traffic can be load balanced across the 2 internet links.

To be frank, I know nothing of that. Is it possible?

I will attach my configs for the current setup in my next mail.

Thanks much and regards,

paul

New Member

Re: two links to remote sites(one eigrp, one vpn)

Paul

Great news. But before you continue, please make sure that when you add the new tunnels you are not creating a mesh and loops; this will become very difficult to identify and solve later. Try to keep it simple; the best approach is to use a hub-and-spoke topology. If a site has 2 internet connections, try to use only one by putting static routes to the hub site on the FW. Let me know if you need anything else.

NH

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Nitish,

I hope I am getting you right:

1) Using a central site to create hub and spoke to the other 4 sites for the GRE.

2) If each site has 2 internet connections, use only 1.

Is that your recommendation? Because I need to come up with the new design.

Thanks and regards,

paul

Re: two links to remote sites(one eigrp, one vpn)

Hi Paul,

Yes, that's what he means.

In fact, we have more than 20 sites connected with MPLS as the main link and IPsec GRE tunnels as fallback, and I believe the best way to go ahead is the hub-and-spoke way, or else it will be too difficult for expansion and to troubleshoot.

Kind Regards,

Wilson Samuel

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Nitish, Samuel,

Thanks much for your suggestions. I will put this to the management.

If I am using the hub and spoke, does that mean the central site must have a bigger pipe? Can it be a single point of failure should the central site go down? If I am getting another router as a backup running "VRRP?", can this tunnel still work?

If the configuration is such that the tunnel goes around in a big circle connecting all the sites, is that possible?

Sorry for all the questions; I hope you guys don't run out of patience with me.

Thanks much and Best regards,

paul

New Member

Re: two links to remote sites(one eigrp, one vpn)

Paul

I need to understand what your current topology is. Please attach a diagram so I can get an idea. I don't think you will have to worry about a single point of failure, as this is supposed to be a backup connection to the existing connections you have. Your idea about a second router and VRRP (HSRP in Cisco terms) is good, for then you can have backup for the EIGRP (GRE) tunnels.

Please include the diagram so we can work on a stable design.

thanks

nh

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Nitish,

I will send you the diagram on Monday, as I am on training.

Thanks much and regards,

paul

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Nitish,

Attached is the current WAN diagram. Talking about the HSRP, my management is thinking of using the Cisco switches to do the HSRP and to create the tunnel; is that feasible?

Thanks much for your help.

Kind regards,

paul

New Member

Re: two links to remote sites(one eigrp, one vpn)

Paul

Thanks for the diagram. More questions:

1. Why are there so many redundant links? Are these only for redundancy, or does the business require that these paths exist? For example, KM3 has an E1 to KM1 and KJO.

To answer your question, I will need to know what type of switch you are buying.

thanks

nitish

New Member

Re: two links to remote sites(one eigrp, one vpn)

Hi Nitish,

Those links are for redundancy; do you have something in mind? I am interested to know that.

For core switches, we use 4000 and 3000 series switches.

I have another question: right now I have an IPsec site-to-site link from KSO to KJO, making use of the 2 sites' ASA public IP addresses. If I am going to configure the hub and spoke, must I create an IPsec site-to-site tunnel for all the sites? I do not understand this portion.

Kind regards,

paul

452 Views, 12 Helpful, 32 Replies