I'm in this situation:
- A VPN 3000 at the core.
- Spokes are Cisco IPsec routers on the Internet.
Some of these routers have two Internet gateways provided by two different ISPs.
The second gateway is used as a backup of the first Internet gateway.
When the spoke router goes to the Internet through the first gateway it has a public address IPADD_1 in the address space range provided by the first ISP (using static NAT).
When the spoke router goes to the Internet through the second gateway it has a public address IPADD_2 in the address space range provided by the second ISP (using static NAT).
I have configured the VPN with two LAN-to-LAN connections using IPADD_1 and IPADD_2 as endpoints, but I have problems when I set the same private network reachable by both IPsec tunnels.
Exactly, the following happens:
When I use the first ISP, all works fine because the first LAN-to-LAN connection is matched on the VPN.
When the first ISP goes down, the spoke tries to use the second ISP. But the second VPN LAN-to-LAN connection doesn't come up (unless I manually disable the first LAN-to-LAN connection). I have tried NAT configuration of the private networks to differentiate the destinations of the LAN-to-LAN connections. But it works only for traffic from spoke to core.
Does someone have a suggestion?
On the hub location this should be the configuration:
crypto map test 10 ipsec-isakmp
 match address 100
 set transform-set test
crypto isakmp keepalive 10
So if the first peer is not reachable, DPD will help bring the tunnel up with the 2nd peer. Ensure keepalives are present at both locations.
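As an added example (not configuration posted in this thread, and not the VPN 3000's own syntax), the IOS-only version of the two-path setup the question describes: the hub accepts the spoke under either of its two public addresses in a single crypto map entry, and the spoke runs periodic DPD and fails its default route over to the second uplink. HUB_IP, IPADD_1, IPADD_2, SECRET_KEY and all interface addresses are placeholders; the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are assumed. The IP SLA / track syntax assumes a 12.4 image; older images use `ip sla monitor` and `track ... rtr`.

```text
!=== HUB (IOS router standing in for the VPN 3000) ===
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Same key for both public addresses the spoke can appear from
crypto isakmp key 0 SECRET_KEY address IPADD_1
crypto isakmp key 0 SECRET_KEY address IPADD_2
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set test esp-3des esp-sha-hmac
! Hub LAN 10.0.0.0/16 <-> spoke LAN 192.168.10.0/24
access-list 100 permit ip 10.0.0.0 0.0.255.255 192.168.10.0 0.0.0.255
! ONE entry listing both peers: the hub negotiates with whichever
! address the spoke currently has, so there is no duplicate entry
! to disable by hand. reverse-route injects the spoke LAN into the
! routing table only while an SA exists, so it can be redistributed.
crypto map test 10 ipsec-isakmp
 set peer IPADD_1
 set peer IPADD_2
 set transform-set test
 match address 100
 reverse-route
interface FastEthernet0/0
 description Internet
 ip address HUB_IP 255.255.255.0
 crypto map test

!=== SPOKE (dual-homed IOS router) ===
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 SECRET_KEY address HUB_IP
! Periodic DPD: a dead hub or path is noticed within ~30 s
! (10 s interval x 3 retries). 'periodic' needs 12.3(7)T or later;
! without it IOS only sends DPD on demand, when traffic is queued.
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set test esp-3des esp-sha-hmac
access-list 100 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.255.255
crypto map test 10 ipsec-isakmp
 set peer HUB_IP
 set transform-set test
 match address 100
! The same crypto map on both uplinks; the active default route
! decides which interface sources the tunnel, hence whether the hub
! sees IPADD_1 or IPADD_2 after the ISP's static NAT.
interface FastEthernet0/0
 description ISP1 uplink (NATed to IPADD_1 by ISP1)
 ip address 198.51.100.2 255.255.255.252
 crypto map test
interface FastEthernet0/1
 description ISP2 uplink (NATed to IPADD_2 by ISP2)
 ip address 203.0.113.2 255.255.255.252
 crypto map test
! Primary default route via ISP1 is withdrawn when the probe to the
! ISP1 gateway fails; the floating static (AD 10) via ISP2 then takes
! over and the next DPD failure tears down the old SA so IKE restarts
! from the new source address.
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10
```

The piece that matters for the original problem is the hub side: the crypto map is one entry with a peer list, not two entries that both claim the same remote network. Whether the VPN 3000 can express the same thing (one LAN-to-LAN entry reachable from two addresses) is exactly what the thread is trying to establish; the IOS form above is only the reference behaviour.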
... the problem is the heterogeneous type of devices.
VPN concentrators are not IOS routers and Dead Peer Detection (I think) works only with a pair of IOS IPsec peers.
I agree ...
with VPN to VPN
with IOS to IOS
I'm able to manage backup peers (and paths).
But VPN to IOS ???
I've been trying to read up on VPN backup solutions and would like to figure out a way to learn routes through my VPN and then use that VPN to get to that network. Any suggestions?
Did you check IPsec Reverse Route Injection? Or do you want to check the remote network's health? Then probably you can do a VTI and advertise the remote LAN over the tunnel interface.
Let me know if I am off the mark.
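The VTI approach mentioned above, as an added example that is not part of the original post: an IOS spoke builds one IPsec VTI per uplink towards the hub and runs OSPF across both, so the hub LAN is learned as a route rather than matched by a crypto ACL, and the tunnel whose OSPF adjacency dies simply stops attracting traffic. All addresses, the key and the hub's two tunnel endpoints are placeholders (documentation ranges assumed). VTI needs IOS 12.3(14)T or later; note also that ASA/PIX 7.x had no VTI or routed-tunnel interface, so this is a router-to-router design.

```text
! Spoke router. Hub terminates two VTIs at HUB_IP (assumed reachable
! from both uplinks). Because a VTI is a real point-to-point
! interface, OSPF multicast hellos cross it without any 'neighbor'
! statements; a crypto-map tunnel would need unicast OSPF instead.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 SECRET_KEY address HUB_IP
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS

! Tunnel over ISP1 (preferred, lower OSPF cost)
interface Tunnel1
 description VTI to hub via ISP1
 ip address 10.255.1.2 255.255.255.252
 ip ospf cost 10
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 tunnel source FastEthernet0/0
 tunnel destination HUB_IP
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF

! Tunnel over ISP2 (backup, higher OSPF cost)
interface Tunnel2
 description VTI to hub via ISP2
 ip address 10.255.2.2 255.255.255.252
 ip ospf cost 100
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 tunnel source FastEthernet0/1
 tunnel destination HUB_IP
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF

interface FastEthernet0/0
 description ISP1 uplink
 ip address 198.51.100.2 255.255.255.252
interface FastEthernet0/1
 description ISP2 uplink
 ip address 203.0.113.2 255.255.255.252

! Host routes to the hub endpoint pin each tunnel to its own uplink,
! so both IKE sessions can exist at once from different source
! addresses instead of both following the default route.
ip route HUB_IP 255.255.255.255 198.51.100.1
ip route HUB_IP 255.255.255.255 203.0.113.1 10
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10

router ospf 1
 router-id 10.255.1.2
 network 10.255.1.0 0.0.0.3 area 0
 network 10.255.2.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/1
```

With the second host route to HUB_IP floating at AD 10, the backup tunnel only comes up once ISP1's gateway route is gone; if you want both tunnels up permanently for a faster OSPF-driven failover, replace it with policy routing or VRF-lite so each tunnel source has its own path to HUB_IP. The 15-second OSPF dead interval, not DPD, is what decides failover time here.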
I was thinking that was my answer but I haven't done any VTI IPsec tunnels yet and was going to spend some time this weekend working with that idea. Right now my client has a fairly large VPN network with a product line called SonicWall which has been great for them because of its centralized management. But its uptime is terrible. I was trying to find out what the full capabilities of the ASA/PIX 7.x software are. I really would like to put those at the edge instead of a router connected to the Internet with a firewall feature set.
Has anyone used the ASA/PIX 7.0 in this manner? Are they capable of doing VPNs like the VTI links, with the ability to run OSPF over the VPN tunnels?
Appreciate any answers, more questions to think about, etc.
Something like this: unicast OSPF over an IPsec VPN tunnel?
I am not very much aware of VPN concentrators but I think they do allow for dead peer detection. It will be well worth a try and I think it should work. Let me know how it goes.
On the spoke router I configure:
crypto isakmp keepalive 10
On the hub VPN 3000, in the
"Configuration | User Management | Groups" menu,
I select the groups related to the LAN-to-LAN connections and check IKE Keepalives.
Unfortunately it doesn't work.
It works only if I manually disable the primary LAN-to-LAN connection on the VPN 3000.