Cisco Support Community

VPN Concentrator vs Router for Site-to-Site VPN with failover

In creating a Partner / Site-to-Site VPN infrastructure with the ability to failover to another technology (i.e. ISDN, wireless, etc.) what is a good design for the head end device, Cisco VPN concentrator or Cisco router?

Keep in mind that partner / site-to-site locations may not use Cisco equipment.

Also note that although the Internet connectivity from the remote site may still be up, the VPN may be down (this is not acceptable as the remote site addresses are RFC1918).

Thank you in advance for your replies.



Re: VPN Concentrator vs Router for Site-to-Site VPN with failover

The simplest solution is a VPN concentrator (or firewall) to terminate the VPNs and a router behind the concentrator to detect VPN failure and select an alternate path. Running both routing and IPSec on the router is possible, but makes the solution more complex and less manageable. The VPN concentrator probably does not have the routing smarts to choose an alternate route (unless also a VPN), and typically lacks the hardware to support alternate paths (such as ISDN dial around). Also keep in mind any security needs to control unauthorized traffic.

Good luck and have fun. You may find the Redundant IPsec whitepaper on my website of interest; compare the example configuration using a router for everything to the example configuration using a router and an external IPsec box.

Vincent C Jones
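As an added illustration of the design described in the reply above (this is not from the original thread or from the whitepaper it mentions), here is a Cisco IOS configuration for the router that sits behind the VPN concentrator. The router probes a host inside the partner's RFC1918 range, which is reachable only through the tunnel, so the probe fails when the VPN is down even if the Internet path is still up, which is exactly the failure case raised in the question. When the probe fails, the tracked static route is withdrawn and a floating static route brings up an ISDN dial-around. All addresses, interface names, the dial string, the CHAP peer name and the `ip sla` / `track` syntax (12.4-style IOS) are assumptions for this example.

```ios
! Constructed addressing for this example:
!   10.1.0.0/16        head-end LAN (behind this router)
!   192.168.100.2      VPN concentrator inside interface
!   10.50.0.0/16       partner LAN (RFC1918, only reachable via the tunnel)
!   10.50.0.1          partner host used as the reachability probe target

interface Ethernet0/0
 description Head-end LAN
 ip address 10.1.0.1 255.255.0.0

interface Ethernet0/1
 description To VPN concentrator inside interface
 ip address 192.168.100.1 255.255.255.0

! Backup path: ISDN dialer profile. Switch type, dial string and CHAP
! peer name are placeholders to be replaced with the carrier's values.
interface BRI0
 no ip address
 encapsulation ppp
 isdn switch-type basic-ni
 dialer pool-member 1
 ppp authentication chap

interface Dialer1
 description ISDN dial-around to partner site
 ip address 192.168.200.1 255.255.255.252
 encapsulation ppp
 dialer pool 1
 dialer remote-name PARTNER-RTR
 dialer string 5551234
 dialer-group 1
 ppp authentication chap
 ! Only partner-to-head-end traffic is accepted on the backup path,
 ! addressing the "control unauthorized traffic" point in the reply.
 ip access-group PARTNER-IN in

dialer-list 1 protocol ip permit

ip access-list extended PARTNER-IN
 permit ip 10.50.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 deny   ip any any log

! Probe a partner host across the tunnel every 10 seconds from the LAN
! address, so the echo traverses the same path as user traffic.
ip sla 1
 icmp-echo 10.50.0.1 source-ip 10.1.0.1
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now

! Dampen flapping: declare the tunnel down after 30 s of failures and
! wait 60 s of success before switching back.
track 1 ip sla 1 reachability
 delay up 60 down 30

! Pin the probe target to the concentrator path WITHOUT tracking, so the
! probe keeps testing the VPN after failover instead of succeeding over
! ISDN and flapping the route back.
ip route 10.50.0.1 255.255.255.255 192.168.100.2

! Primary route to the partner LAN via the concentrator, withdrawn when
! track 1 goes down; the higher-distance floating route via ISDN then
! takes over and triggers the dial.
ip route 10.50.0.0 255.255.0.0 192.168.100.2 track 1
ip route 10.50.0.0 255.255.0.0 Dialer1 250
```

The concentrator itself needs no routing intelligence in this layout: it only terminates the tunnel, and all path selection lives on the router. `show track 1` and `show ip route 10.50.0.0` show which path is active at any moment; the `deny ... log` entry on the backup path records anything that tries to use the dial-around without coming from the partner's range.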
