VPN Concentrator vs Router for Site-to-Site VPN with failover
In creating a Partner / Site-to-Site VPN infrastructure with the ability to failover to another technology (i.e. ISDN, wireless, etc.) what is a good design for the head end device, Cisco VPN concentrator or Cisco router?
Keep in mind that partner / site-to-site locations may not use Cisco equipment.
Also note that although the Internet connectivity from the remote site may still be up, the VPN may be down (this is not acceptable as the remote site addresses are RFC1918).
Re: VPN Concentrator vs Router for Site-to-Site VPN with failover
The simplest solution is a VPN concentrator (or firewall) to terminate the VPNs and a router behind the concentrator to detect VPN failure and select an alternate path. Running both routing and IPSec on the router is possible, but makes the solution more complex and less manageable. The VPN concentrator probably does not have the routing smarts to choose an alternate route (unless also a VPN), and typically lacks the hardware to support alternate paths (such as ISDN dial around). Also keep in mind any security needs to control unauthorized traffic.
Good luck and have fun. You may find the Redundant IPsec whitepaper on my website of interest; compare the example configuration using a router for everything to the example configuration using a router and an external IPsec box.
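A sketch of the router-behind-the-concentrator design described in the reply above, added here as an illustration and not taken from the thread or the whitepaper it mentions. It assumes a Cisco IOS release with IP SLA and object tracking; every address and interface name is constructed for the example.

```cisco
! Constructed values (assumptions, not from the thread):
!   10.0.0.2      inside address of the VPN concentrator (primary next hop)
!   10.20.0.0/24  partner site's RFC1918 network
!   10.20.0.1     host at the partner site that answers ping
!   Dialer1       ISDN backup interface (dialer configuration not shown)
!
! Probe a private address that is reachable only through the tunnel, so the
! probe fails when the VPN is down even if the partner's Internet link is up.
ip sla 10
 icmp-echo 10.20.0.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Hold state changes for 30 s (down) and 60 s (up) to damp route flapping.
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! Pin the probe target to the VPN path so the probe never rides the backup
! link; otherwise it would succeed over ISDN and reinstall the primary route.
ip route 10.20.0.1 255.255.255.255 10.0.0.2
!
! Primary: partner network via the concentrator, installed only while the
! probe succeeds.
ip route 10.20.0.0 255.255.255.0 10.0.0.2 track 10
! Backup: floating static route (administrative distance 250) via ISDN,
! used only after the tracked primary route is withdrawn.
ip route 10.20.0.0 255.255.255.0 Dialer1 250
```

Traffic that arrives over the backup path bypasses the concentrator, so any filtering applied to partner traffic on the VPN path needs an equivalent access list on the dialer interface.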