I have a customer with the following requirements: a central site and 10 remote sites. He wants to do IPSec VPN from the remote sites to the central site over the Internet. That's fine. Should the Internet connection become unavailable, the customer wants the VPN devices to switch to ISDN dial from the remotes to the central site without user intervention. What I have in mind is IKE keepalive and Dead Peer Detection, and possibly GRE. The issue is that the VPN device needs to recognize a dead IPSec tunnel and signal another device to do the ISDN dial (the only reasonable solution would be to use IOS routers in HSRP for that: one is the VPN device, the other is the ISDN router).
Try running EIGRP with authentication over the VPNs, and use floating static routes with an admin distance higher than that of internal EIGRP to bring up the ISDN. I recently had it running between 1720s and the ISDN came up within about 10 secs of the VPN interface going down.
I haven't actually used Dead Peer Detection, so I'm not sure on that score.
I can send the configs if you wish, as a base to start from.
I would go with the GRE tunnels (vs. IKE keepalive) and allow a routing protocol to determine that the IPSEC tunnel is down and use DDR (if you can) to connect the ISDN. Then once the Internet connection becomes available, traffic should fail back over. You don't have that ability with IKE keepalives, and the path will stay on the ISDN line until a new SA is required or you do a manual failover. Using the GRE tunnels with a routing protocol should automate everything you are looking for. This assumes you are using something like a 2600 series router that has both WAN interfaces.
This can be achieved without GRE. If both of your routers have a serial and an ISDN interface, then, should the serial go down, the routing protocol's keepalives (for example OSPF) trigger the ISDN to dial. I already have that kind of situation with another customer, and it works perfectly.
What I need now is for the serial interface (for the VPN connection) to be on one router and the ISDN interface on another router...
How do you run a routing protocol across an IPSEC tunnel? IPSEC tunnels only forward unicast traffic. Therefore you need the GRE tunnels to run a routing protocol across an IPSEC tunnel. If you run a routing protocol between the VPN device and the ISDN device, the metrics should take care of which link gets used. Albeit, you may need to front-end this solution with another router, or, like you said, run HSRP.
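A remote-site sketch of the design suggested in the replies above (authenticated EIGRP over a GRE tunnel protected by IPsec, with a floating static route to the ISDN dialer), added here as an example and not taken from any poster's configuration. It assumes a single router holding both the serial and BRI interfaces; all addresses, names, the EIGRP AS number and the `<...>` placeholders are constructed, and the BRI physical settings and the CHAP `username` entry are site-specific and left out.

```cisco
! Added example: remote-site router with both WAN and ISDN interfaces.
! Addresses are constructed (RFC 5737 / RFC 1918); <...> values are placeholders.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
! Encrypt only the GRE packets between the two public addresses
access-list 110 permit gre host 198.51.100.10 host 192.0.2.1
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set GRE-TS
 match address 110
!
key chain EIGRP-KEYS
 key 1
  key-string <EIGRP-KEY>
!
! GRE carries the EIGRP multicast hellos that plain IPsec would not forward
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 tunnel source Serial0
 tunnel destination 192.0.2.1
!
interface Serial0
 ip address 198.51.100.10 255.255.255.252
 crypto map VPN
!
interface Dialer1
 ip address 10.255.1.2 255.255.255.252
 encapsulation ppp
 dialer pool 1
 dialer string <CENTRAL-ISDN-NUMBER>
 dialer-group 1
 ppp authentication chap
!
! EIGRP runs on the tunnel and the LAN only, never on the dialer
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.1.10.0 0.0.0.255
 no auto-summary
!
! Keep the tunnel endpoint reachable via the Internet link only
ip route 192.0.2.1 255.255.255.255 Serial0
! Floating static: AD 200 > internal EIGRP (90), so it is installed only
! when the EIGRP route learned over Tunnel0 disappears
ip route 10.0.0.0 255.255.255.0 Dialer1 200
dialer-list 1 protocol ip permit
```

When the tunnel neighbor returns, the EIGRP route (distance 90) replaces the floating static and traffic moves back to the VPN without a manual failover.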