I have an upcoming project that will need to have load-balancing and failover for IPSEC. The sites are in Indiana and NJ. In NJ there will be 1 router that will support Indiana. In Indiana there are 2 1700 routers that have different ISP connections. If I set up HSRP between them I can have 1 GRE tunnel for the 192.168.x.x network on one 1700 and 1 GRE tunnel to the other 1700 router for the 10.10.x.x network. Is there a way to have session load balancing between them so both routers can equally balance the traffic?
If you want to load balance the traffic on the ISP side, you need to get with your providers on how to best achieve that. The issues there involve whether your org. owns an IANA assigned IP address space and maybe a BGP autonomous system ID.
With the IPSec connections, you can tie HSRP groups with IPSec crypto maps in IOS 12.2T and 12.3 code, but usually that is a failover, not a load balance mechanism. The idea of having one GRE tunnel to one net on one router, and the other net on the other router will give you load-balancing, but not failover. Instead I would add OSPF to the config and advertise the same nets to both routers, using different metrics. That will achieve both your load balancing and failover goals. I would remove HSRP because all traffic will be directed to the active router; OSPF and GRE by themselves will accomplish your goals. HSRP can defeat them and it adds complexity to the mix.
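
The OSPF-over-GRE arrangement suggested in the reply above, sketched as an added IOS configuration that is not part of the original thread. All addresses, interface names, VLAN IDs and the two LAN prefixes (stand-ins for the poster's 192.168.x.x and 10.10.x.x networks) are constructed, each Indiana router is assumed to have an interface in both LANs, and the IPsec protection of the tunnels is left out.

```cisco
! IN-A: Indiana 1700 on the first ISP (constructed values throughout)
interface Tunnel0
 description GRE to NJ
 ip address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 203.0.113.1
!
interface FastEthernet0.10
 description LAN 192.168.1.0/24, preferred through IN-A
 encapsulation dot1Q 10
 ip address 192.168.1.2 255.255.255.0
 ip ospf cost 10
!
interface FastEthernet0.20
 description LAN 10.10.1.0/24, backup through IN-A
 encapsulation dot1Q 20
 ip address 10.10.1.2 255.255.255.0
 ip ospf cost 100
!
! Only tunnel and LAN prefixes are in OSPF. The public tunnel endpoints
! stay out of it so the tunnel destination is never learned via the tunnel.
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
 network 10.10.1.0 0.0.0.255 area 0
!
! IN-B: same layout on the second ISP with tunnel address 172.16.0.5,
! tunnel source 198.51.100.1, and the two LAN costs swapped
! (cost 100 on 192.168.1.0/24, cost 10 on 10.10.1.0/24).
!
! NJ: one tunnel per Indiana router, tunnel costs left equal
interface Tunnel0
 description GRE to IN-A
 ip address 172.16.0.2 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 192.0.2.1
!
interface Tunnel1
 description GRE to IN-B
 ip address 172.16.0.6 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
!
router ospf 1
 network 172.16.0.0 0.0.0.7 area 0
```

With both tunnels up, `show ip route ospf` on the NJ router should list each LAN prefix through a different tunnel; when one tunnel's OSPF adjacency drops, both prefixes converge onto the remaining tunnel.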