
VPN session load-balancing

Hello all

I have an upcoming project that will need to have load-balancing and failover for IPSEC. The sites are in Indiana and NJ. In NJ there will be 1 router that will support Indiana. In Indiana there are 2 1700 routers that have different ISP connections. If I set up HSRP between them I can have 1 GRE tunnel for the 192.168.x.x network on one 1700 and 1 GRE tunnel to the other 1700 router for the 10.10.x.x network. Is there a way to have session load balancing between them so both routers can equally balance the traffic?




Re: VPN session load-balancing

If you want to load balance the traffic on the ISP side, you need to get with your providers on how to best achieve that. The issues there involve whether your org. owns an IANA-assigned IP address space and maybe a BGP autonomous system ID.

With the IPSec connections, you can tie HSRP groups with IPSec crypto maps in IOS 12.2t and 12.3 code, but usually that is a failover, not a load balance mechanism. The idea of having one GRE tunnel to one net on one router, and the other net on the other router, will give you load-balancing, but not failover. Instead I would add OSPF to the config and advertise the same nets to both routers, using different metrics. That will achieve both your load balancing and failover goals. I would remove HSRP because all traffic will be directed to the active router; OSPF and GRE by themselves will accomplish your goals. HSRP can defeat them and it adds complexity to the mix.

I hope this helps.
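
The trade-off described in the reply above can be checked with a small route-selection model. This is an added example, not code or configuration from either poster; the router names R1 and R2, the /16 prefix lengths and the metric values are assumptions chosen for illustration.

```python
"""Constructed model of the three designs discussed in the thread.
Router names, prefix lengths and metric values are illustrative assumptions."""

PREFIXES = ("192.168.0.0/16", "10.10.0.0/16")

# design -> prefix -> {next-hop router: metric}; the lowest metric wins, as in OSPF.
DESIGNS = {
    # One GRE tunnel per network and no routing protocol.
    "static_split": {
        "192.168.0.0/16": {"R1": 10},
        "10.10.0.0/16": {"R2": 10},
    },
    # Both networks advertised over both tunnels, with mirrored metrics.
    "ospf_metrics": {
        "192.168.0.0/16": {"R1": 10, "R2": 100},
        "10.10.0.0/16": {"R1": 100, "R2": 10},
    },
}

def next_hop(design, prefix, up):
    """Return the lowest-metric router among those still up, or None."""
    candidates = {r: m for r, m in DESIGNS[design][prefix].items() if r in up}
    return min(candidates, key=candidates.get) if candidates else None

def hsrp_next_hop(up, priority=("R1", "R2")):
    """HSRP model: every prefix follows the single active router."""
    return next((r for r in priority if r in up), None)

def forwarding_table(design, up):
    """Map each prefix to the router that carries it for the given design."""
    if design == "hsrp":
        return {p: hsrp_next_hop(up) for p in PREFIXES}
    return {p: next_hop(design, p, up) for p in PREFIXES}

def summary(design):
    """Return (routers carrying traffic when both are up, prefixes lost if R1 fails)."""
    healthy = forwarding_table(design, {"R1", "R2"})
    degraded = forwarding_table(design, {"R2"})
    lost = [p for p, r in degraded.items() if r is None]
    return sorted(set(healthy.values())), lost

if __name__ == "__main__":
    for d in ("static_split", "hsrp", "ospf_metrics"):
        print(d, summary(d))
```

Only the `ospf_metrics` design uses both routers while healthy and still reaches every prefix after R1 fails.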