New Member

VPN on 1841 with dual internet connections

I have a Cisco 1841 at one of our remote sites that has a dual-homed internet connection. Planning on using PBR & IP SLA to use the internet connections in an Active/Standby pair, but also need to set up a VPN tunnel (actually a couple of tunnels) over the Active internet connection. Is this possible on the 1841s & 2811s, and if so, how would I go about setting it up?

Jeff

8 REPLIES
New Member

VPN on 1841 with dual internet connections

So I'm finding information on Cisco's VTI, just not sure if it is available on the 2800 & 1800 ISRs (running advsecurity). Does anyone know?

Re: VPN on 1841 with dual internet connections

Hi there,

I have attached for you the Cisco documentation under the heading "Static Virtual Tunnel Interface with IPsec: Example".

Basically a GRE over IPsec config example.

New Member

VPN on 1841 with dual internet connections

That looks good for the VTI configuration. Will this work in conjunction with PBR & IP SLA in a dual-ISP scenario? Trying to set up a primary and secondary ISP connection that can fail over automatically, yet still allow a VPN tunnel to function regardless of which ISP connection is the active one.

VPN on 1841 with dual internet connections

One method.

What you are trying to achieve using IP-SLA basically entails a default-route failover to the standby circuit when the primary ISP circuit fails. So please read the thread below, which shows how to set up a default-route failover from one physical interface to another.

https://supportforums.cisco.com/thread/2034251

Second method is:

You introduce a dynamic routing protocol (such as EIGRP) at both ends (sites), and your router peers over both circuits with the remote router.

When one circuit fails, the dynamic routing protocol will start using the second circuit.

Hope that helps.

thanks

New Member

VPN on 1841 with dual internet connections

At the moment, I have an active GRE tunnel from one site to the data center. If I use either the IP-SLA or dynamic routing, will I still be able to have the tunnel functioning? Given that the Tunnel interface has to have a source command set on it, wasn't sure if there would still be some manual intervention necessary to fail over connectivity.

VPN on 1841 with dual internet connections

"If I use either the IP-SLA or dynamic routing, will I still be able to have the tunnel functioning?"

Yes, in either case you can incorporate your existing tunnel as well.

With the existing GRE you use static routes to push traffic from both ends of the tunnels, and so, as far as IP-SLA is concerned, you use the GRE interfaces as primary and backup by manipulating a higher cost in the static route, as shown in the above thread.

Now, GRE tunnels when introducing a dynamic routing protocol into the equation. In this scenario your routing protocol will peer over the GRE tunnel interface IP addresses, which go over two separate circuits, and you increase the delay on one tunnel interface so that the other circuit will be preferred due to its lower delay. When that circuit (i.e. the lower-delay circuit) goes down, EIGRP will start using the backup circuit's GRE tunnel.

I hope that helps.

thanks

Rizwan Rafeek.
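
The two-GRE-tunnel EIGRP design described in the reply above, written out as branch-router IOS configuration (an added example, not part of the original thread or of the attached Cisco document). All addresses, the interface names, AS number 100, the names GRE-TS and GRE-PROT and the delay values are assumptions; the IKE policy and pre-shared keys are assumed to be configured already, and the data center is assumed to present one tunnel endpoint address per circuit.

```cisco
! Constructed example: all addresses use documentation/private ranges.
! ISP-A on Fa0/0 (next hop 198.51.100.1), ISP-B on Fa0/1 (next hop 203.0.113.1).
! Data center endpoints: 192.0.2.1 for the primary tunnel, 192.0.2.2 for the backup.
!
! GRE carries no encryption of its own, so both tunnels get IPsec protection.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! "delay" is in tens of microseconds; EIGRP prefers the lower total delay.
interface Tunnel0
 description Primary GRE to data center via ISP-A
 ip address 10.255.0.2 255.255.255.252
 delay 1000
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile GRE-PROT
!
interface Tunnel1
 description Backup GRE to data center via ISP-B
 ip address 10.255.0.6 255.255.255.252
 delay 2000
 tunnel source FastEthernet0/1
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile GRE-PROT
!
! Pin each tunnel's outer packets to its own circuit. The /32 statics also
! keep EIGRP from ever learning a tunnel endpoint through the tunnel itself.
ip route 192.0.2.1 255.255.255.255 198.51.100.1
ip route 192.0.2.2 255.255.255.255 203.0.113.1
!
! EIGRP forms neighbors only on the tunnels; the LAN is advertised but passive.
router eigrp 100
 network 10.255.0.0 0.0.0.7
 network 10.10.10.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
 no auto-summary
```

Mirror the delay values on the data center tunnel interfaces so return traffic prefers the same circuit. With both circuits up, `show ip eigrp neighbors` should list a neighbor on each tunnel and `show ip route` should point the data center prefixes at Tunnel0.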

VPN on 1841 with dual internet connections

Please rate helpful posts.

thanks

New Member

VPN on 1841 with dual internet connections

I believe that will work. Need to read through everything you've posted, and write the configurations up for our environment. Hopefully will have an opportunity to test it out this week.

Thanks again for the help!
