VPN on 1841 with dual internet connections

Jeff Bull · ‎03-12-2012

I have an Cisco 1841 at one of our remote sites, that has a dual-homed internet connection. Planning on using PBR & IP SLA to use the internet connections in an Active/Standby pair, but also need to setup a VPN tunnel (actually a couple of tunnels) over the Active internet connection. Is this possible on the 1841's & 2811's, and if so, how would I go about setting it up?

Jeff

Jeff Bull · ‎03-14-2012

So i'm finding information on Cisco's VTI, just not sure if it is available on the 2800 & 1800 ISR's (running advsecurity). Does anyone know?

rizwanr74 · ‎03-14-2012

Hi there,

I have attached for you, Cisco documenation under the heading "Static Virtual Tunnel Interface with IPsec: Example"

Basically GRE over IPsec config example.

Jeff Bull · ‎03-14-2012

That looks good for the VTI configuration. Will this work in conjunction with PBR & IP SLA in a dual-ISP scenario? Trying to setup a primary and secondary ISP connection, that can fail over automatically, yet still allow a VPN tunnel to function regardless of which ISP connection is the active one.

rizwanr74 · ‎03-14-2012

One method.

Using IP-SLA you are trying to achieve is basically entail a default route-failover when primary ISP circuits fails to standby one. So please read the below thread, shows how setup a default route-failover from one physical interface to another.

https://supportforums.cisco.com/thread/2034251

Second method is:

You introduce a dynamic routing protocol (such as EIGRP) from both ends (sites) and your router peer from both circuits to remote router.

When one circuits fails and dynamic routing protocol will start using to second circuit.

Hope that helps.

thanks

Jeff Bull · ‎03-16-2012

At the moment, I have an active GRE tunnel from one site to the data center. If I use either the IP-SLA or dynamic routing, will I still be able to have the tunnel functioning? Given that the Tunnel interface has to have a source command set on it, wasn't sure if there would still be some manual intervention necessary to fail over connectivity.

rizwanr74 · ‎03-16-2012

"If I use either the IP-SLA or dynamic routing, will I still be able to have the tunnel functioning?"

Yes, in the either case you can incorporate your existing tunnel as well.

In the existing GRE you use static route to push traffic from both end of tunnels and so, as far as IP-SLA is concern you use GRE interfaces as primary and backup with manupulating higher cost in the static-route as shown in the above thread.

Now, GRE tunnels when introducing dynamic routing protoco into equvation. In this senario your routing protocol will peer over GRE tunnel's interface IP addresses which are going over two separate circuits and you increase the delay on the one tunnel interface so that other circuit will be prefered over due to lower delay. When that circuit (i.e. lower delayed circute) goes down, EIGRP will start will using the backup circuit GRE tunnel.

I hope that helps.

thanks

Rizwan Rafeek.

rizwanr74 · ‎03-18-2012

Please rate helpful post.

thanks

Jeff Bull · ‎03-19-2012

I believe that will work. Need to read through everything you've posted, and write the configurations up for our environment. Hopefully will have an opportunity test it out this week.

Thanks again for the help!