A 2611 router is connected to the Internet through an Ethernet port to the ISP. It is also configured to allow VPN connections from remote clients.
The client is now worried that if the outside link to the ISP goes down, users on the Internet cannot connect through the VPN. He wants a backup link to the Internet in case the first link is down. But the problem is:
How do I configure the backup link to allow incoming VPN connections when the first link is down?
You need to terminate your VPN tunnels on a loopback IP address (e.g., crypto map map-name local-address lo1), and then you can configure two default routes (one with a higher AD pointing to the interface configured for the backup ISP), so that route is used when the primary link is down.
Basically, your loopback address will be up all the time, and routing will be done via the active ISP.
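The setup described in this answer, written out as an added IOS configuration example (not the poster's own config). The addresses are from the RFC 5737 documentation ranges and the names VPNMAP, DYNMAP, TS and Loopback0 are assumed; the wildcard pre-shared key is only to illustrate accepting remote clients with unknown source addresses. It assumes the loopback address (203.0.113.1) is public space that both ISPs route to this router; if the backup ISP will not route that prefix, clients would have to target the backup interface address instead and this trick does not work.

```cisco
! Loopback that all ISAKMP/IPsec traffic terminates on.
! Assumed address from RFC 5737 documentation space; it must be
! routable to this router over BOTH ISP links for failover to work.
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
! Primary ISP link (assumed addressing)
interface Ethernet0/0
 description Primary ISP
 ip address 192.0.2.2 255.255.255.252
 crypto map VPNMAP
!
! Backup ISP link (assumed addressing); the same crypto map is
! applied here so tunnels can be built over either interface.
interface Ethernet0/1
 description Backup ISP
 ip address 198.51.100.2 255.255.255.252
 crypto map VPNMAP
!
! Phase 1 policy and a wildcard pre-shared key so remote clients
! with dynamic addresses can connect (example key, replace it).
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ExamplePreSharedKey address 0.0.0.0 0.0.0.0
!
! Phase 2 transform set and a dynamic map for peers whose
! addresses are not known in advance.
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 10
 set transform-set TS
 reverse-route
!
! The key line from the answer: use the loopback as the local
! ISAKMP/IPsec address regardless of which physical interface
! the traffic arrives on.
crypto map VPNMAP local-address Loopback0
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
!
! Primary default route (AD 1) and a floating static via the backup
! ISP (AD 10). The backup route only enters the routing table when
! the primary route is withdrawn, i.e. when Ethernet0/0 goes down.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
```

Two things to check before relying on this: `show crypto isakmp sa` should list 203.0.113.1 as the local address of every SA, and with `show ip route` the 198.51.100.1 default route should appear only after the primary interface is shut. A floating static only reacts to the local interface going down; if the ISP fails further upstream while the Ethernet link stays up, the primary route stays in the table and nothing fails over, so in that case tie the primary route to an IP SLA object with `track` instead of relying on line protocol alone. When failover happens the existing SAs are not migrated; clients must re-establish them (DPD or ISAKMP keepalives make that happen faster).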
A permanent solution for link failure between your 2611 and the ISP is to have an HSRP standby group. I don't think just having a loopback address will solve your link failure problem. Rather, have another router connected to the same ISP and enable HSRP interface tracking so that if the first link goes down, the other can take over; in which case, the IPsec SAs created with the first router will be dropped and new SAs will be created with the second one.
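The two-router design this answer proposes, as an added example that is not the poster's configuration. It uses IOS stateless IPsec failover with HSRP: both routers sit on the same ISP-facing segment, share a virtual address that remote clients peer with, and the crypto map is bound to the HSRP group so the active router owns the VPN endpoint. Addresses are assumed from RFC 5737 space, and the group name VPNHA, the map VPNMAP and the interface names are assumed. Only the active router is shown; the standby router is identical except for its own interface address and a lower priority (and no preempt, unless you want the primary to take back over).

```cisco
! Outside interface of the primary router (assumed addressing).
! Both routers' Ethernet0/0 are on the same 192.0.2.0/24 ISP segment.
interface Ethernet0/0
 description Link to ISP
 ip address 192.0.2.2 255.255.255.0
 ! Virtual address that remote VPN peers connect to.
 standby 1 ip 192.0.2.10
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPNHA
 ! Interface tracking: if the inside link drops, lower the priority
 ! by 20 so the standby router (priority 100) takes over.
 standby 1 track Ethernet0/1 20
 ! Bind the crypto map to the HSRP group so ISAKMP/IPsec use the
 ! virtual address and only the active router terminates tunnels.
 crypto map VPNMAP redundancy VPNHA
!
! Inside interface (assumed addressing). A second HSRP group here
! gives LAN hosts a default gateway that follows the VPN endpoint.
interface Ethernet0/1
 description Inside LAN
 ip address 10.1.1.2 255.255.255.0
 standby 2 ip 10.1.1.1
 standby 2 priority 110
 standby 2 preempt
 standby 2 track Ethernet0/0 20
!
! Example crypto map; ISAKMP policy, keys and transform set are the
! same as on a single-router deployment and are omitted here.
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
```

With this in place `show standby brief` on each router shows which one is Active for group 1, and `show crypto isakmp sa` on that router lists 192.0.2.10 as the local address. If the active router's ISP link fails outright, its HSRP hellos stop on that segment and the standby takes over after the hold time; as the answer notes, the SAs do not survive the switch, so remote clients renegotiate with the new active router. The same caveat as before applies: an upstream failure that leaves the local Ethernet link up is not detected by interface tracking alone.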