High Availability IPSEC Router

mikedelafield
Level 1

What level or model of routers would be required to deliver redundant IPsec services for up to 1000 connections?

I would like to set up 2 routers in failover (or active/active) to terminate these connections.

Anyone tried this before?

Any ideas?

2 Replies

chaitu_kranthi
Level 1

Hi Mike,

It would be good to use ASA firewalls instead of a Cisco router when there are 1000+ connections.

But I am attaching the list of the IPsec connection support in routers and ASA. Choose as per your company's budget.

Hope this may help you for better understanding.

Cost aside, there are several things you need to consider before deciding on the correct platform between ASA and IOS routers:

1- Are you going to use GRE/IPSec in the future? If the answer is yes, then ASA cannot do that.

2- Are you going to use either GETVPN or DMVPN? If the answer is yes, then ASA cannot do that.

3- Are you going to use VTI in the future? If the answer is yes, then ASA cannot do that.

4- Are you going to do some kind of load balancing of traffic over VPN, such as dual ISP? If the answer is yes, then ASA cannot do that.

5- Are you going to implement QoS on top of VPN? If the answer is yes, then ASA cannot do that.

7- Are you going to implement complex routing in addition to VPN? If the answer is yes, then ASA cannot do that.

On the other hand, if your VPN setup is a very simple one and you don't think it will change much in the future, then go with ASA. Also keep in mind that with ASA Active/Active, lan-2-lan VPN will not work, even though I keep hearing from Cisco that in a newer code release from Cisco (code name spiker), the ASA will support VPN in active/active mode.
