Cisco Support Community
Community Member

Design of redundant IPSec over GRE question (Routing)

I'm in the process of designing a secondary site-site VPN/GRE for my company so obviously if our primary Internet connection goes down (DS3), our secondary Internet connection (4xT1) would take over until the primary connection is restored.

I'm using two sets of hardware for this. Primary Internet connection A has an outside router that terminates the ISP circuit, the PIX in the middle will terminate the IPSec tunnels, and my inside router will terminate the GRE tunnels. Secondary Internet connection B is set up the same as A above.

Setting up IPSec on my secondary PIX to my remote sites is easy and poses no issues. However, I'm now thinking that when I create the GRE tunnels on my secondary inside router to my remote sites, OSPF will screw me over in that the advertised path cost to my remote sites will be less through my DS3, causing my GRE traffic to flow through my primary connection and not my secondary connection, where I want this traffic to flow.

Does anyone have any working suggestions as to how I can prevent my secondary GRE Tunnel traffic from following the primary path, outside of adding static routes at each end?

Can anyone share with me how this is accomplished in your business?



Hall of Fame Super Gold

Re: Design of redundant IPSec over GRE question (Routing)


I do not understand your question very well. As I understand your post you intend to have some remote sites with a primary connection and a backup connection. Both connections will be IPSec VPNs with GRE tunnels. You will run a dynamic routing protocol over the GRE tunnels. I have done an implementation pretty similar (except mine terminates the IPSec on a router instead of a PIX, and the router that terminates the IPSec is also the end point of the GRE tunnel, and I run EIGRP instead of OSPF).

What I do not understand is your comment about the secondary GRE tunnel traffic following the primary path. I am not sure whether you are talking about the flow of data traffic or the flow of routing protocol traffic.

I believe that this is what happens:

- when you configure the GRE tunnels (which operate like point to point connections) you assign an IP subnet to each tunnel.

- you configure OSPF on each tunnel. OSPF forms neighbor relationships on each tunnel. The OSPF HELLO messages for each tunnel flow only over that tunnel.

- the remote site advertises its resources over both OSPF tunnel interfaces. The routes advertised through the primary tunnel should be more attractive since they will have only the cost through the tunnel while the routes advertised through the secondary tunnel will have the cost through the tunnel plus the cost from the secondary site to the primary site. If that is not the case then you may need to increase the cost on the secondary tunnel.

- I assume that the primary site and the secondary site will advertise the same resources to the remote. The tunnel from primary should be more attractive since its metric is only the cost through the tunnel while the metric through the secondary tunnel is the tunnel cost plus the cost from primary to secondary. If not you may need to increase the cost on the secondary tunnel.

If there is a failure of the primary DS3 link then the OSPF advertisements through that tunnel will stop. OSPF will converge and all traffic will flow through the secondary tunnel.

If I have not understood something then you can clarify it.



Community Member

Re: Design of redundant IPSec over GRE question (Routing)

Hi Rick,

My concern is within your first bulleted item. I'm concerned that when I configure my GRE interfaces, you need to supply a destination address. If this destination address is found within the current OSPF routing table, my thought is that the packet will initiate through the primary DS3. My concern is the initial connection. The traffic can be controlled with the path cost.



Re: Design of redundant IPSec over GRE question (Routing)


Filter, with distribute list, the GRE source/destination address from being learnt via the primary DS-3 link.

You can't filter OSPF LSAs outbound, hence, configure a distribute list and apply it inbound to filter the GRE destination address from being learnt via the DS-3 interface.

! deny the GRE tunnel destination, allow everything else
access-list 5 deny host (gre_destination_addr)
access-list 5 permit any
!
router ospf 1
 ! applied inbound on the DS-3 facing interface so that OSPF never
 ! installs a route to the GRE destination learnt over the DS-3 path
 distribute-list 5 in (ds3_interface)



Hall of Fame Super Gold

Re: Design of redundant IPSec over GRE question (Routing)


In my experience with GRE tunnels any time that the tunnel destination may be learned through a dynamic routing protocol you have a potential issue with recursive routing. You need to make sure that the router has a route to the tunnel destination independent of - and more attractive than - the dynamic routing protocol.

In the implementation that I did I configure /32 static routes on both ends for the tunnel destination that assure that the router will route to the tunnel destination independent of the dynamic routing protocol. That has worked well for me.
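As an added example for the two points Rick makes above (raise the OSPF cost on the secondary tunnel, and give each router a /32 static route to its tunnel destination), here is a constructed configuration for the secondary inside router B from the original post. It is not configuration from anyone in this thread; all interface names, addresses and the assumed cost of router A's tunnel are made up.

```cisco
! Constructed illustration for the design in this thread (not from any post);
! every address is made up. Secondary inside router B at the head end:
!   Ethernet0  internal LAN shared with primary inside router A (OSPF area 0)
!   Ethernet1  link to PIX B, which terminates IPSec toward the remote PIX
!   Tunnel10   GRE to the remote inside router, whose PIX-facing address
!              10.3.0.2 is the GRE tunnel destination
!
interface Ethernet0
 description internal LAN (shared with primary inside router A)
 ip address 10.1.1.2 255.255.255.0
!
interface Ethernet1
 description toward PIX B inside interface (4xT1 path)
 ip address 10.2.0.2 255.255.255.252
!
interface Tunnel10
 description GRE to remote site 1 via PIX B
 ip address 10.255.2.1 255.255.255.252
 tunnel source Ethernet1
 tunnel destination 10.3.0.2
 ! higher cost than router A's tunnel (assumed cost 10) so that while the
 ! DS3 is up, routes learned from the remote prefer the primary tunnel
 ip ospf cost 100
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 network 10.255.2.0 0.0.0.3 area 0
!
! /32 static route to the tunnel destination via PIX B. Administrative
! distance 1 plus longest match beats anything OSPF learns for 10.3.0.2,
! e.g. a 10.3.0.0/30 advertised over the primary tunnel through router A,
! which would otherwise send B's GRE packets down the primary path or back
! into a tunnel (recursive routing).
ip route 10.3.0.2 255.255.255.255 10.2.0.1
!
! The remote inside router needs the mirror image: a /32 to 10.2.0.2 (this
! router's tunnel source) via its own PIX, and likewise a /32 to router A's
! tunnel source, so that neither tunnel endpoint is ever resolved via OSPF.
```

With the statics in place, OSPF still controls where user data goes (the tunnel costs), while the GRE packets themselves always leave through the PIX that owns the path.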


