New Member

Redundant VPN?

Hi all,

Tried to post a similar question a few days ago but I don't think it went through. I have an ASA5510, also have a 2851 with three multilinked T1s, and a T1 from a separate provider on a 1700. What I would like to do is have the extra T1 as a failover for the multilinked T1s in the (unfortunately rather common) case that they go down.

From what I've read I could do this simply by having the extra T1 on a separate interface and adding an ip route 0.0.0.0 0.0.0.0 with that IP and a higher priority.

However, I also run a vpn tunnel to our datacenter, and I would like this to failover as well on the backup T1.

From what I've read it seems possible to do this with a loopback interface, though I have no clue how to set that up.

Any assistance is much appreciated!

Thanks,

Dan

5 REPLIES
Hall of Fame Super Silver

Re: Redundant VPN?

Hello Dan,

you need to do the following:

use GRE tunnels inside IPSec

you build two GRE tunnels: the first travels inside the primary link/IPsec SA, the second inside the secondary link/IPsec SA

the two IPSec SA need to use different IP endpoints.

Using GRE allows you to run a routing protocol inside the tunnels (typically EIGRP or OSPF are used), so that a router inside the ASA can use the secondary GRE when the adjacency over the primary is lost.

But this would work if there is another router internal to the ASA.

However, you need two different IP endpoints: one, the current one, that is routable via the primary ISP on the 3xT1 bundle; the second that is routable via the backup T1.

The devices that could do this job better are the two external routers themselves: if they have a common segment they could run the same routing protocol used over the GRE tunnels.

In this way the ASA would be just the firewall with no involvement in routing.

I'm not an expert on ASA so my suggestions are more router focused.

Hope to help

Giuseppe

New Member

Re: Redundant VPN?

Giuseppe,

Thanks for the help. Not quite sure I get it though. I found the following article, which unfortunately doesn't make complete sense to me, but at least the concept seems right. Could I do it this way?

http://www.wr-mem.com/?p=113

Thanks,

Dan

Hall of Fame Super Silver

Re: Redundant VPN?

Hello Dan,

the article explains a possible setup when the border router connecting to two ISPs is only one.

In your case the routers connecting to the two ISPs are different.

You can think to adapt the example using the ASA.

But you need two different endpoints on the ASA side that are routed via the two different ISPs so that the two IPsec SAs can stay up.

Then you also need a way to use the primary as long as it is up.

This is the reason for the suggested GRE tunnels: to have a logical object that can be the next-hop/outgoing interface for traffic; the IPsec crypto map is more like an ACL than an interface.

Hope to help

Giuseppe

New Member

Re: Redundant VPN?

Giuseppe,

Thanks again for your help. Unfortunately I'm not familiar with GRE, barely with making an IPSec tunnel. Seems if I am going to do this I have some reading to do to catch up on it.

So I could not just have two separate IPsec tunnels going between the two ASAs? That way I could even load balance, maybe?

Thanks again for the help.

Dan

Hall of Fame Super Silver

Re: Redundant VPN?

Hello Dan,

the problem of an IPsec-only solution is the lack of routing control:

think of IPsec crypto maps as equivalent to ACLs: they define what is the interesting traffic to be encrypted.

The interesting traffic is that between internal LAN ip subnets:

you can build a solution where the first IPsec SA is used as long as it is alive. I don't think you can achieve load balancing:

traffic is encrypted over the first IPsec SA and the other one can be up but idle.

If the first SA is broken, you can probably achieve failover to the second SA.

The GRE tunnels allow you to have an interface that can be referenced in a routing table, and so you can even achieve load-balancing if desired.

But I don't know if ASA can do this.

I see that the ASA can be smarter than routers in managing IPsec tunnels: the ASA has the concept of tunnel groups.

see

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1113843

see the section

"Configuring LAN-to-LAN Connection Profiles"

But I'm not sure; this looks like it is just there to make configuration tasks easier.

Hope to help

Giuseppe
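As an added example (not part of the original thread, and not configuration from either poster), this is one way to realize the design Giuseppe describes in IOS: two point-to-point GRE tunnels, each protected with IPsec via `tunnel protection` and each sourced from a different ISP-facing address, with EIGRP running across both tunnels and across the segment the two branch routers share. The backup tunnel carries a higher EIGRP `delay`, so its routes lose while the primary adjacency is up and take over when the primary EIGRP hold timer expires. This also answers Dan's earlier question about making the VPN follow the backup T1: the routing protocol, not the crypto map, decides which tunnel carries traffic. Hostnames, interface names, the AS number, all addresses (RFC 5737 documentation ranges) and the `<PSK-...>` placeholders are assumptions and must be replaced; the ASA is assumed to sit on the 10.1.1.0/24 segment with its default route toward R1 and is not shown.

```cisco
! ---- R1: branch primary border router (2851, MLPPP bundle of three T1s) ----
! Addresses, names and ASN are assumed for this example; replace the PSKs.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PSK-R1-DC> address 192.0.2.1
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-AES
interface Multilink1
 description primary ISP (3xT1 MLPPP)
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 description segment shared with R2 and the ASA outside interface
 ip address 10.1.1.2 255.255.255.0
interface Tunnel0
 description GRE to datacenter, sourced from the primary ISP address
 ip address 172.16.0.1 255.255.255.252
 tunnel source Multilink1
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile GRE-PROT
router eigrp 100
 network 172.16.0.0 0.0.0.3
 network 10.1.1.0 0.0.0.255
 no auto-summary
! the tunnel endpoint must be reachable through this router's own ISP
ip route 192.0.2.1 255.255.255.255 198.51.100.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! ---- R2: branch backup border router (1700, single T1 from second ISP) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PSK-R2-DC> address 192.0.2.1
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-AES
interface Serial0
 description backup ISP (single T1)
 ip address 203.0.113.2 255.255.255.252
interface FastEthernet0
 ip address 10.1.1.3 255.255.255.0
interface Tunnel1
 description GRE to datacenter, sourced from the backup ISP address
 ip address 172.16.0.5 255.255.255.252
 ! EIGRP delay in tens of microseconds; above the GRE default of 50000 so
 ! routes learned over this tunnel lose to the primary while both are up
 delay 60000
 tunnel source Serial0
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile GRE-PROT
router eigrp 100
 network 172.16.0.4 0.0.0.3
 network 10.1.1.0 0.0.0.255
 no auto-summary
ip route 192.0.2.1 255.255.255.255 203.0.113.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! ---- R3: datacenter router, terminating both tunnels on one public address ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PSK-R1-DC> address 198.51.100.2
crypto isakmp key <PSK-R2-DC> address 203.0.113.2
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-AES
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.248
interface GigabitEthernet0/1
 ip address 10.2.0.1 255.255.0.0
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT
interface Tunnel1
 ip address 172.16.0.6 255.255.255.252
 delay 60000
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
router eigrp 100
 network 172.16.0.0 0.0.0.7
 network 10.2.0.0 0.0.255.255
 no auto-summary
ip route 0.0.0.0 0.0.0.0 192.0.2.2
```

While Tunnel0 is up, R1 prefers the datacenter prefixes learned directly over it; when the 3xT1 bundle fails, the EIGRP neighbor on Tunnel0 times out (15 s hold by default), and R1 keeps only the route it learns from R2 across the shared 10.1.1.0/24 segment, so traffic arriving from the ASA is forwarded to R2 and out Tunnel1 without any change on the ASA. Failover of R1 itself (not just its link) would additionally need first-hop redundancy such as HSRP between R1 and R2 for the ASA's default gateway, which is outside this example. Two practical checks: `show crypto ipsec sa` on R3 should show two SAs with different peers, and `show ip eigrp neighbors` on R1 should list both R3 (via Tunnel0) and R2 (via the LAN). If the IOS release on R3 rejects the second `tunnel protection` line because both tunnels share one source, append the `shared` keyword to both `tunnel protection ipsec profile GRE-PROT` commands on R3. For production use, EIGRP authentication on the tunnel and LAN interfaces (`ip authentication mode eigrp 100 md5` with a key chain) should be added so that a host on the shared segment cannot inject routes and redirect traffic away from the tunnels.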
