VPN Design

saquib.tandel · ‎07-25-2010

Hi

Looking for input

Is it possible to have Two Tunnels from each Spoke to HeadQuarter(hub_site) with one tunnel Active and another tunnel inactive.

It would be GRE over IPSEC ( Eigrp or OSPF )

Spoke_1_Tunnel#1==============HQ_Hub1 ( Active Tunnel )
Spoke_1_Tunnel#2==============HQ_Hub2 ( Inactive Tunnel )

If Link at HQ for Hub#1 is down then Tunnel#2 becomes active and all traffic flows on this tunnel.

initial_design attached

Richard Burts · ‎07-25-2010

ST

Yes, as long as it is 2 different routers at the Headquarters site it is quite possible for the spoke site to configure 2 IPSec/GRE tunnels running EIGRP or OSPF and to use one as primary and the other as a failover. I have configured this for a customer and it is working well.

HTH

Rick

HTH

Rick

saquib.tandel · ‎07-25-2010

Hi Rick

What configuration I would need at HQ and branch to make tunnel 2 as failover ;

I couldnt find similar scenario on cisco sample config, Help with sample config

Sample configuration for (( SPOKE_))

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share

crypto isakmp key cisco address 1.1.1.1
crypto isakmp key cisco address 2.2.2.2

crypto ipsec transform-set Hub_1 esp-3des esp-md5-hmac
crypto ipsec transform-set Hub_2 esp-3des esp-md5-hmac

crypto map VPN2INT 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set Hub_1
match address Hub1

crypto map VPN2INT 11 ipsec-isakmp
set peer 2.2.2.2
set transform-set Hub_2
match address Hub2

interface Tunnel1
ip address 192.168.1.2 255.255.255.252
tunnel source FastEthernet0/1
tunnel destination 1.1.1.1

interface Tunnel2
ip address 192.168.2.2 255.255.255.252
tunnel source FastEthernet0/1
tunnel destination 2.2.2.2

ip access-list extended Hub2
permit gre host 3.3.3.3 host 2.2.2.2

ip access-list extended Hub1
permit gre host 3.3.3.3 host 1.1.1.1

int fa 0/1

ip address 3.3.3.3 255.255.255.255

crypto map VPN2INT

router eigrp 5
network 192.168.2.2 0.0.0.0
network 192.168.1.2 0.0.0.0
network 10.10.100.2 0.0.0.0 ((// connects to backbone switch ))

Latchum Naidu · ‎07-26-2010

Hi,

Are you planning to go for DMVPN's with EIGRP / OSPF protocol running?

Regards,

Naidu.

saquib.tandel · ‎07-26-2010

Hi

Not planning for DMVPN but would prefer to stay with GRE over IPSEC.

Rick any input

Richard Burts · ‎07-27-2010

ST

This config looks pretty good. I have a couple of comments about it:

- the default bandwidth of a GRE tunnel is quite low. this has potential to impact EIGRP. so I generally specify a bandwidth for the GRE tunnel.

- you specify 2 transform sets, but they specify the same transforms. so you only need a single transform set. the same set can be used for both peers.

- this configuration will run EIGRP over both tunnels and will treat them as equal cost paths and will load share (which is not necessarily a bad thing). But your original message described wanting to have a primary and a backup. To achieve this configure an offset list under EIGRP and add something to prefixes advertised over one of the tunnels to make it the backup tunnel (you can either do offset list in and out on the spoke or do offset list in (or out) on both the spoke and the head end routers.

What you need for the Headquarters head end router would be quite similar:

- a single isakmp policy

- a single isakmp key per remote site

- a transform set

- a crypto map instance per remote site

- a GRE tunnel per remote site

- an access list per remote site

- a single crypto map assigned to the interface

- make sure that the tunnel address matches a network statement under EIGRP

HTH

Rick

HTH

Rick