
Advertising tunnel upness to EIGRP from CVPN or PIX

mmedwid
Level 3

Most of our WAN uses EIGRP for routing. Up to now most of the connectivity to our major sites has been primarily via PTP circuits with LAN to LAN IPsec VPN tunnels serving as backup - either via CVPN 3000 to CVPN 3000 or CVPN 3000 to a Pix of some sort. I put in floating static routes with a higher metric so if a WAN circuit goes down the floating static points the traffic to the CVPN concentrator and the tunnel comes up. Works like a champ.

But now I want to do the opposite. I have two sites with big pipe (each with two DS3s) and I want the VPN to be primary and the WAN to be secondary.

But how can EIGRP be best notified in the event that the tunnel goes down?

One way I thought of was to create a GRE tunnel terminated at the WAN router inside the CVPN of each side. If the CVPN-CVPN IPsec tunnel went down - the GRE tunnel interface would go down and then the (artificially weighted higher) WAN circuit could kick in. But then I have wondered if GRE inside of IPsec might not be the best mechanism.

Anyone have some other ideas to get the CVPN-CVPN tunnels to play into EIGRP routing?

3 Replies

Richard Burts
Hall of Fame

I have implemented something very similar to what you describe for a customer. We support multiple remote sites over IPSec VPN with a backup strategy. We chose to use IPSec VPN with GRE tunnels over the Internet connection so that we can run EIGRP. (Without the GRE tunnel you cannot run a dynamic routing protocol over IPSec.) As long as the IPSec/GRE tunnel is up, EIGRP advertises routes. And if the IPSec/GRE tunnel has a failure, EIGRP converges and drops the routes, and floating statics can direct traffic to the backup.

This has worked well for us and meets our needs. It sounds like it would also meet your needs.

HTH

Rick


Thanks for the vote of confidence on the GRE over IPsec. We had some concern about the double encapsulation possibly impacting performance. But it sounds like that hasn't been a problem.

The double encapsulation has not been an issue for us. We do provision the optional hardware VPN accelerator in the routers that process this. If you are concerned about processing overhead I would suggest that you provision the accelerator in your routers.

HTH

Rick

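As an added illustration, not configuration from either poster, here is one end of the GRE-over-IPsec design Rick describes, assuming the tunnel is terminated on an IOS router rather than on the CVPN 3000 concentrators in the question. It ties together the two points in the thread: EIGRP runs over the GRE tunnel and withdraws its routes when the tunnel line protocol drops (GRE keepalives make that happen when the peer stops answering), a floating static at a worse administrative distance covers the WAN backup, and the MTU/MSS clamp addresses the double-encapsulation overhead raised in the second exchange. All addresses, names and key placeholders are constructed for the example.

```cisco
! Site A router (hypothetical). The peer public address 203.0.113.2 and every
! address, name and key below are constructed for this example.
!
! IKE phase 1 and an IPsec profile bound to the tunnel interface, so the GRE
! packets themselves are encrypted without a separate crypto map and ACL.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-IPSEC
 set transform-set GRE-TS
!
! Key chain for EIGRP neighbor authentication across the tunnel
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-EIGRP-KEY
!
interface Tunnel0
 description GRE over IPsec to Site B
 ip address 10.255.0.1 255.255.255.252
 ! GRE plus ESP adds several dozen bytes of header; clamp the tunnel MTU and
 ! TCP MSS so full-size packets are not fragmented or silently dropped.
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 ! GRE keepalives: three misses at 10 s intervals take line protocol down,
 ! so EIGRP loses the neighbor and withdraws routes learned via the tunnel.
 keepalive 10 3
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-IPSEC
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
 no auto-summary
!
! Floating static toward the WAN next hop (172.16.0.2). AD 200 is worse than
! EIGRP internal (90), so it is installed only once the tunnel route is gone.
ip route 10.2.0.0 255.255.0.0 172.16.0.2 200
```

The other end mirrors this with the addresses swapped. Verify failover by watching `show ip eigrp neighbors` and `show ip route 10.2.0.0` while the tunnel is up, then again after the peer is unreachable: the Tunnel0 neighbor should disappear within the keepalive window and the 10.2.0.0/16 entry should change from an EIGRP route via Tunnel0 to the static via 172.16.0.2. If, as in the original question, the WAN circuit also runs EIGRP rather than a static, the same convergence still applies; in that case the WAN path is made the backup by raising its EIGRP metric (for example with a higher `delay` on the WAN interface) instead of relying on administrative distance.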