2 wan links, pix-vpn tunnel, and rtr-vpn tunnel

john.shin
Level 1

What are some of your setups where:

We are using eigrp over the rtr vpn tunnel.

But would like the pix-vpn tunnel as backup.

Currently we have 1 static cmd, forcing traffic over the rtr-vpn. What offers the best redundancy and some sort of self traffic re-direction in the event 1 link fails?

2 Replies

aacole
Level 5

John,

You can do this by using EIGRP. If EIGRP is working over the current VPN link I take it that you are using IPSec encrypted GRE?

If you have an EIGRP neighbour relationship over this link you don't need a static as well. What you do is use a floating static link on the core VPN router, so when the routes learnt via EIGRP drop out of the IP route table the floating static route activates.

This route points the traffic to the PIX firewall.

You need to set up a VPN over the firewall.

At the remote router you have another floating static route that points traffic to the outside PIX interface if the EIGRP learnt route fails.

Hope that is clear, if you need more help let me know.

Andy

There are several ways to approach this requirement. Two are explained in the redundant IPSec white paper on my web site. The trick is you need three things for reliable redundancy:

1 - The ability to detect a failure (e.g., a conventional routing protocol like EIGRP or OSPF through a GRE tunnel, or BGP or SAA directly over the IPSec tunnel)

2 - The ability to change the route used when failures are detected (route metrics from the routing protocol, if any, or floating statics).

3 - Diversity so that the failure which wipes out your primary line does not also take out your backup line.

While these may seem obvious, the mechanism to achieve them is not always straightforward.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com
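
The floating-static failover described in both replies above, as an added IOS configuration example that is not from either poster. The EIGRP AS number, the Tunnel0 interface, the distance of 250 and every address are constructed for illustration, and the existing IPSec protection of the GRE tunnel and the PIX-to-PIX VPN are assumed to be configured already.

```cisco
! --- Core VPN router (constructed: 10.1.0.0/16 is local, 10.2.0.0/16 is remote) ---
interface Tunnel0
 description Primary path: GRE tunnel protected by IPSec, EIGRP adjacency forms here
 ip address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
!
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 172.16.0.0 0.0.0.3
 no auto-summary
!
! No ordinary static for 10.2.0.0/16: a static at the default distance of 1
! would override the EIGRP route (distance 90), so a tunnel failure would
! never move traffic to the backup.
!
! Floating static: distance 250 keeps it out of the routing table while the
! EIGRP-learned route exists. Next hop 10.1.0.254 is the PIX inside interface
! (assumed), which carries the backup VPN over the second WAN link.
ip route 10.2.0.0 255.255.0.0 10.1.0.254 250
!
! --- Remote router ---
interface Tunnel0
 description Primary path: GRE tunnel protected by IPSec
 ip address 172.16.0.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 192.0.2.1
!
router eigrp 100
 network 10.2.0.0 0.0.255.255
 network 172.16.0.0 0.0.0.3
 no auto-summary
!
! Floating static back toward the core LAN over the PIX path. 203.0.113.1
! stands in for the next hop that leads to the PIX outside interface.
ip route 10.1.0.0 255.255.0.0 203.0.113.1 250
```

With the tunnel up, `show ip route 10.2.0.0` on the core router lists the prefix as EIGRP-learned with distance 90; once the adjacency drops, the same command shows the static route with distance 250. The backup path only stays encrypted if the traffic selection on the PIX VPN covers the same two subnets the floating statics redirect.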