VPN session load-balancing

apriore685
Level 1

Hello all

I have an upcoming project that will need to have load-balancing and failover for IPsec; the sites are in Indiana and NJ. In NJ there will be 1 router that will support Indiana. In Indiana there are 2 1700 routers that have different ISP connections. If I set up HSRP between them I can have 1 GRE tunnel for the 192.168.x.x network on one 1700 and 1 GRE tunnel to the other 1700 router for the 10.10.x.x network. Is there a way to have session load balancing between them so both routers can equally balance the traffic?

Thanks

Anthony

1 Reply

ehirsel
Level 6

If you want to load balance the traffic on the ISP side, you need to get with your providers on how to best achieve that. The issues there involve whether your org. owns an IANA-assigned IP address space and maybe a BGP autonomous system ID.

With the IPsec connections, you can tie HSRP groups with IPsec crypto maps in IOS 12.2T and 12.3 code, but usually that is a failover, not a load balance mechanism. The idea of having one GRE tunnel to one net on one router, and the other net on the other router will give you load-balancing, but not failover. Instead I would add OSPF to the config and advertise the same nets to both routers, using different metrics. That will achieve both your load balancing and failover goals. I would remove HSRP because all traffic will be directed to the active router; OSPF and GRE by themselves will accomplish your goals. HSRP can defeat them and it adds complexity to the mix.

I hope this helps.
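
The following is an added illustration, not part of either post and not router configuration: a small Python model of lowest-metric route selection as seen from the NJ router, comparing the one-network-per-tunnel design from the question with the reply's suggestion of advertising both networks over both tunnels at different metrics. The tunnel names and metric values (10 and 100) are constructed for the example.

```python
# Added illustration: lowest-metric route selection from the NJ router's view.
# Tunnel names and metric values are constructed; the network labels are the
# ones used in the thread.

# Design from the question: each tunnel carries exactly one network.
SPLIT_ONLY = {
    "tunnel-to-1700-A": {"192.168.x.x": 10},
    "tunnel-to-1700-B": {"10.10.x.x": 10},
}

# Design from the reply: both networks advertised over both tunnels,
# with a low metric on the tunnel that should normally carry each one.
BOTH_WITH_METRICS = {
    "tunnel-to-1700-A": {"192.168.x.x": 10, "10.10.x.x": 100},
    "tunnel-to-1700-B": {"192.168.x.x": 100, "10.10.x.x": 10},
}


def best_paths(advertisements, tunnels_up):
    """Return {network: tunnel}, picking the lowest metric among live tunnels."""
    table = {}
    for tunnel, routes in advertisements.items():
        if tunnel not in tunnels_up:
            continue  # routes learned over a dead tunnel are withdrawn
        for network, metric in routes.items():
            current = table.get(network)
            if current is None or metric < current[1]:
                table[network] = (tunnel, metric)
    return {network: tunnel for network, (tunnel, _metric) in table.items()}


if __name__ == "__main__":
    everything_up = {"tunnel-to-1700-A", "tunnel-to-1700-B"}
    a_failed = {"tunnel-to-1700-B"}
    for name, design in (("split only", SPLIT_ONLY),
                         ("both + metrics", BOTH_WITH_METRICS)):
        print(name, "| all up:", best_paths(design, everything_up))
        print(name, "| A down:", best_paths(design, a_failed))
```

With both tunnels up, the two designs spread the networks across the routers identically; they differ only when a tunnel is lost, where the split-only design drops one network and the metric-based design moves it to the surviving tunnel.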
