IPSec VPN Resilience Solutions

ajamua
Level 1

I have read the article on building a resilient IPsec solution:

http://www.cisco.com/warp/public/cc/so/neso/vpn/vpne/vpne_an.htm

However, it does not seem to work so well for me. I have two 2621 access routers, and I am terminating several remote GRE tunnels into these routers. I am able to have two active GRE tunnels from each access router into each remote location; however, I cannot have both active with IPsec. It seems that IPsec does not support load balancing or load sharing.

When I follow this example and watch the debug [debug cry is & ip & en] when I apply it to the interface, I still see both tunnels connecting; however, only one access router is able to encrypt and decrypt [sh cry en conn ac]. The other router just says that it encrypts, and the remote router just says that it encrypts but never decrypts.

I think the problem is that both tunnels want to be active and unencrypted packets are being sent to the remote router; it is sending encrypted messages to the truly active access router, while the truly active access router is sending and receiving encrypted messages, but the messages it sends are getting discarded somehow. Maybe this can be resolved by forcing one tunnel to be active by weighting the routes in EIGRP; that way, if it goes down, then the other tunnel will go active. What do you folks think?
