Dynamic routing between IP-VPN sites

thomas.aure
Level 1

What are the possible solutions for exchanging dynamic routing information between two (or more) IP-VPN connected sites (with subsites)? And how is this configured? Is MBGP the answer? Or is it possible to create a GRE tunnel and use EIGRP/OSPF?

Any suggestion is greatly appreciated.

4 Replies

jroyster
Level 1

Straightforward solution is to use GRE tunnels and then whatever IGP you're using to form neighbors across the tunnel.

I agree with John that a dynamic routing protocol (whichever one the rest of your network uses) running over GRE tunnels in conjunction with IPSec is the better answer. MBGP is a complexity that you do not need.

I have done a project for a customer where we run EIGRP over GRE tunnels with IPSec VPN to support multiple remote sites. It works very well for us. And if you have subsites I think it would be ideal for supporting them.

While there are some complexities in doing the configuration, if you look at it as a series of components then it becomes easier to grasp. You configure GRE tunnels in the standard way (tunnel source, tunnel destination, tunnel IP address). You configure IPSec VPN in pretty much the standard way (crypto isakmp policy, crypto keys, crypto transform set, crypto map). You enable the routing protocol on the tunnel interface.

There are a few complexities to be aware of: the access list used by the crypto map only has to permit traffic with source address and destination address of the tunnel end points; in some versions of the software the crypto map needs to be configured both on the outbound physical interface and on the tunnel interface, while in recent software it no longer needs to be on the tunnel interface; in traditional GRE tunnels the tunnel will be up/up as long as the router has a viable route to the tunnel end point (up/up does not necessarily mean that the tunnel is working), and Cisco has recently introduced a feature of GRE keepalive which will check the tunnel operation and will force the tunnel protocol down if it is not passing traffic successfully.

Good luck with your project.

HTH

Rick
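The components Rick lists above, assembled into one IOS configuration for a hub-side router, as an added example that is not part of this thread and not the configuration from Rick's project. All addresses are assumptions: 203.0.113.1/.2 are the two tunnel end points, 10.255.0.0/30 is the tunnel subnet, 192.168.1.0/24 is the local LAN, EIGRP AS 100 is arbitrary, and the pre-shared key is a placeholder. The crypto ACL matches only GRE between the two end points, the crypto map sits on the physical interface only (the "recent software" case), and the tunnel keepalive makes the line protocol track real reachability rather than just a route to the peer.

```cisco
! --- IPsec: IKE policy and key (placeholder key; use a strong random secret) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! --- IPsec: transform set and crypto map ---
! Transport mode is sufficient here: GRE already supplies the outer IP header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto map GRE-CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-TO-SITE-B
!
! --- Crypto ACL: only the GRE packets between the tunnel end points ---
ip access-list extended GRE-TO-SITE-B
 permit gre host 203.0.113.1 host 203.0.113.2
!
! --- GRE tunnel in the standard way: source, destination, tunnel IP ---
interface Tunnel0
 description GRE to site B (assumed addressing)
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 ! send a keepalive every 10 s, declare the tunnel down after 3 misses
 keepalive 10 3
!
! --- Physical interface toward the IP-VPN, crypto map applied here only ---
interface GigabitEthernet0/0
 description Provider IP-VPN (assumed addressing)
 ip address 203.0.113.1 255.255.255.248
 crypto map GRE-CMAP
!
interface GigabitEthernet0/1
 description Local LAN (assumed addressing)
 ip address 192.168.1.1 255.255.255.0
!
! --- Routing protocol enabled on the tunnel interface ---
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 no auto-summary
```

The remote router mirrors this with the addresses swapped (tunnel IP 10.255.0.2, peer 203.0.113.1, its own LAN under `router eigrp 100`). To confirm the pieces are working, `show crypto isakmp sa` and `show crypto ipsec sa` should show an active SA with encrypt/decrypt counters climbing, `show interfaces tunnel 0` should stay up/up with keepalives answered, and `show ip eigrp neighbors` should list the peer on Tunnel0. On platforms that support it, a `crypto ipsec profile` applied with `tunnel protection ipsec profile` on the tunnel interface replaces the crypto map and crypto ACL entirely, which removes the "where does the crypto map go" question Rick mentions.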

Rick, thanks for your response.

I guess most of you guys agree that GRE/IPsec would be a good solution.

I got another complication with this issue :-)

We are using Orbital devices to accelerate our TCP connections. These devices will not accelerate any packets with i.e. GRE encapsulation (or similar). My goal is therefore to make all the routing stuff go inside the tunnel, while ordinary traffic (i.e. FTP) should go outside of the tunnel. Is it possible to do this with i.e. route-maps etc.?

Thomas

The direct answer to the question that you ask is that yes you could do Policy Based Routing and specify that FTP and any other TCP based applications that you need would go outside the tunnel. But I do not think that you want to do this.

To make that approach work you would need to supply route information separate from what you learn through the tunnel about how to get to the destinations. And why would you want to run the routing protocol if you were going to override it for your key applications?

I am not familiar with the Orbital devices but I have done some work for a customer on a project that I suspect is similar. This project is for a satellite based connection that has IPSec and GRE tunnels. It has TCP accelerators on both ends of the connection. What we did was to put the accelerator between the traffic source and the VPN router. So the traffic (FTP or whatever) goes from the source to the accelerator which does its thing, and then to the IPSec/GRE router which encapsulates the accelerated traffic and transmits it over the satellite. At the other end the traffic comes to the IPSec/GRE router which de-encapsulates, and passes the traffic to the accelerator which does its thing and passes the traffic to the ultimate destination. Would an approach like that work for you?

HTH

Rick
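What the policy-based-routing approach Rick describes (and advises against) would look like on the LAN-facing interface, as an added example that is not from this thread. It is included to make his objection concrete: the route-map steers FTP to a next hop on the provider IP-VPN, which only works if that path can reach the remote LAN on its own, so the forwarding decision for your most important traffic no longer comes from the routing protocol you are running over the tunnel. The addresses (192.168.1.0/24 local LAN, 203.0.113.6 as the provider next hop) and the interface name are assumptions.

```cisco
! --- Classify the traffic that should bypass the GRE/IPsec tunnel ---
! Both FTP control (21) and active-mode data (20) are matched; passive-mode
! data channels use dynamic ports and would need a broader match.
ip access-list extended FTP-BYPASS
 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
!
! --- Route-map: matched traffic is sent to the provider next hop directly ---
! Everything else falls through (no matching sequence) to the normal routing
! table, i.e. the EIGRP routes learned over Tunnel0.
route-map BYPASS-TUNNEL permit 10
 match ip address FTP-BYPASS
 set ip next-hop 203.0.113.6
!
! --- Apply the policy where the traffic enters the router ---
interface GigabitEthernet0/1
 description Local LAN (assumed addressing)
 ip policy route-map BYPASS-TUNNEL
```

Two consequences follow directly from this configuration and are the substance of Rick's caution. First, the bypassed traffic leaves the router unencrypted on the provider network, so whatever the IPsec tunnel was protecting no longer applies to FTP. Second, `set ip next-hop` is static: if the provider path to the remote LAN changes or fails, PBR keeps sending FTP there while the tunnel-learned routes would have reconverged. `show route-map BYPASS-TUNNEL` reports how many packets the policy has matched, which is the quickest way to see whether traffic is being diverted as intended.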