IPSec configuration in active active mode

ranjit123
Level 3

Dear All,

At present we have 1 core IPSec router where all the branch traffic is terminated, and it's the entry and exit point for all the traffic traversing the Data center. We need to implement 1 more IPSec core router, which we need to plan in Active-Active mode; that is, some regions' traffic will be primary for 1 router and some regions' traffic will be secondary on the 2nd router, and vice versa, for fallback and redundancy.

How can this be done? Also, how can the routers decide internally which router is intended to create the IPSec tunnel for the return traffic to the branches?

Kindly guide me.

Regards,

Ranjit

3 Replies

Edison Ortiz
Hall of Fame

If the transit path is all private network (MPLS or P2P), you can use GETVPN to simplify your IPSec peering configuration and also have a unified policy management.

Which router to choose from the branches to the DC can be handled with any routing protocol.

Dear Edison,

Initially, thanks for your reply.

I want to make both the IPSec routers active-active and want to load balance traffic.

Please can you update any Cisco document regarding the same.

Regards,

Ranjit

Ranjit,

The traffic load-balancing won't be done with IPSec but with a routing protocol.

You can have multiple IPSec Peers active in a router. This is a standard configuration.

If you want to read more about GETVPN, please refer to the documentation:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_encrypt_trns_vpn_ps6441_TSD_Products_Configuration_Guide_Chapter.html
