IPSec Tunnel as a Backup Path

mdamato
Level 1

Hi,

Below is my current network setup.

{ INTERNET_1 }======== IPSec Tunnel ========{ INTERNET_2 }
      |                                            |
      |                                            |
   [ASA_1]---[ DMZ_1 ]                [ DMZ_2 ]---[ASA_2]
      |                                            |
      |                                            |
      |                                            |
  [L3_SW_1]------------- 1 Gb Fiber -------------[L3_SW_2]

OSPF and static routing are used on L3_SW_1 and L3_SW_2, while only static routing is used on ASA_1 and ASA_2. How can I use the IPSec tunnel configured on the ASAs as a backup path in case the fiber link goes down? I would like to avoid using OSPF on the ASAs as per security recommendations; however, is this possible? I'm having trouble coming up with the proper routing to do this. L3_SW_1 has 2 static routes, one for the internet and one for DMZ_1, and ASA_1 has static routes for packets destined to go back to L3_SW_1, so I find myself in a loop when trying to add a second route on L3_SW_1 to ASA_1, since ASA_1 has a static route to go back to L3_SW_1. Any recommendations would be much appreciated. Thank you

-- Matteo

Accepted Solution

That is the basic requirement for any dynamic routing protocol, you will also have recursive routing. The tunnel endpoints MUST not be advertised into any routing protocol, they MUST be static or you can never 100% say the path the tunnel will take. With statics, you will know it will always be via the IPSEC VPN. Then you can run the OSPF "inside" the GRE tunnel with no issues.


3 Replies

andrew.prince
Level 10

Create a GRE tunnel from L3_SW_1 to L3_SW_2 that traverses the IPSEC tunnel. The source and destinations for the GRE tunnel are 2 x /32 Loopback interfaces, that are statically routed to the ASAs.

You can run any dynamic routing protocol over the 1 GB fibre and the GRE tunnel as backup.  You just amend the route metrics for whichever routing protocol you use.  I do this using OSPF/EIGRP in a 250+ site network.

HTH
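As an added illustration of Andrew's design (not taken from the thread or from Cisco's documentation), here is an IOS-style configuration for L3_SW_1 with the matching ASA_1 statics; every address, interface name and ACL name is a constructed assumption. It applies the accepted-solution rule directly: the /32 tunnel endpoints are reached only by static routes, while OSPF runs over the fibre and inside the GRE tunnel, with the tunnel costed higher so it only carries traffic when the fibre fails.

```cisco
! L3_SW_1 (IOS-style syntax). Every address, interface name and ACL name
! below is a constructed placeholder, not taken from the thread.
!
! Tunnel endpoint: a host (/32) loopback that is deliberately NOT listed
! under "router ospf", so neither switch ever learns it over the fibre.
interface Loopback0
 description GRE tunnel source, reachable only via the IPsec path
 ip address 10.255.1.1 255.255.255.255
!
! GRE tunnel to L3_SW_2 that rides the ASA_1 <-> ASA_2 IPsec tunnel.
! Its OSPF cost is far higher than the fibre's, so it is only used as backup.
interface Tunnel0
 description GRE over IPsec backup path to L3_SW_2
 ip address 172.31.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.2.1
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 ip ospf cost 1000
!
! Primary path: the 1 Gb fibre to L3_SW_2.
interface GigabitEthernet1/0/1
 description 1 Gb fibre to L3_SW_2
 ip address 172.16.0.1 255.255.255.252
 ip ospf cost 10
!
! The far-side tunnel endpoint is reached ONLY by this static route towards
! ASA_1's DMZ_1 address. This is the recursive-routing guard: the tunnel
! destination must never resolve through Tunnel0 itself or via the fibre.
ip route 10.255.2.1 255.255.255.255 192.168.1.1
!
! LAN, fibre and tunnel subnets are advertised; Loopback0 deliberately is not.
router ospf 1
 router-id 10.255.1.1
 network 172.16.0.0 0.0.0.3 area 0
 network 172.31.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
!
! --- ASA_1 (ASA syntax): the mirror-image statics for the loopback pair ---
! inside = towards L3_SW_1 (DMZ_1), outside = towards INTERNET_1 / ASA_2.
route inside 10.255.1.1 255.255.255.255 192.168.1.2
route outside 10.255.2.1 255.255.255.255 203.0.113.1
! The loopback pair must match the crypto ACL so the GRE packets are encrypted;
! depending on the NAT policy, a NAT exemption for this pair may also be needed.
access-list VPN_ACL extended permit ip host 10.255.1.1 host 10.255.2.1
```

On L3_SW_1, `show ip route 10.255.2.1` should report only the static via 192.168.1.1; if it ever shows an OSPF entry, an endpoint has leaked into the routing protocol and the tunnel will flap. L3_SW_2 mirrors this with 10.255.2.1 as its loopback and 10.255.1.1 as the tunnel destination.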

Thanks Andrew, I will try what you said.

I did try the example here

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

but every time I would publish the Loopbacks in OSPF it would tunnel over the fiber, since it would learn about the other side. So I guess 2 x loopbacks per L3_SW should not be published in OSPF and only create static routes to the ASA like you said.

--Matteo

