VPN redundant design

Brunhuber Adrian · ‎04-03-2012

Hi ,

I would like to implement at a customer a redundant VPN design .

The situation goes like this

Branch office . 1 ISP line - 1 Router

Headquarters - 2 ISP lines - 1 Router

( I usualy have 2 ISP in the branch and 2 Routers in the HQ and provide tunnel redundancy with OSPF but the customer in this case doesn`t have the resources )

How is the best aproach ?

Thanks

david.tran · ‎04-03-2012

There is a very simple solution to this. Here it is:

- on the branch router side:

1) your configuration is a very straight forward IPSec tunnel, nothing special.

- on the HQ router side:

1) assign loopback0 with a public IP address that is reachable over the Internet,

2) configure eBGP on the HQ routers with ISP1 and ISP2 and advertise loopback0 to them. This again is also a simple task. Take a look at http://wiki.imagestream.com/wiki/BGP/Examples/Example_1:One_router_with_two_peers

3) configure IPSec on the HQ router, again this is a very straight forward IPSec configuration with one exception. You need to add the command "crypto map local-address loopback0" or something to that effect. That will source the IPSec peering point from the loopback interface. After that, go ahead and apply the "crypto map vpn" both physical interfaces facing ISP1 and ISP2 on the HQ router.

Once you've confirmed that VPN is up and running between branch and HQ, go ahead and "admin" down one of the eBGP peers on either ISP1 or ISP2 on the HQ router and your VPN tunnel will NOT go down because your loopback 0 interface is still reachable by the branch router.

Easy right?

Brunhuber Adrian · ‎04-03-2012

Hi ,thanks for your answer ,

Easy if the client had BGP connections , but we are talking about standard ISP connections , one fixed IP per ISP , two different ISP`s.

sean_evershed · ‎04-04-2012

Hi,

On the branch router have you tried confiuring two peers under your crypto map?

One is configured as the preferred peer and the other backup.

For example

crypto map XYZ 10 ipsec-isakmp

set transform-set ABC

set peer 10.1.1.1 prefer

set peer 10.1.1.2

match address 101

david.tran · ‎04-04-2012

Since BGP is not an option for you. Here is another option to think about:

on the branch router:

create loopback0 with a public IP address

create loopback1 with a public IP address

On the HQ router:

create loopback0 with a public IP address

static route for branch router loopback0 with next hop of ISP1

static route for branch router loopback1 with next hop of ISP2

on the branch router:

create a GRE tunnel between branch router lo0 and HQ router loopback0

create a GRE tunnel between branch router lo1 and HQ router loopback0

Now encapsulate GRE inside with your IPsec

Now run ospf inside the GRE tunnel

On the HQ router:

create a GRE tunnel between HQ router lo0 and branch router using loopback0

create a GRE tunnel between HQ router lo0 and branch router using loopback1

now encapsulate GRE inside your IPSec tunnel

Now run OSPF inside the GRE tunnel

Now you have multiple VPN tunnels between branch router and HQ. shutdown either

ISP1 or ISP2 will have NO impact for connecivity between branch router and HQ.