11-11-2013 12:57 AM - edited 03-07-2019 04:32 PM
In a customer network I tried to create multiple VPN tunnels between two sites with one router at each site.
At site A the router has two interfaces to two different ISPs with a static public IP address for each interface.
At site B the router has two interfaces to two different ISPs with a dynamic public IP address for each interface.
The plan was to have four VPN tunnels (fully meshed between all four interfaces) for redundancy purposes.
Every VPN tunnel will have a different ip nhrp network-id.
Unfortunately I had no chance to test this scenario in a lab.
Question: Is the wanted solution supported by DMVPN? (Multiple tunnels on one router using DMVPN)
Martin Funke
K&K Networks
11-11-2013 01:05 AM
Hi Martin,
If you have only 2 sites, A and B, then why do you want to build 4 VPN tunnels when only one can solve your requirement?
The concept would be that you build the tunnel on a loopback interface and have two static routes in the routing table, one of which is floating. So even if one ISP fails, your VPN tunnel will still be up.
Regards,
Smitesh
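The design suggested in this reply, sketched for the static-address site as an added example (not part of the original post): a hub-style DMVPN tunnel sourced from a loopback, with a primary and a floating default route. All addresses are constructed from documentation ranges, and the interface names and the IPsec profile name `DMVPN-PROFILE` are assumptions; the profile is assumed to be defined elsewhere in the configuration.

```cisco
! Site A router. Addresses are constructed (RFC 5737 documentation ranges).
interface Loopback0
 description Tunnel endpoint, must be reachable through both ISPs
 ip address 203.0.113.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Uplink to ISP 1 (assumed interface name)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Uplink to ISP 2 (assumed interface name)
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel0
 description Single DMVPN tunnel, independent of the physical uplink in use
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source Loopback0
 tunnel mode gre multipoint
 ! DMVPN-PROFILE is a hypothetical name, defined elsewhere
 tunnel protection ipsec profile DMVPN-PROFILE
!
! Primary default route through ISP 1
ip route 0.0.0.0 0.0.0.0 192.0.2.1
! Floating backup through ISP 2: administrative distance 10 keeps it out
! of the routing table while the primary route is installed
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
```

The floating route only governs the outbound path and is installed only when the primary route is withdrawn, for example when the ISP 1 interface goes down. Whether the loopback address stays reachable from the internet through the second ISP is a separate question that this configuration does not settle.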
11-11-2013 02:56 AM
Hi Smitesh,
Thanks for your answer.
Sounds easy. But for that solution I need public IP addresses on the loopback interfaces of each router (site), don't I?
Actually all 4 interfaces are connected to 4 different ISPs, which means (correct me if I am wrong) the routing in the internet may be a problem (provider 2 will not route the public IP address of provider 1 when the interface to provider 1 is down).
Best regards,
Martin.
11-11-2013 03:44 AM
Hi Martin,
Correct, you need a public IP address, but only at one site; the other location can work with a dynamic IP address. Look for IPsec with dynamic IP addresses.
And as far as your second concern goes, if you have a normal internet circuit at your site, it should not be an issue, as every ISP is bound to connect (either directly or indirectly) to each other; that is how the internet works.
Also, I would point out one more thing: DMVPN is generally deployed where you want to connect many sites and reduce the number of VPN tunnels; you deploy a hub-and-spoke model while still maintaining site-to-site communication.
Regards,
Smitesh
PS: Please rate helpful posts.
11-11-2013 05:21 AM
Hi Smitesh,
Here is my understanding so far: When I create a loopback interface with a public IP address assigned by provider 1, this IP address will be routed from the internet to provider 1 because it is a subnet of the network of provider 1. When my circuit to provider 1 is down, the IP traffic to this (provider 1) IP address will still go to provider 1 and will be dropped there because my subnet (IP addresses from provider 1) is no longer reachable. No other provider will route the packet to my 2nd provider, because he is not the owner of the provider 1 IP address (subnet).
IMHO that problem can only be solved by a provider-independent public IP address on the loopback interface which is routed by both (primary and secondary) providers (but this solution is out of scope because it is too expensive).
Am I wrong?
Best regards,
Martin.
11-11-2013 08:25 PM
Hi Martin,
I should have been more clear when I suggested a public IP address. Yes, you need to own those public IP addresses and also an AS number.
Regards,
Smitesh