Achieving ISP redundancy over an IPSEC VPN connection

mitchen
Level 2

Recently, we've been experiencing a number of connectivity problems with our ADSL connected remote sites.

Our set-up uses a Cisco 837 at the remote site, with an IPSEC tunnel built terminating on our PIX515E at our Head Office.

At the remote sites, we would like to get a 2nd ADSL link from an alternative ISP in the hope that a) we could load balance over the links and b) the 2nd link would allow us some resilience and could takeover should the other link fail.

The question is - how can we achieve this with minimal disruption and with as little investment in additional hardware as possible?

Could we buy a 2nd Cisco 837 for the 2nd ADSL link and build an IPSEC tunnel from the PIX to it? We could then use HSRP at the remote site and that would allow one link to take over from the other if it went down. However, how would our PIX know to then route the traffic over the 2nd connection?

And could we perform any load balancing in this set-up?

Or maybe we could buy eg a Cisco 2800 series router with 2 x ADSL WIC cards - one to each ISP. Again, how could we achieve load balancing and failover with this set-up?

Or does anyone have any other recommendations/suggestions on how to achieve this?

Thanks.

4 Replies

thanekamp
Level 1

There is no way to achieve load balancing with this configuration. Only one of the tunnels will remain active on the PIX at a time, preventing load balancing.

To configure the PIX to use one link as a backup, simply configure multiple peers within the same crypto map.

Ok, thanks - so I can't achieve load balancing but I could achieve automatic failover to a 2nd ADSL link?

Would this set-up work for automatic failover:

At remote site, 2 x Cisco 837s, with one connected to ADSL link for ISP A and the other connected to ADSL link for ISP B.

I could run HSRP between the Cisco 837s with tracking on the ATM interface to change priority should the ADSL link on ISP A go down. So, any change in the ADSL link being used would be transparent to the users on the remote office LAN - they would use the same default gateway (i.e. the virtual HSRP address)

Then on my head office PIX, I configure everything as previously EXCEPT I now add the peer address of the 2nd Cisco 837 router into my crypto map statement?

So, how does the PIX decide which peer takes priority? Is it just the first one listed in the config? And, should that peer fail, how long would it take to failover to the other peer?

Thanks.

If you want one device specifically to have lower priority, you will have to create a lower precedence crypto map entry matching the same access list with the secondary peer.

My personal recommendation would just be to use them both in the same crypto map entry, and configure DPD for automatic failover.

http://www.cisco.com/en/US/products/ps6635/products_white_paper09186a00801ee19a.shtml#wp1027254

Ok, thanks, I think that makes sense! So I could have the following set-up:

REMOTE SITE

------------

2 x Cisco 837s running HSRP - one connected to ISP A's ADSL link, the other connected to ISP B's ADSL link

HEAD OFFICE

------------

PIX configured with multiple peers in the crypto map (one for each Cisco 837 at remote site) and using Dead Peer Detection to detect when one goes down.

So - if the ADSL link for ISP A was to go down, the Cisco 837 router using ISP B would take over as active and traffic from the remote LAN would be routed through this.

At the head office, the PIX would use DPD to determine that the ISP A link had gone down (no response from the peer) so would build a tunnel to the other peer instead - the Cisco 837 using ISP B.

And this would therefore give me automatic failover between the ADSL links of 2 different ISPs!

Do I have all that correct?!

Thanks for all the guidance!
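The design summarised above, written out as an added configuration example (not posted by anyone in this thread): HSRP with ATM interface tracking on the two 837s, and a single PIX 6.3 crypto map entry with both peers plus ISAKMP keepalives for DPD. All addresses, names and the pre-shared key are assumed placeholders; the 837s' own crypto map / tunnel configuration towards the PIX is not shown.

```cisco
! ---- Remote site, router A (ISP A ADSL) ----
interface Ethernet0
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt
 ! Lose 20 priority points if the ADSL interface goes down, so router B
 ! (priority 100) becomes active and takes over the virtual gateway
 standby 1 track ATM0 20
!
! ---- Remote site, router B (ISP B ADSL) ----
interface Ethernet0
 ip address 192.168.10.3 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track ATM0 20
!
! ---- Head office PIX 515E (PIX 6.3 syntax) ----
access-list VPN-REMOTE permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
! One crypto map entry, two peers: the PIX tries 203.0.113.10 (router A) first
! and falls back to 198.51.100.10 (router B) once DPD marks the first peer dead
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN-REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set STRONG
crypto map OUTSIDE_MAP interface outside
isakmp enable outside
isakmp key REPLACE-WITH-PSK address 203.0.113.10 netmask 255.255.255.255
isakmp key REPLACE-WITH-PSK address 198.51.100.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! Dead Peer Detection: send a keepalive after 10 s of IKE silence, retry every 2 s;
! without this the PIX would only notice a dead peer when the SA lifetime expired
isakmp keepalive 10 2
```

Because router A keeps `standby 1 preempt`, traffic swings back to ISP A when its ATM interface recovers, and the PIX will rebuild the tunnel to the first-listed peer on the next DPD failure of router B.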