Configuring secondary interfaces for GRE/IPSec tunnels

JUSTIN LOUCKS
Level 1

I have a successful implementation of IPSec encrypted GRE tunnels with EIGRP. I do split tunneling at all of the remote sites, sending only corporate/private traffic back over the tunnel interface and performing NAT on all public bound traffic to the 'outside' interface. I am now trying to add an additional connection to one of my locations as a backup to the Internet. What is the best way to do this?

I have thought about just creating a second tunnel on the router that uses the secondary public interface as the source and then modifying the routing metrics to have it be a less desirable route than the primary tunnel. I'm unsure how to handle the NAT translation though as I use the 'ip nat' command to overload the primary external interface and do not know if/how you can include a 2nd interface in this sort of configuration.

(For example, Serial0/0 is my primary/preferred Internet-facing interface and my NAT is set up to use the following command: 'ip nat inside source route-map nonat interface Serial0/0 overload')

I would greatly appreciate any feedback/suggestions on this topic.

1 Reply

zkalwar123
Level 1

Create another access list for your local LAN and create another NAT statement with the secondary interface as an overload. Configure the two default routes, one with low cost through the primary interface next hop and a high-cost route through the secondary interface next hop.

Create another tunnel interface and configure it as a backup interface for the primary GRE tunnel interface, and configure the keepalive interface. As soon as you lose your primary link, the second default route will kick in, your primary GRE tunnel interface will go down, and the secondary tunnel interface will become active. Please configure the keepalives under the tunnel interface.

Kind Regards

Zahid A. Kalwar
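
The steps in the reply above written out as IOS configuration, added here as an example and not posted by either participant. Serial0/1, ACL 111, the route-map name nonat-backup, the LAN and tunnel addressing, the next hops and the `match interface` lines are assumptions; the existing `nonat` route-map contents and the IPsec configuration do not appear in the thread and are not reproduced.

```cisco
! Added example. All addresses are constructed placeholders
! (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 are documentation ranges).
!
! Second ACL for the local LAN: keep corporate/private traffic out of NAT
! (assumed LAN 10.1.1.0/24, assumed corporate range 10.0.0.0/8).
access-list 111 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
!
! Assumption: tie each route-map to its exit interface so a packet is
! translated to the address of the interface it actually leaves through.
route-map nonat permit 10
 match interface Serial0/0
route-map nonat-backup permit 10
 match ip address 111
 match interface Serial0/1
!
! Existing statement from the question, plus the second overload statement.
ip nat inside source route-map nonat interface Serial0/0 overload
ip nat inside source route-map nonat-backup interface Serial0/1 overload
!
interface Serial0/1
 ip nat outside
!
! Low-cost default via the primary next hop, high-cost (floating) default
! via the secondary next hop.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Primary tunnel: keepalives take the line protocol down when the far end
! stops answering, which activates the backup tunnel.
interface Tunnel0
 keepalive 10 3
 backup interface Tunnel1
!
! Secondary tunnel sourced from the backup Internet interface.
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 tunnel source Serial0/1
 tunnel destination 203.0.113.10
 keepalive 10 3
!
! Not shown: the IPsec policy must also cover the Tunnel1 GRE endpoints,
! otherwise the backup path carries corporate traffic unencrypted.
```

After a failover test, `show ip nat translations` and `show crypto ipsec sa` confirm that Internet-bound traffic is translated to the Serial0/1 address and that the Tunnel1 traffic is being encrypted.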