
How could I setup redundant VPN from branches to HQ which has dual ISP?

Ilya Semenov
Level 1

Hello, everybody!

I have to redesign a customer's network and provide a complete solution. The customer has 5 branches (1 ISP in each) and an HQ where 2 ISPs exist.

They want to have redundant VPNs to the branches if the active ISP in HQ fails. This is not a DMVPN solution, so there are no links between branches.

I am thinking about an ISR4351 in HQ and 4321s in the branches. But maybe ASAs everywhere would be suitable?

The most difficult point of my consideration is how to switch the VPN tunnels in case the 1st ISP fails.

On the HQ site I could set "tunnel source" to a loopback address, but what should I set on the branches as the "tunnel destination" addresses?

Please share your ideas,

many thanks in advance,

Ilya

UPDATE:

I've found an article which may provide the solution in my case, but it is for ASAs:

https://networkology.net/2013/03/08/site-to-site-vpn-with-dual-isp-for-backup-redundancy/

Accepted Solution

Hi Ilya,

Yes, you can do this with the ISRs. You could use either FlexVPN or DMVPN; they'd both achieve redundant connections to 2 x Hubs, just in slightly different ways.

I've included a part of an example FlexVPN client configuration to answer your question regarding the tunnel destination. In this example, the FlexVPN spoke would use IP SLA to track the 1st Hub; if that fails it will then connect to the 2nd Hub. The configuration defined on the tunnel interface is to select a dynamic destination.

crypto ikev2 client flexvpn FLEX_CLIENT
 peer 1 1.1.1.1 track 1
 peer 2 2.2.2.1 track 2
 peer reactivate
 client connect tunnel0
 connect auto

interface tunnel 0
 tunnel destination dynamic

HTH

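As an added example (not part of the accepted answer above, and not Cisco's reference configuration), here is a fuller spoke-side IOS-XE configuration that the snippet presupposes: the IP SLA probes and track objects behind `track 1` and `track 2`, the IKEv2 profile that accepts either hub identity, and the tunnel interface with `tunnel destination dynamic`. The hub addresses 1.1.1.1 and 2.2.2.1 are the ones used in the answer; the WAN interface name, the pre-shared key, the probe timers and the crypto parameters are assumptions for illustration.

```cisco
! --- Reachability probes for each hub WAN address (constructed example) ---
! The hub side must answer ICMP on these addresses, otherwise the tracks
! never come up and the client will not connect.
ip sla 1
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

ip sla 2
 icmp-echo 2.2.2.1 source-interface GigabitEthernet0/0/0
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability

! --- IKEv2 (assumed parameters; choose per site policy) ---
crypto ikev2 proposal FLEX_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy FLEX_POL
 proposal FLEX_PROP

crypto ikev2 keyring FLEX_KEYS
 peer HQ_HUB1
  address 1.1.1.1
  pre-shared-key PLACEHOLDER_PSK
 peer HQ_HUB2
  address 2.2.2.1
  pre-shared-key PLACEHOLDER_PSK

! One profile matches both hub identities so the same tunnel can be
! re-established against whichever hub the client selects.
crypto ikev2 profile FLEX_PROF
 match identity remote address 1.1.1.1 255.255.255.255
 match identity remote address 2.2.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX_KEYS
 dpd 10 2 on-demand

crypto ipsec transform-set FLEX_TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX_IPSEC
 set transform-set FLEX_TS
 set ikev2-profile FLEX_PROF

! --- Tunnel interface: destination is chosen by the FlexVPN client ---
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile FLEX_IPSEC

! --- FlexVPN client block from the answer, tied to the tracks above ---
crypto ikev2 client flexvpn FLEX_CLIENT
 peer 1 1.1.1.1 track 1
 peer 2 2.2.2.1 track 2
 peer reactivate
 client connect Tunnel0
 connect auto
```

With `peer reactivate`, the spoke moves back to peer 1 once track 1 returns to up, so a flap on the HQ primary ISP causes two tunnel rebuilds rather than one; lengthen the SLA `frequency` or add a delay to the track object if that is undesirable. `show track`, `show crypto ikev2 client flexvpn` and `show crypto ikev2 sa` are the commands to confirm which hub the spoke is currently connected to.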

3 Replies

Hello, RJI!

Many thanks for your reply!

Could you please tell me what the preferred hardware is for this topology/configuration: ISRs or ASAs?

ISRs require a SEC/HSEC license for FlexVPN; it's about +$5K in my case. The ASA doesn't support FlexVPN at all.

Thanks.

Hi Ilya,

I personally would deploy either a FlexVPN or DMVPN solution for all site-to-site VPN solutions. Both solutions require less configuration, and you can easily add additional spokes without having to reconfigure the hubs. This is extremely useful in large deployments, maybe less so in your situation. In addition, the spokes can dynamically create a spoke-to-spoke tunnel (if required).

Unfortunately I don't have much recent experience with deploying a similar solution using ASAs, but I know you can configure an ASA VPN with a backup VPN tunnel, which will give you what you need.

The ISRs with FlexVPN would require a security license; they would only require an HSEC license if the bandwidth exceeds 85Mbps.

HTH
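For comparison with the ISR approach, here is an added example (not from this thread or from the linked article) of the ASA-side equivalent the reply refers to: a branch ASA crypto map that lists the HQ ASA's two ISP-facing addresses as primary and backup peers. The ASA tries the peers in order and falls back to the next one when IKE negotiation with the current peer fails. The hub addresses 1.1.1.1 and 2.2.2.1 are reused from the accepted answer; the interface name, subnets, proposal and pre-shared key are assumptions.

```cisco
! --- IKEv2 on the branch ASA (assumed parameters) ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256_SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic: branch LAN to HQ LAN (constructed subnets)
access-list BRANCH_TO_HQ extended permit ip 10.10.0.0 255.255.255.0 10.0.0.0 255.255.0.0

! One tunnel-group per HQ peer address; both hold the same PSK here.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER_PSK
 ikev2 local-authentication pre-shared-key PLACEHOLDER_PSK
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER_PSK
 ikev2 local-authentication pre-shared-key PLACEHOLDER_PSK

! --- Crypto map: first peer is primary, second is the backup ---
crypto map OUTSIDE_MAP 10 match address BRANCH_TO_HQ
crypto map OUTSIDE_MAP 10 set peer 1.1.1.1 2.2.2.1
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256_SHA256
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside
```

Two points worth checking on the HQ side: the HQ ASA needs the crypto map applied on both ISP interfaces (with a tunnel-group for each branch address) so that it can answer on whichever ISP is up, and `originate-only` on the branch keeps the branch as the initiator so failover is driven from the spoke, which is the side that can observe the lost peer. `show crypto ikev2 sa` on the branch shows which HQ address the current SA terminates on.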