
How to configure Dual VPN

irshad.saifi
Level 1

Hi All,

I have a 3745 router where 2 ISPs are connected.

I am using this router for VPN also. At the remote site my customer is using a VPN Concentrator.

I want automatic switchover in case one ISP goes down.

Please help me out to complete my query.

Thanks

Irshad

5 Replies

ehirsel
Level 6

How do you have your 3745 configured now? Is the IPsec crypto map applied on only one ISP interface, or do you have separate maps applied to both? If applied to both, are you using the same local-address value, or two different ones on the crypto maps?

With regards to your customer: Are they using a different provider, or is it the same as one of yours? The reason I ask is that if you both have a provider in question, then there is the risk that that provider has a failure that will block any connections to/from the customer.

If there is no provider in common, and you use separate IP addresses on your 3745 for the crypto maps (one for each provider), then on the customer end you need to define two peers in its crypto IPsec config: the addresses used in your 3745 crypto local-address statements.

I am using a crypto map and it's configured on both interfaces. Two different ISPs are connected to interfaces at my end as well as at my client's end.

I have defined two peer IPs in IPsec, and so has my customer.

In case one ISP goes down, I change the NAT on my PIX.

Basically I have asked my client to open two different IPs. I have given him two IPs from each ISP.

Whenever I can send the traffic from any of the ISPs.

In this scenario I have to change the traffic in my PIX manually, basically changing the NAT.

What happens if I don't want to NAT here and want dynamic changeover, and to set the priority like primary and secondary...

I hope you are getting my scenario.

Thanks

Irshad

Post us a network topology diagram to see how your router and PIX lie in relation to each other.

I think you are trying to achieve what I have setup on one of my networks.

If you have a router at the VPN3000 end, it is easy to do by defining two GRE tunnels, one for each VPN, and running a routing protocol across both to detect which is working. The configuration is a little tricky in that you need to make sure that all addresses chosen will work to move GRE traffic across only the correct VPN tunnel, but is otherwise pretty standard.

For other ideas, see the two redundant VPN configuration examples explained in a white paper on my web site.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com
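
The two-GRE-tunnel layout described in the post above, shown for the 3745 side as an added example that is not part of the original thread or the poster's white paper. It assumes a router terminates both tunnels at the remote end and EIGRP as the routing protocol; all addresses (RFC 5737 ranges and 10.x), interface names, map names and the key are constructed placeholders.

```cisco
! Constructed example: addresses, interface names and the key are placeholders
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 5
crypto isakmp key PLACEHOLDER-KEY address 203.0.113.1
crypto isakmp key PLACEHOLDER-KEY address 203.0.113.129
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
! Each crypto map protects only the GRE flow that belongs to its own ISP
access-list 101 permit gre host 192.0.2.1 host 203.0.113.1
access-list 102 permit gre host 198.51.100.1 host 203.0.113.129
crypto map VPN-A 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set GRE-TS
 match address 101
crypto map VPN-B 10 ipsec-isakmp
 set peer 203.0.113.129
 set transform-set GRE-TS
 match address 102
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN-A
interface Serial0/1
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN-B
!
interface Tunnel0
 description Primary GRE over ISP A
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.1
interface Tunnel1
 description Secondary GRE over ISP B (higher delay, so EIGRP prefers Tunnel0)
 ip address 10.255.0.5 255.255.255.252
 delay 60000
 tunnel source Serial0/1
 tunnel destination 203.0.113.129
!
! Host routes pin each GRE endpoint to its own ISP next hop
ip route 203.0.113.1 255.255.255.255 192.0.2.2
ip route 203.0.113.129 255.255.255.255 198.51.100.2
!
router eigrp 100
 network 10.255.0.0 0.0.0.7
 network 10.1.0.0 0.0.255.255
 no auto-summary
```

The remote router mirrors this with source and destination swapped. When ISP A fails, the EIGRP neighbor on Tunnel0 times out and traffic moves to Tunnel1 with no NAT change.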

If possible, try not to NAT for the VPN connections, to reduce the manual intervention in case a provider were to fail. This will also ease the config on both ends. Let me know if you do have a need for NAT - if that is the case, is there a common router behind the PIX units that all traffic flows through?

With regards to primary and secondary, how is the current provider setup accomplished? Do you have the same bandwidth provisioned on both providers? Or is one only to act as a secondary with minimal monthly charge until a certain traffic threshold is exceeded?