08-04-2004 10:57 AM - edited 02-21-2020 01:16 PM
Is it possible to set up VPN/IPSEC where the main pop router has two points of entry into an MPLS cloud and about 50 other pops, and somehow automatically load balance the VPN traffic from the main pop over two Ethernet interfaces? If the main pop has two equal cost paths to the MPLS cloud and one applies the same crypto map to both interfaces, will encrypted traffic be sent over each one of the links?
P.S. We're using a 6509 and VPN Service Module blade at the main pop and 2621s with AIM modules everywhere else.
08-10-2004 11:42 AM
What you are facing is a routing issue. The problem boils down to routing the traffic to the interfaces in a 50-50 ratio. For that you have a number of options such as static routes and policy routing.
08-10-2004 03:49 PM
I can see your point, but what happens if one of the points of entry fails? I would like all the IPSEC tunnels to get recreated on the other point of entry and go back to what it was when the link comes back online.
Somebody suggested creating two GRE/IPSEC tunnels from each of the 50 routers. These two tunnels would terminate on each of the two interfaces of the hub router. Both tunnels would remain up all the time.
Use routing to make the tunnel terminate on the hub router's first interface as primary for the first 25 routers, then make the tunnel terminate on the second interface as primary for the last 25.
This way, if one of the interfaces of the hub goes down, then the other tunnel would take all the traffic.
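The dual-tunnel design described in the post above, sketched as an added spoke-side IOS configuration that is not part of the original thread. It assumes OSPF as the routing protocol that selects the primary tunnel, tunnel protection with IPsec profiles rather than a crypto map, and an AES transform set the spoke's crypto hardware supports; all addresses, names and the key placeholder are constructed.

```cisco
! Spoke in the first group of 25: hub interface A is primary, B is standby.
! Constructed values: 192.0.2.1 / 192.0.2.2 = hub interfaces A / B,
! 10.255.x.x = tunnel subnets, 10.1.1.0/24 = spoke LAN.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
!
! Transport mode: GRE already supplies the outer IP header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! One profile per tunnel (hypothetical names) so each tunnel owns its SAs.
crypto ipsec profile GRE-PROT-A
 set transform-set GRE-TS
crypto ipsec profile GRE-PROT-B
 set transform-set GRE-TS
!
interface Tunnel0
 description Primary tunnel, terminates on hub interface A
 ip address 10.255.0.2 255.255.255.252
 ip ospf cost 10
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile GRE-PROT-A
!
interface Tunnel1
 description Standby tunnel, terminates on hub interface B
 ip address 10.255.1.2 255.255.255.252
 ip ospf cost 100
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile GRE-PROT-B
!
! Both tunnels stay up and form adjacencies; the lower cost wins.
! Spokes in the second group of 25 swap the two cost values.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.255.1.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
```

The hub needs the mirror-image costs on its matching tunnel interfaces so return traffic follows the same path. When the primary adjacency times out, traffic moves to the standby tunnel, and it moves back once the adjacency re-forms.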