Re: Load-balancing site-to-site VPN

DaveTanKK · ‎06-08-2005

Hi,

I'm trying to connect 2 site with IPSec Site-to-Site VPN using cisco routers. The 2 sites will be connected via 2 provider on 2 separate routers. Load-balancing is one of the requirement.

Can anyone advise me how i can implement this without using GRE over IPSec? Please give me your advise as I relatively new to IPSec.

Philip D'Ath · ‎06-08-2005

GRE over IPSec is the most straight forward way of doing it.

But if you have your heart set on not using GRE, then try using Optimised Edge Routing.

http://www.cisco.com/go/oer

DaveTanKK · ‎06-08-2005

Hi, is there a more straight forward alternative?

Can I run dynamic routing (EIGRP) between Router A-D and IPSec between VPN Router 1 & 2. This way I'll be able to get load sharing over the WAN connection and have IPSec protection at the same time right? Will this work?

RouterA---RouterB

VPN | | VPN

site--Router1-- | | --Router2--Site

A RouterC---RouterD B

DaveTanKK · ‎06-08-2005

Hi, is there a more straight forward alternative?

Can I run dynamic routing (EIGRP) between Router A-D and IPSec between VPN Router 1 & 2. This way I'll be able to get load sharing over the WAN connection and have IPSec protection at the same time right? Will this work?

Refer to attached.

Philip D'Ath · ‎06-08-2005

If the routers are seperated by an ISP, then no. EIGRP requires directly connected links - hence the reason why GRE over IPSec is the best method to achieve what you need.

roluce · ‎06-08-2005

We're currently doing this using GRE. When we started we were passing IPX, Appletalk, IPv4 uni and multicast. At this moment, we're only doing IPv4 and IPv6 unicast and multicast.

It might not seem the "coolest" way to do it, but it's rock solid reliable. Since Cisco added GRE keepalives and CDP support, I'd be hard pressed to do it any other way.

Rob