Loadbalancing IPSec VPN on IOS Router

Frank Hobrecht · ‎12-08-2012

Hello,

we are planning to connect a 2921 ISR G2 on a branch site using 3 ADSL lines of different ISPs.

The goal is to load balance the lines in order to gain more bandwith and have some redundancy
if one of the links fails. So far, so good.

The branch site needs to be connected to a central site (Cisco 2921 ISR G2 as well) via an IPSec
VPN configuration.

Since the branch router with it´s 3 ADSL lines will have 3 different public IP Addresses, and an IPSec

tunnel usually has only one endpoint IP address configured, my question know is:

Is there a way the IPSec tunnel can make use of the loadbalanced configuration of the branch router
or in other words use all of the 3 lines? I thought aboút configuring all the external IP addresses of the
branch router in the crypto map of the central router, and bind the crypto map of the branch router to
all outgoing interfaces, but how is the loadbalancing (if possible) being controlled?

Many thanks for some hints!

Marcin Latosiewicz · ‎12-08-2012

Frank,

If both sides are to use Cisco devices, you can use VTI configuration and have three separate tunnels on all the time.

You can use routing protocol to balance the load the way you want it (BGP would be the way to go normally, or EIGRP).

What you'd need to do is pack the the ISPs into separte VRFs (tunnel vrf), the "primary" ISP can still be in global.

M.