PIX or Router VPN redundancy possible?

tkpsimon · ‎05-06-2003

Just wondering, i have two ISP for my office with an Amplifer(load balancing) in front of the whole network, and all the branch offices are connect through a LAN 2 LAN tunnel, with either PIX or router.

Is it possible to program either PIX or Router to switch using different ISP for VPN tunnel establishment? So, in case one ISP goes down, i can still have VPN tunnel using the other ISP.

any tips or suggestion would be really appreciate! thanks in advance

ovt · ‎05-07-2003

There are several ways to do this:

- run BGP between ISP and your router (not possible with PIX);

- run GRE/IPSec between your routers (not possible with PIX);

- use IKE keepalives (PIX/routers) and 2 "set peer" - works for simple topologies;

- etc.

The actual problem with cisco devices is how local LAN PCs will switch over

to the router with an actve IPSec tunnel after the tunnel switchover.

Oleg Tipisov,

REDCENTER,

Moscow

mnaveen · ‎05-21-2003

Hi Simon,

A simple solution to your problem would be to have one more router as stand-by router and use HSRP Interface tracking to track if the link goes down.

The setup should like this. One Active router connected to ISP-1 and the standby router connected to ISP-2. If the link b/n the active router and the ISP-1 goes down, then the standby router will takeover. The active router would redirect the traffic to the standby router and it goes to ISP-2. To configure HSRP tracking, enter the foll command in interface config mode.

Router(config-if)#standby track .

You might need to revisit the HSRP configuration guide for this. Let me know if you need more info.

Thanks,

Naveen.

mnaveen@cisco.com