Redundant ipsec/GRE

nikolay (Level 1)

Hi all

I have 10 x 857s connecting to a 2821 with IPsec.

I also have an 1801 for the general internet connection and would like to provide a redundant VPN to it from the 857s.

The best solution I believe is DMVPN but the 857 doesn't support it.

Any ideas for an alternative configuration to provide VPN redundancy for the 857s?

Regards

4 Replies

attrgautam (Level 5)

You can look at DPD + RRI or DPD + HSRP between the 2800 and 1800 at the hub for redundancy. This will give you VPN redundancy.

markanthony (Level 1)

I haven't used an 1801 or 857s, but if they support GRE/IPsec tunnels you can do that. On the branch routers, terminate a GRE/IPsec tunnel to both routers at head office. That allows you to run a routing protocol between them.

I run OSPF across all my VPN tunnels. If the primary VPN router goes down, the other link converges via OSPF pretty quickly.

I have some config if it would help.

Wilson Samuel (Level 7)

Hi Nikolay,

I agree with Mark Anthony; the best way to achieve redundancy at the head end is to change from IPsec direct encapsulation (which I assume you are using) to point-to-point GRE in IPsec tunnels, which makes routing protocol deployment over the VPNs easy.

Then make sure that your branch offices have two simultaneous connections to the head end, i.e. to the 1801 and the 2821 (both should have VPN accelerator cards).

Then run EIGRP (you could use OSPF as well) and that's it!

You have achieved an automatic failover mechanism for the IPsec VPNs.

Regards,

Wilson Samuel
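The design in the two replies above (point-to-point GRE protected by IPsec from each branch to both hubs, with OSPF choosing the path) written out as IOS configuration. This is an added example, not configuration posted by anyone in this thread. Addresses (203.0.113.1 for the 2821, 203.0.113.2 for the 1801, 198.51.100.1 for the branch WAN, 10.255.0.0/16 for tunnel /30s, 192.168.1.0/24 for the branch LAN, 10.1.0.0/16 for the head-end LAN), interface names (Dialer0 and Vlan1 on the 857, GigabitEthernet0/0 on the 2821), the pre-shared keys and the OSPF costs are all assumed. The DPD line is the `DPD` the first reply mentions; it tears down the IKE/IPsec SAs to a hub that stops answering so the tunnel is not left half-alive.

```cisco
! === Branch 857 (one of the ten, called "B1" here; all values assumed) ===
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key B1-2821-CHANGE-ME address 203.0.113.1
crypto isakmp key B1-1801-CHANGE-ME address 203.0.113.2
! DPD: probe an idle peer every 10 s, retry every 3 s, drop the SAs if it is dead
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport            ! GRE already supplies the outer IP header
crypto ipsec profile GRE-PROT
 set transform-set AES-SHA
!
interface Tunnel1
 description GRE/IPsec to 2821 (primary hub)
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 100
 tunnel source Dialer0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
interface Tunnel2
 description GRE/IPsec to 1801 (secondary hub)
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 200          ! higher cost: used only once the Tunnel1 adjacency is lost
 tunnel source Dialer0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
router ospf 1
 network 10.255.1.0 0.0.0.3 area 0
 network 10.255.2.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
 passive-interface Vlan1   ! advertise the LAN, send no hellos toward hosts
!
! === Hub 2821, matching end of Tunnel1 (one Tunnel interface per branch).
! The 1801 mirrors this with 203.0.113.2 as its address and the 10.255.2.0 /30s. ===
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key B1-2821-CHANGE-ME address 198.51.100.1   ! branch B1 WAN address
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set AES-SHA
!
interface Tunnel11
 description GRE/IPsec to branch B1
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 100
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
!
router ospf 1
 network 10.255.1.0 0.0.0.255 area 0   ! all branch /30s terminating on this hub
 network 10.1.0.0 0.0.255.255 area 0   ! head-end LAN, shared with the 1801
```

Two things to check before relying on this. First, both hubs must also run OSPF with each other on the head-end LAN (the last `network` line above), otherwise the 2821 has no route to a branch whose only surviving tunnel lands on the 1801. Second, the hub side uses a fixed `tunnel destination` and a per-address pre-shared key, so it assumes each 857 has a static WAN address; with dynamically addressed DSL lines the hub end cannot be configured this way, which is the case DMVPN was designed for.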

If you don't want to use a dynamic routing protocol to switch between the VPN connections, it is also possible using floating static routes: since you have two GRE tunnels (one to the 2800 and one to the 1800) up, it is possible to create two static routes (one with cost 100 and one with cost 150).

I had to use this solution once where I had to enable fallback via ISDN, and OSPF kept the ISDN line up because of keepalive packets (and all branch offices learn the complete network topology, which is in some occasions not desirable).

Regards

Pieter-Jan Nefkens
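The floating-static variant from the reply above, as an added example that is not Pieter-Jan's own configuration. It assumes the same two branch tunnels (Tunnel1 to the 2821, Tunnel2 to the 1801), the hub's Tunnel11 to the branch, a 10.0.0.0/8 head-end summary, a 192.168.1.0/24 branch LAN and hub LAN addresses 10.1.0.1 (2821) and 10.1.0.2 (1801), all of which are assumed. The 100 and 150 on the `ip route` lines are administrative distances; the 150 route only enters the routing table when the 100 route is withdrawn. For that withdrawal to happen the tunnel interface has to actually go down when the hub dies, which a GRE tunnel does not do by default, hence the `keepalive` lines.

```cisco
! === Branch 857: static alternative to OSPF over the same two GRE/IPsec tunnels ===
! (tunnel and crypto configuration unchanged; only the routing part differs)
no router ospf 1
!
interface Tunnel1
 keepalive 10 3     ! line protocol drops after 3 missed GRE keepalives (30 s)
interface Tunnel2
 keepalive 10 3
!
! Head-end networks via the 2821 at AD 100; the same prefix via the 1801 floats
! at AD 150 and is installed only while Tunnel1 is down.
ip route 10.0.0.0 255.0.0.0 Tunnel1 100
ip route 10.0.0.0 255.0.0.0 Tunnel2 150
!
! === Hub 2821: return path for branch B1's LAN ===
! If its own tunnel to B1 is down, hand the traffic to the 1801 across the
! head-end LAN (assumed 1801 LAN address 10.1.0.2).
interface Tunnel11
 keepalive 10 3
ip route 192.168.1.0 255.255.255.0 Tunnel11 100
ip route 192.168.1.0 255.255.255.0 10.1.0.2 150
!
! The 1801 mirrors this: its own tunnel to B1 at AD 100, the 2821 (10.1.0.1) at AD 150.
```

Configure the fallback route on the hubs as well as the branches; with only the branch side done, a hub whose tunnel is down still has no way to reach the branch and the failover is one-directional. Verify on your IOS release that GRE keepalives do bring the line protocol down when the tunnel is protected with `tunnel protection` (clear the crypto SAs to a hub and watch `show interfaces Tunnel1` and `show ip route`); if they do not, the static route never floats and the branch keeps black-holing traffic into the dead tunnel.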