
VPN High Availability Help Required

Hi

I need some help on

high availability configuration between HQ and branch offices.

Scenario:

I have HQ and 1 branch office.

HQ information

HQ has a primary link, LINK-IPVPN-ISP1 (BGP), which connects to the branch office.

There are two more Internet links with ISP-2 terminated on the same router.

Branch office has three links:

Link-1 with ISP-1 IPVPN to HQ, uses BGP

Link-2 for Internet with ISP-2

Link-3 for Internet with ISP-3

All three links are terminated in one router, a 3845, at the branch office.

In case the primary link with ISP-1 IPVPN goes down, I want to establish an IPsec VPN tunnel between

Link-3-ISP-3 and the HQ-ISP-2 Internet link (same ISP), specifying source and destination address,

OR

Link-2-ISP-2 and the HQ-ISP-2 Internet link (other ISP; Internet connection links).

I want to automate the process.

How do I divert the routing from the IPVPN to the Internet IPsec tunnel, and when the link is back to its normal state, how do I make all the traffic go over the primary IPVPN link again?

Please kindly advise.

Thanks

5 Replies

Andrew Phirsov
Level 7

Why don't you use GRE over IPsec or VTI tunnels and dynamic routing (which will take care of redundancy) inside the tunnels for that purpose? Just make VTI interfaces for each link, set up an OSPF process for those interfaces and adjust the OSPF metric so that the IPVPN link is primary.

shamax_1983
Level 3

Hello Mohammed,

In addition to Andrew's suggestions,

When you configure multiple tunnels that should use different ISP links, you might run into issues, so beware!

Because you are using a single router at both sides, make sure that when you configure the tunnels they are tied to the correct ISP. Otherwise your tunnel will use the incorrect ISP link for tunnel negotiation, behave in an unpredictable way and produce loads of SPI errors and the like. If you experience this, you might have to use VRF-based separation for the tunnels so they don't reply to the tunnel negotiation requests from the other side using the wrong Internet exit.

Please rate this post if helpful.

Thanks

Shamal
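The branch-side configuration that puts Andrew's VTI-plus-OSPF suggestion and Shamal's "tie each tunnel to its ISP" warning together, as an added example that is not from the thread and not from any of the posters. Each Internet link sits in its own front-door VRF (FVRF) with its own default route, so IKE and ESP for a tunnel can only leave through the link that tunnel is sourced from; inside the tunnels OSPF carries the HQ and branch LANs as the backup path. The IPVPN stays primary without any metric tuning because the eBGP route learned from ISP-1 has administrative distance 20 and beats the OSPF route (AD 110); when the IPVPN BGP session drops, the BGP route is withdrawn and the OSPF route takes over, and when the IPVPN returns the BGP route preempts again. All addresses, AS numbers, interface names, VRF names, LAN prefixes (10.1.0.0/16 at HQ, 10.2.0.0/16 at the branch), the HQ peer address 192.0.2.10 and the pre-shared keys are assumptions.

```cisco
! Added example (not from the thread). Branch 3845: two IPsec VTIs to the HQ ISP-2
! address, each pinned to its own Internet link with a front-door VRF, plus OSPF
! inside the tunnels as the backup path behind the IPVPN eBGP route.
! Every address, AS number, interface name and key below is an assumption.
!
! --- One FVRF per Internet link, so each link keeps its own default route ---
ip vrf ISP2
ip vrf ISP3
!
interface GigabitEthernet0/1
 description Link-2 Internet with ISP-2
 ip vrf forwarding ISP2
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Link-3 Internet with ISP-3
 ip vrf forwarding ISP3
 ip address 203.0.113.2 255.255.255.252
!
ip route vrf ISP2 0.0.0.0 0.0.0.0 198.51.100.1
ip route vrf ISP3 0.0.0.0 0.0.0.0 203.0.113.1
!
! --- IKE: keyring and ISAKMP profile are bound to the FVRF the peer is reached in,
!     so a negotiation arriving on ISP-3 is never answered out of ISP-2 ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
crypto keyring KR-ISP2 vrf ISP2
 pre-shared-key address 192.0.2.10 key ChangeMe-ISP2
crypto keyring KR-ISP3 vrf ISP3
 pre-shared-key address 192.0.2.10 key ChangeMe-ISP3
!
crypto isakmp profile IKE-ISP2
 keyring KR-ISP2
 match identity address 192.0.2.10 255.255.255.255 ISP2
crypto isakmp profile IKE-ISP3
 keyring KR-ISP3
 match identity address 192.0.2.10 255.255.255.255 ISP3
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-ISP2
 set transform-set AES256-SHA
 set isakmp-profile IKE-ISP2
crypto ipsec profile VTI-ISP3
 set transform-set AES256-SHA
 set isakmp-profile IKE-ISP3
!
! --- VTIs: "tunnel vrf" makes the tunnel packets follow that link's default route ---
interface Tunnel2
 description IPsec VTI to HQ via ISP-2
 ip address 10.255.2.2 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 192.0.2.10
 tunnel mode ipsec ipv4
 tunnel vrf ISP2
 tunnel protection ipsec profile VTI-ISP2
!
interface Tunnel3
 description IPsec VTI to HQ via ISP-3 (second backup: higher OSPF cost)
 ip address 10.255.3.2 255.255.255.252
 ip tcp adjust-mss 1360
 ip ospf cost 200
 tunnel source GigabitEthernet0/2
 tunnel destination 192.0.2.10
 tunnel mode ipsec ipv4
 tunnel vrf ISP3
 tunnel protection ipsec profile VTI-ISP3
!
! --- Backup routing inside the tunnels (global table) ---
router ospf 1
 network 10.255.2.0 0.0.0.3 area 0
 network 10.255.3.0 0.0.0.3 area 0
 network 10.2.0.0 0.0.255.255 area 0
!
! --- Primary path: eBGP with ISP-1 over the IPVPN. AD 20 beats OSPF's AD 110, so
!     the tunnel routes are only installed while the BGP route is withdrawn ---
router bgp 65002
 network 10.2.0.0 mask 255.255.0.0
 neighbor 172.16.1.1 remote-as 65001
 neighbor 172.16.1.1 fall-over
```

The HQ side mirrors this with two tunnels sourced from its ISP-2 address, one per branch source address, and the same OSPF/BGP layering. Things to check before trusting it in production: `show ip route 10.1.0.0` should show the BGP route while the IPVPN is up and the OSPF route via Tunnel2 within seconds of pulling it; `show crypto session` should list both tunnels UP-ACTIVE with the expected local/remote addresses; and if the IPVPN can degrade without the interface going down, `neighbor 172.16.1.1 fall-over bfd` (where the image and the provider support BFD) is what makes the BGP withdrawal fast.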

Shamal Weerakoon wrote:

Hello Mohammed,

In addition to Andrew's suggestions,

When you configure multiple tunnels that should use different ISP links, you might run into issues, so beware!

Why would that be an issue? This is a non-issue if he does the VPN using the loopback interface (assuming that the loopback interface has a public IP address and can be seen by the remote peers).

That's why people use a loopback interface to terminate the VPN when you have multiple ISPs, so that you can utilize both ISP links. He just needs to specify "crypto map local-address lo0".
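The loopback-terminated crypto map David refers to, as an added example that is not from the thread or from David. It only works as described when the loopback address is a public address that HQ can reach through either Internet link (for example provider-independent space advertised to both ISPs); with a single default route in the global table, every IKE reply and every ESP packet still leaves via whichever link the default route points at, which is exactly the failure Shamal describes. Failover away from the IPVPN is done here with floating static routes that only appear once the eBGP route (AD 20) is withdrawn. Addresses, prefixes, interface names and the key are assumptions.

```cisco
! Added example (not from the thread). Crypto map sourced from a loopback so the
! same IKE/IPsec identity is used whichever physical link the packets exit.
! ASSUMPTION: 192.0.2.50/32 is public and routable from HQ via both ISP-2 and ISP-3;
! if it is only routable via one ISP, only that link can ever carry the tunnel.
!
interface Loopback0
 ip address 192.0.2.50 255.255.255.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key ChangeMe address 192.0.2.10
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
!
ip access-list extended HQ-LAN
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! IKE and ESP are sourced from Loopback0 regardless of the exit interface
crypto map HQ-MAP local-address Loopback0
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set AES256-SHA
 match address HQ-LAN
!
interface GigabitEthernet0/1
 description Link-2 Internet with ISP-2
 ip address 198.51.100.2 255.255.255.252
 crypto map HQ-MAP
interface GigabitEthernet0/2
 description Link-3 Internet with ISP-3
 ip address 203.0.113.2 255.255.255.252
 crypto map HQ-MAP
!
! Global default: ISP-2 first, ISP-3 only if the ISP-2 link goes down. The crypto
! map encrypts on whichever interface the route chooses, but the HQ peer must be
! able to reach Loopback0 through that same ISP for the reverse direction to work.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10
!
! Backup path to the HQ LAN, installed only while the IPVPN eBGP route (AD 20)
! is absent: floating statics at AD 250/251, ISP-2 preferred over ISP-3.
ip route 10.1.0.0 255.255.0.0 198.51.100.1 250
ip route 10.1.0.0 255.255.0.0 203.0.113.1 251
```

The check that separates this design from a working one is `show crypto isakmp sa` on the HQ side: the branch peer must show up as 192.0.2.50, and after shutting the branch ISP-2 interface the SA must re-form with the same peer address but arrive over ISP-3. If HQ only ever sees the loopback via one provider, the loopback trick is cosmetic and the per-link FVRF separation is the real fix.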

Hi David,

No need to get too upset, mate. Everyone's trying to help here.

Here I'm talking about the GRE tunnel. The router will have only one default route in its global routing table, and no matter which ISP the request came through, it's going to use the same ISP (the default-gateway ISP). So if you want to maintain two GRE tunnels, one from ISP1 and the other from ISP2, even though you think everything's working fine, your second tunnel actually uses ISP1 as the next hop to reach the remote site, and if there is an ISP1 failure, out of nowhere your 2nd tunnel goes down. That's why it is important to tie your GRE tunnel to the proper ISP. Because of this, he may need to think about some sort of separation, either by means of VRFs or maybe BGP routes.

Thanks to all for the suggestions and advice. What I will do is simulate the scenario in GNS; I will paste the exact configuration

with the diagram, which will help me more to implement it, as it's a production environment and I can't take the risk.

Thanks, best regards