01-10-2013 11:33 AM
Hi
I need some help on
High Availability configuration between HQ and Branch Offices.
Scenario:
I have HQ and 1 Branch Office
HQ Information
HQ has Primary LINK-IPVPN-ISP1 (BGP) which is connecting to the branch office.
There are two more Internet links with ISP-2 terminated on the same router.
Branch office - has three links
Link-1 with ISP-1 IPVPN to HQ uses BGP
Link-2 for Internet with ISP-2
Link-3 for Internet with ISP-3
All the three links are terminated in one router, 3845 Br-Office.
In case the Primary Link with ISP-1 IPVPN goes down, I want to establish a VPN-IPsec tunnel between
Link-3-ISP-3 to HQ-ISP-2-Link Internet connection (same ISP), specifying the source and destination address.
OR
Link-2-ISP-2 to HQ-ISP-2-Link Internet connection (other ISP) (Internet Connection Links)
I want to automate the process.
How to divert the routing from IPVPN to the Internet IPsec tunnel, and when the link is back to normal state all the traffic should go via the Primary link IPVPN.
Please kindly advise.
Thanks
01-10-2013 11:46 AM
Why don't you use GRE over IPsec or VTI tunnels and dynamic routing (which will take care of redundancy) inside the tunnels for that purpose. Just make VTI interfaces for each link, set up an OSPF process for those interfaces and adjust the OSPF metric so the IPVPN link is primary.
01-10-2013 02:19 PM
Hello Mohammed,
In addition to Andrew's suggestions,
When you configure multiple tunnels that should use different ISP links, you might run into issues.. so beware !!
Because you are using a single router at both sides, make sure when you configure tunnels, they are tied to the correct ISP.. Otherwise your tunnel will use incorrect ISP links for tunnel negotiation and will behave in an unpredictable way and get loads of SPI errors and stuff. If you experience this, you might have to use VRF-based separation for tunnels so they wouldn't reply to the tunnel negotiation requests from the other side using the wrong Internet exit..
Please rate this post if helpful..
Thanks
Shamal
01-10-2013 05:47 PM
Shamal Weerakoon wrote:
> Hello Mohammed,
> In addition to Andrew's suggestions,
> When you configure multiple tunnels that should use different ISP links, you might run into issues.. so beware !!
Why would that be an issue? This is a "non-issue" if he does VPN using the loopback interface (assuming that the loopback interface has a public IP address and can be seen by the remote peers).
That's why people use a loopback interface to terminate VPN when you have multiple ISPs, and that way you can utilize both ISP links. He just needs to specify "crypto map local-address lo0".
01-10-2013 07:37 PM
Hi David,
No need to get too upset mate.. Everyone's trying to help here..
Here I'm talking about the GRE tunnel. The router will have only one default route in its global routing table and no matter which ISP the request came through, it's going to use the same ISP (the default GW ISP). So if you want to maintain two GRE tunnels, one from ISP1 and the other from ISP2, even though you think everything's working fine, your second tunnel actually uses ISP1 as the next hop to reach the remote site.. and if there is an ISP1 failure, out of nowhere, your 2nd tunnel goes down. That's why it is important to tie your GRE tunnel to the proper ISP. Because of this reason he may need to think about some sort of separation, either by means of VRF or maybe BGP routes..
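The following branch-side configuration is an added example, not from any poster in this thread or from Cisco, combining Andrew's VTI-plus-OSPF design with the front-door VRF separation Shamal describes. Every address is a constructed RFC 5737 documentation value, the interface names, VRF names, key and pre-shared key placeholder are assumptions, and it assumes the IPVPN (Link-1) prefixes arrive at the branch via eBGP from ISP-1 and that the 3845's IOS release supports VTI, ISAKMP profiles and SHA-256.

```cisco
! Branch 3845 - hypothetical configuration for this thread's scenario.
! Constructed addresses: ISP-2 link 198.51.100.0/30, ISP-3 link
! 192.0.2.0/30, HQ ISP-2 Internet address 203.0.113.1, branch LAN
! 10.20.0.0/24. Adjust hash/transform names to what the IOS release offers.
!
! Front-door VRFs: each Internet link and its default route live in their
! own table, so encrypted packets for Tunnel2 can only leave via ISP-2 and
! those for Tunnel3 only via ISP-3 (the global table keeps no Internet default).
ip vrf ISP2
ip vrf ISP3
!
interface GigabitEthernet0/1
 description Link-2 Internet ISP-2
 ip vrf forwarding ISP2
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Link-3 Internet ISP-3
 ip vrf forwarding ISP3
 ip address 192.0.2.2 255.255.255.252
!
ip route vrf ISP2 0.0.0.0 0.0.0.0 198.51.100.1
ip route vrf ISP3 0.0.0.0 0.0.0.0 192.0.2.1
!
! IKE: one keyring and ISAKMP profile per front-door VRF, so a negotiation
! that arrives on ISP-3 is matched and answered from the ISP-3 table.
crypto keyring ISP2-KEYS vrf ISP2
 pre-shared-key address 203.0.113.1 key PLACEHOLDER-PSK
crypto keyring ISP3-KEYS vrf ISP3
 pre-shared-key address 203.0.113.1 key PLACEHOLDER-PSK
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp profile IKE-ISP2
 keyring ISP2-KEYS
 match identity address 203.0.113.1 255.255.255.255 ISP2
crypto isakmp profile IKE-ISP3
 keyring ISP3-KEYS
 match identity address 203.0.113.1 255.255.255.255 ISP3
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-ISP2
 set transform-set TS-AES
 set isakmp-profile IKE-ISP2
crypto ipsec profile VTI-ISP3
 set transform-set TS-AES
 set isakmp-profile IKE-ISP3
!
! Routed IPsec tunnels (VTI). The tunnel interfaces themselves stay in the
! global table; "tunnel vrf" pins only the outer, encrypted packets to the ISP.
interface Tunnel2
 description Backup 1: Link-2 (ISP-2) to HQ Internet
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 100
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel vrf ISP2
 tunnel protection ipsec profile VTI-ISP2
!
interface Tunnel3
 description Backup 2: Link-3 (ISP-3) to HQ Internet
 ip address 10.255.3.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 200
 tunnel source GigabitEthernet0/2
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel vrf ISP3
 tunnel protection ipsec profile VTI-ISP3
!
! OSPF runs over the tunnels only. HQ prefixes learned over the IPVPN via
! eBGP (administrative distance 20) beat the same prefixes learned via OSPF
! (distance 110), so traffic stays on Link-1 while BGP is up, falls back to
! Tunnel2 and then Tunnel3 (higher cost) when it drops, and returns to
! Link-1 automatically once the BGP route reappears.
router ospf 1
 router-id 10.255.0.2
 passive-interface default
 no passive-interface Tunnel2
 no passive-interface Tunnel3
 network 10.255.2.0 0.0.0.3 area 0
 network 10.255.3.0 0.0.0.3 area 0
 network 10.20.0.0 0.0.0.255 area 0
```

The HQ side mirrors this with two VTI interfaces sourced from its ISP-2 Internet interface, destinations 198.51.100.2 and 192.0.2.2, and the same OSPF area; if HQ's two Internet links also need distinct exits, the same front-door VRF pattern applies there. Failover time is bounded by the eBGP hold timer on Link-1 unless the session is tracked with BFD or tighter timers, and both tunnels can be verified independently with "show crypto session" and "show ip ospf neighbor" while Link-1 is still up, which is exactly the check the single-default-route pitfall above would otherwise hide.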
01-11-2013 12:34 PM
Thanks to all for the suggestions and advice. What I will do is simulate the scenario on GNS, and I will paste the exact configuration
with the diagram; that will help me out more to implement, as it's a production environment and I can't take the risk.
Thanks Best Regards