vpn redundancy and Load Balancing

arumugasamy
Level 1

Dear All Professionals,

I want to configure a VPN connection between 2 sites. In the central site there are 2 Cisco routers located, an 1841 and a 2600; the remote site has a single 2600 router.

How can I configure VPN redundancy between these sites along with load balancing?

In this setup the remote site has a single router and the hub site (central site) has 2 routers for the VPN connectivity to be configured.

The project is already about to be awarded to me, but due to lack of knowledge I am delaying taking over this project.

Please help me to solve this issue.

Thanks in Advance

Swamy

5 Replies

Richard Burts
Hall of Fame

I have implemented something at a customer site that sounds similar to what you are asking. We configure IPSec VPN with GRE tunnels. The GRE tunnels allow us to send the multicast packets used by routing protocols. On the 2600 at the site which has a single router, configure two tunnels. One tunnel will peer with the 1841 and the other tunnel will peer with the other 2600. Run a routing protocol over the tunnels. Make sure that the bandwidth on both tunnels is configured the same so that the routing protocol will see two equal paths.

Configuring in this way will give you redundancy and load sharing. Some traffic will go over the tunnel to the 1841 and some traffic will go over the tunnel to the 2600. If there is a problem on either router the routing protocol will recognize it and after convergence all traffic will use the tunnel that is still functioning.

HTH

Rick

Dear Rick,

Thanks for the information.

Is it possible using IPsec?

The customer is not willing to go for the routing protocol.

Is any other solution available?

Thanks in advance

swamy

I think it can be done. You can certainly configure two IPSec tunnels from the remote to the two routers at the central site. If you configure IPSec without GRE then no routing protocol can be used. This means that you would need two static routes (probably default routes) on the remote routers pointing to the two routers at the central site.

I believe that Cisco has developed a High Availability setup for IPSec so that a remote site can have two peers at a central site and establish a primary and backup relationship. I have not used this and do not have much information about it.

I believe that one of the challenges of doing IPSec tunnels without routing protocols is to detect when one of the peers is not working. Part of the issue is working out how to withdraw the route to the remote peer if the remote peer is not working. (Otherwise you create a black hole because you have a static route pointing to a destination that is not available.) Cisco has implemented a feature called Object Tracking which may be helpful. I have seen some configurations that use Object Tracking in conjunction with static routes so that if some remote object (in your case the IP address of the remote peer) becomes unavailable, then the static route is withdrawn. I believe that this is what you will need.

HTH

Rick

Instead of using two IPsec tunnels, just define one that has two peers - both routers at the main site. You could then configure and use isakmp keepalive on all central site and remote routers. I believe that in this fashion, if one peer detects the drop-off of another peer due to the lack of isakmp keepalives, then the traffic will flow to the next peer after the new SAs are established.
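The single crypto map with two hub peers plus ISAKMP keepalives (dead peer detection) described above, written out for the remote 2600 as an added example in Cisco IOS syntax; this is not configuration from the original thread, and the addresses, key, ACL and interface names are constructed placeholders.

```ios
! Remote-site 2600 (constructed example). 203.0.113.1 and 203.0.113.2 are the
! two hub routers' public addresses, 192.168.1.0/24 the hub LAN,
! 192.168.2.0/24 the remote LAN and Fa0/0 the WAN interface; all placeholders.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! One pre-shared key per hub peer (REPLACE-ME is a placeholder, not a real key)
crypto isakmp key REPLACE-ME address 203.0.113.1
crypto isakmp key REPLACE-ME address 203.0.113.2
! Dead Peer Detection: probe every 10 s, retry every 3 s once the peer goes
! silent. This is what lets the remote notice a failed hub and move on.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended HUB-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! One crypto map entry listing both hub routers as peers. IOS negotiates
! with 203.0.113.1 first and only falls back to 203.0.113.2 when the first
! peer does not answer or DPD declares it dead, so this gives failover,
! not load sharing.
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set peer 203.0.113.2
 set transform-set TS
 match address HUB-TRAFFIC
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map VPN
!
! A single static route for the hub LAN; the crypto map, not the routing
! table, decides which hub the traffic is encrypted to.
ip route 192.168.1.0 255.255.255.0 198.51.100.1
!
! Each hub router (1841 and 2600) mirrors this with the remote as its only
! peer and the same keepalive setting. Hub LAN hosts still need a path to
! 192.168.2.0/24 via whichever hub currently holds the SA (for example a
! tracked static route or HSRP), which is outside this snippet.
```

Verify failover with `show crypto isakmp sa` and `show crypto ipsec sa` on the remote: after the primary hub stops answering, the SA peer address should change to 203.0.113.2 within roughly the keepalive interval plus retries.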

Mr. Ehirsel,

Thanks for your info. I am planning to do the same in a short period.

swamy