
VPN Resilience solution

s.vidanovic
Level 1

I have a customer with the following requirements: a central site and 10 remote sites. He wants to do IPSec VPN from the remote sites to the central site over the Internet. That's fine. Should the Internet connection become unavailable, the customer wants the VPN devices to switch to ISDN dial from the remotes to the central site without user intervention. What I have in mind is IKE Keepalive and Dead Peer Detection, and possibly GRE. The issue is that the VPN device needs to recognize a dead IPSec tunnel and signal another device to do the ISDN dial (the only reasonable solution would be to use IOS routers in HSRP for that - one is the VPN device, the other the ISDN router).

Does anyone have any ideas about this?

Thanks in advance.

Sasa Vidanovic

7 Replies

ali-franks
Level 1

Hi Sasa,

Try running EIGRP with authentication over the VPNs, and use floating static routes with an admin distance higher than that of internal EIGRP to bring up the ISDN. I recently had it running between 1720s and the ISDN came up within about 10 secs of the VPN interface going down.

I haven't actually used Dead Peer Detection, so not sure on that score.

I can send the configs if you wish, as a base to start from.

Ali

Hi Ali,

Thanks very much for your answer. I would appreciate it if you could send me some config examples.

Sasa

Hi Sasa,

Sorry I didn't get back to you earlier - been busy here!!

No problem. Mail me and I'll send them to you.

ali.franks@jt-bsg.co.uk

michaand
Level 1

I would go with the GRE tunnels (vs. IKE keepalive) and allow a routing protocol to determine that the IPSEC tunnel is down, and use DDR (if you can) to connect the ISDN. Then once the Internet connection becomes available, traffic should fail back over. You don't have that ability with IKE keepalives, and the path will stay on the ISDN line until a new SA is required or you do a manual failover. Using the GRE tunnels with a routing protocol should automate everything you are looking for. This assumes you are using something like a 2600 series router that has both WAN interfaces.
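The single-router design that Ali and Michael describe (GRE over IPsec, EIGRP with MD5 authentication across the tunnel, and a floating static route with an administrative distance above EIGRP's internal 90 pointing at a dialer interface) written out as an added example of a remote-site router configuration. This is not a config from the thread or from either poster. Every address, the hub peer 203.0.113.1, the dialer string, key names and the REPLACE-WITH-... secrets are placeholders; the commands assume a 12.2/12.3-era IOS on a router with Ethernet, serial and BRI interfaces, and the exact DPD and GRE keepalive syntax varies by release.

```ios
! Added example: remote-site router with GRE over IPsec, EIGRP over the
! tunnel and ISDN DDR as floating-static backup. Not from the thread.
! Assumed addressing: central LAN 192.168.0.0/24 behind hub 203.0.113.1,
! remote LAN 192.168.1.0/24, this router's Internet address 198.51.100.2.
hostname remote1
!
! --- IKE phase 1 and DPD (keepalive syntax varies by IOS release) ---
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.1
crypto isakmp keepalive 10 3
!
! --- IPsec: protect only GRE between the two tunnel endpoints ---
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode transport
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address GRE-TO-HUB
!
ip access-list extended GRE-TO-HUB
 permit gre host 198.51.100.2 host 203.0.113.1
!
! --- GRE tunnel carrying EIGRP. The GRE keepalive takes the interface down
!     when the hub stops answering, which removes the EIGRP neighbour and
!     every route learned over the tunnel ---
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 keepalive 10 3
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 tunnel source Serial0/0
 tunnel destination 203.0.113.1
!
interface Serial0/0
 description Internet
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN
!
interface FastEthernet0/0
 description Remote LAN
 ip address 192.168.1.1 255.255.255.0
!
! --- ISDN DDR toward the central site ---
isdn switch-type basic-net3
interface BRI0/0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp authentication chap
!
interface Dialer1
 ip address 10.254.0.2 255.255.255.252
 encapsulation ppp
 dialer pool 1
 dialer remote-name central
 dialer string 0123456789
 dialer idle-timeout 120
 dialer-group 1
 ppp authentication chap
 ppp chap hostname remote1
 ppp chap password 0 REPLACE-WITH-CHAP-SECRET
!
! Only user traffic toward the central LAN is "interesting", so the call is
! placed on demand and dropped after idle-timeout once the tunnel is back.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip list 101
!
! --- EIGRP with MD5 authentication; the dialer subnet is deliberately not
!     in EIGRP, so no hellos cross (or keep up) the ISDN line ---
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-EIGRP-SECRET
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 no auto-summary
!
! --- Routes: default to the ISP for the tunnel endpoint; floating static
!     (AD 200 > internal EIGRP 90) to the central LAN via ISDN, installed
!     only while the EIGRP route over the tunnel is gone ---
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 192.168.0.0 255.255.255.0 Dialer1 200
```

Failover and failback are both driven by the routing table: when Tunnel0 drops, the EIGRP route for 192.168.0.0/24 disappears, the floating static via Dialer1 is installed, and the next interesting packet places the call; when the tunnel comes back, EIGRP reinstalls the route at AD 90, the static is withdrawn, and the ISDN call clears after `dialer idle-timeout`. The hub needs the mirror-image crypto configuration (`set peer 198.51.100.2`, the reverse `permit gre` entry, Tunnel0 at 10.255.0.1) and a dialer interface that accepts CHAP from `remote1`. Matching only GRE in the crypto ACL is what keeps the Internet default route usable for the tunnel endpoint itself; do not let the floating static or any summary cover 203.0.113.1, or the tunnel destination becomes recursive.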

Hi Michael,

I recommended EIGRP with authentication as you can see from the posts. Obviously I would be more inclined to listen to advice from Cisco Systems so....

What are the pitfalls or advantages of one solution over the other? Curious

It sounds to me that it would achieve the same end result, no?

Cheers

Ali

Hi,

This can be achieved without GRE. If both of your routers have serial and ISDN interfaces, then, should the serial go down, routing protocol keepalives (for example OSPF) trigger the ISDN to dial. I already have that kind of situation with another customer, and it works perfectly.

What I need now is that serial interface (for VPN connection) is on one router, and ISDN interface is on another router...

Sasa Vidanovic

How do you run a routing protocol across an IPSEC tunnel? IPSEC tunnels only forward unicast traffic. Therefore you need the GRE tunnels to run a routing protocol across an IPSEC tunnel. If you run a routing protocol between the VPN device and the ISDN device, the metrics should take care of which link gets used. Albeit, you may need to front-end this solution with another router, or, like you said, run HSRP.
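The two-box variant Sasa actually asks about (VPN router and ISDN router as separate boxes on the remote LAN) combined with the HSRP idea from the original question and the "routing protocol between the VPN device and the ISDN device" idea from the last reply, as an added example that is not from the thread or from any poster. It assumes a remote LAN 192.168.1.0/24 with HSRP virtual gateway 192.168.1.254, a central LAN 192.168.0.0/24, a GRE tunnel 10.255.0.0/30 on the VPN router, and EIGRP AS 100 with an MD5 key chain; all of these, the hostnames and the REPLACE-WITH-... secrets are placeholders. The crypto map, Tunnel0 and Dialer1 configurations are the ordinary GRE-over-IPsec and DDR ones and are left out; only the hand-off between the two routers is shown.

```ios
! Added example: remote site split across two routers sharing one LAN.
! Not from the thread. Assumed addressing: remote LAN 192.168.1.0/24
! (HSRP virtual gateway 192.168.1.254), central LAN 192.168.0.0/24,
! GRE tunnel 10.255.0.0/30 on the VPN router. Crypto map, Tunnel0 and
! Dialer1 details are omitted; only the hand-off between the boxes is shown.
!
! ===== VPN router (holds the IPsec/GRE tunnel) =====
hostname remote1-vpn
!
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-EIGRP-SECRET
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 standby 1 ip 192.168.1.254
 standby 1 priority 110
 standby 1 preempt
! When Tunnel0 goes down (GRE keepalive or DPD), priority drops to 80,
! below the ISDN router's 90, so the ISDN router takes over as gateway.
 standby 1 track Tunnel0 30
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 no auto-summary
!
! ===== ISDN router (holds BRI0/0 and Dialer1) =====
hostname remote1-isdn
!
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-EIGRP-SECRET
!
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 standby 1 ip 192.168.1.254
 standby 1 priority 90
 standby 1 preempt
!
router eigrp 100
 network 192.168.1.0 0.0.0.255
 no auto-summary
! The floating static below is only in the RIB while no EIGRP route
! (AD 90) for the central LAN is heard from the VPN router, so it is
! redistributed as an external route (AD 170) exactly while the tunnel
! is down. The metric roughly describes a 64 kbit/s ISDN B channel.
 redistribute static metric 64 20000 255 1 1500
!
! Floating static toward the central LAN via ISDN, AD 200 > internal EIGRP 90.
ip route 192.168.0.0 255.255.255.0 Dialer1 200
! Interesting traffic: user traffic only, so the call is placed on demand
! and clears after the dialer idle-timeout once the tunnel route returns.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip list 101
```

Two mechanisms cover the two failure cases. If only the tunnel fails, the VPN router withdraws 192.168.0.0/24, the ISDN router installs its floating static and starts advertising it as an external route, and HSRP tracking hands the virtual gateway to the ISDN router, so hosts reach the central site over ISDN without any reconfiguration; when the tunnel returns, the internal EIGRP route (AD 90) displaces the static on the ISDN router, the external advertisement stops, HSRP preempts back, and the call clears. If the whole VPN router dies, HSRP alone moves the gateway and the floating static on the surviving box is already in place. Authenticating EIGRP on the LAN, not just on the tunnel, is what stops a rogue neighbour on that segment from advertising a better route for the central LAN and pulling the site's traffic toward itself.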