10-26-2009 02:29 AM
There are two sites with 2801/CallManager Express routers. I need to have a LAN-2-LAN connection over Eth WAN interfaces.
Is it possible to configure two VPN tunnels with redundancy? How do I monitor the VPN tunnel state and switch to the second tunnel?
10-29-2009 11:48 AM
There are a number of ways to go about it, but I would run with two encrypted tunnels and a routing protocol such as EIGRP to balance or provide failover. Something like this would do the trick.
! Router 1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ***** address 3.3.3.2 no-xauth
crypto isakmp key ***** address 4.4.4.2 no-xauth
!
crypto ipsec transform-set TS-AES256SHA1ESP esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set TS-AES256SHA1ESP
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 2.2.2.2 255.255.255.0
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source FastEthernet0/0
 tunnel destination 3.3.3.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source FastEthernet0/1
 tunnel destination 4.4.4.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
! Advertise Router 1's own LAN subnet (the Loopback0 network)
router eigrp 10
 network 10.0.0.0 0.0.0.255
!
! Reach Router 2's WAN subnets through Router 1's own next-hop routers
ip route 3.3.3.0 255.255.255.0 1.1.1.1
ip route 4.4.4.0 255.255.255.0 2.2.2.1
! Router 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ***** address 1.1.1.2 no-xauth
crypto isakmp key ***** address 2.2.2.2 no-xauth
!
crypto ipsec transform-set TS-AES256SHA1ESP esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set TS-AES256SHA1ESP
!
interface FastEthernet0/0
 ip address 3.3.3.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 4.4.4.2 255.255.255.0
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.0
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source FastEthernet0/1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN
!
router eigrp 10
 network 10.0.1.0 0.0.0.255
!
ip route 1.1.1.0 255.255.255.0 3.3.3.1
ip route 2.2.2.0 255.255.255.0 4.4.4.1
You'll want to make substitutions as follows:
***** - Your tunnel keys
Loopback0 - LAN Interface for each router
10.0.0.0 - LAN Subnet for Router1
10.0.1.0 - LAN Subnet for Router2
1.1.1.0 - WAN Subnet for Router1 FastEthernet0/0
1.1.1.1 - Next-hop Router for Router1 FastEthernet0/0
1.1.1.2 - Interface of Router1 FastEthernet0/0
1.1.1.0 - WAN Subnet for Router1 FastEthernet0/1
1.1.1.1 - Next-hop Router for Router1 FastEthernet0/1
1.1.1.2 - Interface of Router1 FastEthernet0/1
3.3.3.0 - WAN Subnet for Router2 FastEthernet0/0
3.3.3.1 - Next-hop Router for Router2 FastEthernet0/0
3.3.3.2 - Interface of Router2 FastEthernet0/0
4.4.4.0 - WAN Subnet for Router2 FastEthernet0/1
4.4.4.1 - Next-hop Router for Router2 FastEthernet0/1
4.4.4.2 - Interface of Router2 FastEthernet0/1
You'll also want to adjust subnet masks and routing wildcards appropriately for your actual subnet masks.
This will create two VPN tunnels, each using a separate Internet connection on the FastEthernet ports. The EIGRP routing protocol will balance between them, using a single tunnel only when one should fail.
You can track which are up by monitoring the tunnel interface status.
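One way to act on the interface-status check mentioned in the answer above, as an added example that is not part of the original thread: a Python parser for `show ip interface brief` output that reports whether both encrypted tunnels are up or redundancy has been lost. The sample output is constructed, and the function names, the `OK`/`DEGRADED`/`DOWN` levels and the way the output is collected from the router are assumptions.

```python
import re

# Constructed sample of `show ip interface brief` from Router 1 (not real capture).
SAMPLE = """\
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            1.1.1.2         YES manual up                    up
FastEthernet0/1            2.2.2.2         YES manual up                    up
Loopback0                  10.0.0.1        YES manual up                    up
Tunnel0                    10.0.0.1        YES unset  up                    up
Tunnel1                    10.0.0.1        YES unset  up                    down
"""

# One data row: name, address, OK?, method, status, line protocol.
# The header row does not match because its third column is "OK?".
ROW = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>up|down)\s*$"
)


def tunnel_states(output):
    """Return {tunnel name: (status, protocol)} for every Tunnel interface."""
    states = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m and m.group("ifname").startswith("Tunnel"):
            states[m.group("ifname")] = (m.group("status"), m.group("proto"))
    return states


def assess(output, expected=("Tunnel0", "Tunnel1")):
    """Classify redundancy: OK (all up), DEGRADED (some up), DOWN (none up).

    A tunnel counts as up only when both Status and Protocol are "up";
    a tunnel missing from the output is counted as down.
    """
    states = tunnel_states(output)
    up = [t for t in expected if states.get(t) == ("up", "up")]
    down = [t for t in expected if t not in up]
    if not down:
        level = "OK"
    elif up:
        level = "DEGRADED"
    else:
        level = "DOWN"
    return level, up, down


if __name__ == "__main__":
    print(assess(SAMPLE))
```

Alerting on `DEGRADED` matters here because EIGRP fails over silently: traffic keeps flowing on the surviving tunnel while the site has no backup path left.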