[c-nsp] IPSec backup

szilard csordas redmond at freemail.hu
Fri Aug 11 04:27:02 EDT 2006


Hello,

A small site has 2 routers with 2 Internet accesses from different
providers. They are connected to the headquarters via IPSec. The routers
run HSRP towards the LAN and the primary router builds up a tunnel to
the HQ. Object tracking is configured on the primary (pinging one of
the HQ's IPs).
If the ping fails it will decrease the HSRP priority, the secondary
takes over and builds up a new tunnel (DPD is turned on).
It works but if some intermediate provider blocks the ICMP packet it
will trigger the secondary line, so it's a little unreliable.

I am also thinking about GRE+IPSec+OSPF so I can do load-balancing
as well (this is not so important), but I am hesitating because I haven't
configured this together before. (Also, the topology in HQ is not
simple: 6500+vpsm+fwsm+static nat)

       HQ
      |    |
   gre    gre (ospf,IPSec)
   |           |
R1          R2
      hsrp
      (lan)


Does anyone have a better idea to solve the problem?

Any advice is appreciated,
Szilard Csordas
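
The setup described in the message above, sketched as an IOS configuration for the primary router. This is an added example, not configuration from the original post: all addresses (documentation ranges), interface names, group, track and probe numbers are assumptions, and the probe/track keywords differ between IOS releases (older trains use `rtr` where this sketch uses `ip sla`).

```cisco
! Added illustration for R1 (primary); every value here is hypothetical.
!
! ICMP probe towards an address at HQ (192.0.2.10 is a placeholder).
ip sla 1
 icmp-echo 192.0.2.10 source-interface FastEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Tracked object follows probe reachability only. If a transit provider
! filters the ICMP echo, this object goes down even though the IPSec
! tunnel itself is healthy, which is the false failover described above.
track 10 ip sla 1 reachability
!
! LAN side: HSRP group shared with R2. R2 keeps the default priority (100),
! so a decrement of 20 from 110 hands the virtual IP to R2.
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 20
!
! Dead Peer Detection: 10 s keepalive interval, 3 s between retries,
! so stale SAs towards HQ are torn down when the peer stops answering.
crypto isakmp keepalive 10 3
```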

