[c-nsp] IPSec backup

Shakeel Ahmad shakeelahmad at gmail.com
Sun Aug 13 14:15:39 EDT 2006


The GRE solution will work fine without any issues except a few GRE keepalives
on both links all the time, AND GRE has some drawbacks (specific to a few
applications) ... you might have to adjust the MTU on both sides to make the
applications work.

If HQ has a single upstream ISP, I would go for DMVPN (MPGRE+IPSEC), which
is (in my opinion) more efficient than a normal GRE tunnel.

BTW I have also read somewhere about On-Demand DMVPN - not used/not sure

cheers,
Shakeel


On 8/11/06, szilard csordas <redmond at freemail.hu> wrote:
>
> hello,
>
> A small site has 2 routers with 2 Internet accesses from different
> providers. They are connected to the headquarters via IPSec. The routers
> play an HSRP to the LAN and the primary router builds up a tunnel to
> the HQ. Object tracking is configured on the primary (pinging one of
> the HQ's IP).
> If the ping fails it will decrease the HSRP priority, the secondary
> takes over and builds up a new tunnel (DPD is turned on).
> It works but if some intermediate provider blocks the ICMP packet it
> will trigger the secondary line, so it's a little unreliable.
>
> I am also thinking about GRE+IPSec+OSPF so I can do load-balancing
> also (this is not so important), but I am hesitating because I haven't
> configured this together before. (also the topology in HQ is not
> simple: 6500+vpsm+fwsm+static nat)
>
>       HQ
>      |    |
>   gre    gre (ospf,IPSec)
>   |           |
> R1          R2
>      hsrp
>      (lan)
>
>
> Does anyone have a better idea to solve the problem?
>
> any advice is appreciated,
> Szilard Csordas
>
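
The MTU adjustment mentioned in the reply can be sized by adding up the GRE and ESP overhead. The following is an added example, not part of the original thread or either poster's configuration; the cipher suites, the 1500-byte link MTU, the NAT-T option and all function names are assumptions chosen for illustration.

```python
# Added example (not from the thread): room left for the inner packet after
# GRE, then IPsec ESP. Cipher parameters are assumptions, not the posters' config.
IPV4 = 20        # IPv4 header without options
GRE = 4          # base GRE header, no key or sequence number
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad-length + next-header bytes
NAT_T = 8        # UDP header added when ESP is UDP-encapsulated (NAT traversal)

# name: (cipher block size, IV length, truncated ICV length)
SUITES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
}

def wire_size(inner_len, suite, transport=False, nat_t=False):
    """On-wire IPv4 size of an inner packet after GRE, then ESP."""
    block, iv, icv = SUITES[suite]
    # Tunnel mode encrypts the whole GRE/IP packet; transport mode reuses
    # the GRE delivery IP header and encrypts only GRE + inner packet.
    clear = inner_len + GRE + (0 if transport else IPV4)
    pad = -(clear + ESP_TRAILER) % block      # pad up to the cipher block size
    cipher = clear + ESP_TRAILER + pad
    return IPV4 + (NAT_T if nat_t else 0) + ESP_HDR + iv + cipher + icv

def max_inner_mtu(link_mtu, suite, **kw):
    """Largest inner packet that is not fragmented after encapsulation."""
    size = link_mtu
    while size > 0 and wire_size(size, suite, **kw) > link_mtu:
        size -= 1
    return size

def tcp_mss(ip_mtu):
    """MSS that keeps a TCP segment inside ip_mtu (IPv4 + TCP, no options)."""
    return ip_mtu - 40

if __name__ == "__main__":
    for suite in SUITES:
        for kw in ({}, {"transport": True}, {"nat_t": True}):
            mtu = max_inner_mtu(1500, suite, **kw)
            print(f"{suite:22} {str(kw):20} mtu={mtu} mss={tcp_mss(mtu)}")
```

Under these assumptions a tunnel IP MTU of 1400 fits in every case except AES-CBC tunnel mode with NAT-T, where the limit drops to 1398 and the tunnel MTU has to be set lower.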

