[c-nsp] IPSec backup

szilard csordas redmond at freemail.hu
Tue Aug 15 05:09:58 EDT 2006 

Hello Shakeel,

Thank you for the idea, soon I will have more routers in our lab so I can 
test it.
by the way, the HQ has 2upstream providers, but the IPSec tunnel is 
not terminated on the edge devices so it shouldn't be a problem.

rgs,
Szilard


Shakeel Ahmad <shakeelahmad at gmail.com> írta:

> GRE solution will work fine without any issues except 
few GRE keepallives on
> both links all the time AND GRE have some drawback 
(specific to few
> applications) ... you might have to adjust the MTU on 
both sides for making
> applications to work.....
> 
> if HQ have a single upstream ISP, i would go for DMVPN 
(MPGRE+IPSEC) which
> is (in my opinion) more efficient than a normal GRE 
tunnel.
> 
> BTW  i have also read somewhere about On-Demand DMVPN - 
not used/not sure
> 
> cheers,
> Shakeel
> 
> 
> On 8/11/06, szilard csordas <redmond at freemail.hu> wrote:
> >
> > hello,
> >
> > A small site has 2routers with 2internet accesses from 
different
> > providers. They are connected to the headquater via 
IPSec. The routers
> > play an HSRP to the LAN and the primary router builds 
up a tunnel to
> > the HQ. Object tracking is configured on the primary 
(pinging one of
> > the HQ's IP).
> > If the ping fails it will decrease the HSRP priority, 
the secondary
> > takes over and builds up a new tunnel (DPD is turned 
on).
> > It works but if some intermediate provider blocks the 
ICMP packet it
> > will trigger the secondary line, so it's a little 
unreliable.
> >
> > I am also thinking about GRE+IPSec+OSPF so i can do 
load-balancing
> > also(this is not so important), but I am hesitating 
because I haven't
> > configured this together before. (also the topology in 
HQ is not
> > simple: 6500+vpsm+fwsm+static nat)
> >
> >       HQ
> >      |    |
> >   gre    gre (ospf,IPSec)
> >   |           |
> > R1          R2
> >      hsrp
> >      (lan)
> >
> >
> > Does anyone have a better idea to solve the problem?
> >
> > any advice is appreciated,
> > Szilard Csordas
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 

_______________________________________________________________________
FOTO.hu - Online fotórendelés kidolgozás. Folyamatos Akciók! Kiváló minőség! Ingyen házhoz szállítás! 
Részletekért kattintson ide: http://www.foto.hu/index.php?zoneid=origo2

More information about the cisco-nsp mailing list