Solved

VPN failover

Posted on 2004-09-21
Last Modified: 2008-03-03
Here is my setup:
Home office has a T1 and a cable modem (when the T1 goes down we route traffic to the cable modem router). Each has a Cisco 831 router, 192.168.2.1 and 192.168.2.2 respectively, on our LAN.

Remote offices (with Cisco 806s or 831s) VPN into the T1 router.

My question is: with this setup, is it possible to have the remote offices establish a VPN with the cable modem router in the event that the T1 fails?
If not, what kind of setup/hardware would I need to get the desired result here?
Question by:frieked
Expert Comment

by:PennGwyn
The fact that the traffic is VPN is a side issue.  This is really the same question as fail-over from one ISP to another, which seems to get asked here about once a week.  And there really isn't a cheap answer for incoming traffic.

Does your T1 fail often?  Is there another provider in your area?

Author Comment

by:frieked
Any faults in the T1 are a problem for us; we've already switched from another service provider because they were down too much.

Losses from non-VPN traffic are negligible to us, but when our satellite offices lose the connection to our corporate office it causes major problems for us.

Ideally:
We want all of our branch offices (each with a Cisco 831) to have 2 IPsec tunnels to the corporate office, one to each of the 2 routers there (831 also).
One of the tunnels would have higher priority and be used as the default route to the corporate office, and it would only use the 2nd tunnel if the first connection went down for whatever reason.

Please let me know if this could be done with our current setup or if it's possible with another combination of hardware.  Don't consider money as an issue here in your answer.
Thanks
Author Comment

by:frieked
I found the answer to my question:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/gtdpmo.htm
Configuring DPD and Cisco IOS Keepalives with Multiple Peers in the Crypto Map
To configure DPD and IOS keepalives to be used in conjunction with the crypto map to allow for stateless failover, perform the following steps. This configuration will cause a router to cycle through the peer list when it detects that the first peer is dead.

SUMMARY STEPS
1. enable

2. configure terminal

3. crypto map map-name seq-num ipsec-isakmp

4. set peer {host-name [dynamic] | ip-address}

5. set transform-set transform-set-name

6. match address [access-list-id | name]

DETAILED STEPS

Step 1
 Command or Action: enable
 Example:
 Router> enable
 Purpose: Enables privileged EXEC mode.
 • Enter your password if prompted.

Step 2
 Command or Action: configure terminal
 Example:
 Router# configure terminal
 Purpose: Enters global configuration mode.

Step 3
 Command or Action: crypto map map-name seq-num ipsec-isakmp
 Example:
 Router(config)# crypto map green 1 ipsec-isakmp
 Purpose: Enters crypto map configuration mode and creates or modifies a crypto map entry.
 • The ipsec-isakmp keyword indicates that IKE will be used to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Step 4
 Command or Action: set peer {host-name [dynamic] | ip-address}
 Example:
 Router(config-crypto-map)# set peer 12.12.12.12
 Purpose: Specifies an IPSec peer in a crypto map entry.
 • You can specify multiple peers by repeating this command.

Step 5
 Command or Action: set transform-set transform-set-name
 Example:
 Router(config-crypto-map)# set transform-set txfm
 Purpose: Specifies which transform sets can be used with the crypto map entry.
 • You can specify more than one transform set name by repeating this command.

Step 6
 Command or Action: match address [access-list-id | name]
 Example:
 Router(config-crypto-map)# match address 101
 Purpose: Specifies an extended access list for a crypto map entry.
0
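An added example, not part of the post above or of the Cisco document it quotes: a Python check that reads a running-config excerpt and reports crypto map entries with fewer than two `set peer` lines, and a config with no `crypto isakmp keepalive` line, since the peer cycling described in the quoted steps needs a second peer and a way to detect that the first is dead. The sample config, its documentation-range addresses, the map name `blue` and the function name `audit_failover` are constructed for illustration, and the `crypto isakmp keepalive` command does not appear in the quoted steps.

```python
import re

# Constructed sample: branch-router running-config excerpt. Peer addresses are
# documentation-range placeholders. Map "green" follows the quoted steps with a
# second peer added; map "blue" is a single-peer entry for comparison.
SAMPLE_CONFIG = """\
crypto isakmp keepalive 10 3
!
crypto map green 1 ipsec-isakmp
 set peer 192.0.2.1
 set peer 198.51.100.1
 set transform-set txfm
 match address 101
!
crypto map blue 1 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set txfm
 match address 102
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\b")
PEER_RE = re.compile(r"^\s+set peer (\S+)")
DPD_RE = re.compile(r"^crypto isakmp keepalive (\d+)")


def audit_failover(config: str) -> dict:
    """Return the ordered peer list per crypto map entry plus failover findings."""
    peers, current, dpd = {}, None, False
    for line in config.splitlines():
        if DPD_RE.match(line):
            dpd = True
        m, p = MAP_RE.match(line), PEER_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            peers[current] = []
        elif current and p:
            peers[current].append(p.group(1))  # order matters: first peer is tried first
        elif not line.startswith(" "):
            current = None  # left crypto map configuration mode
    findings = [f"{name} {seq}: single peer, no failover target"
                for (name, seq), plist in peers.items() if len(plist) < 2]
    if not dpd:
        findings.append("no 'crypto isakmp keepalive' (DPD) line configured")
    return {"peers": peers, "findings": findings}


if __name__ == "__main__":
    for finding in audit_failover(SAMPLE_CONFIG)["findings"]:
        print(finding)
```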
 

Accepted Solution

by:
modulo earned 0 total points
PAQed with points refunded (125)

modulo
Community Support Moderator