syerkes

Cisco Router-to-Router VPN Backup for Point-to-Point Links

Site 1:
3640: IOS 12.3 IP / FW / IDS Plus IPSEC 3DES
E0/0: 10.10.1.5 / 24
E1/0: A.B.C.D / 24
S0/1: 10.10.6.13 /29

Site 2:
2611: IOS 12.3 IP / FW / IDS Plus IPSEC 3DES
FA0/0: 10.10.6.14 /24
FA0/1: E.F.G.H / 24
S0/0: 10.10.6.14 /29

Sites are currently connected via serial point-to-point.  The goal here is to dynamically use the E1 ports to create an IPSec tunnel / VPN when / if the point-to-point fails.  The letters on both sites represent the current IP address provided by the ISP.  Both sites use OSPF now for routing; however, I would move to a static or floating route if it makes it easier and works.

I have reviewed both these sites and am still a bit confused.
http://tcpmag.com/qanda/article.asp?EditorialsID=249
http://www.cisco.com/warp/public/707/static.html

I'm really interested in what both running configurations would look like.

Any Willing Help?

Cheers, Shawn
fullerms

Let me understand this. You have a point-to-point link which will be your primary, and you need to use the VPN as your secondary. Simple to achieve.

You need to configure the IPsec VPN part, for which a lot of posts are available on this forum. The trick is in the routing. Your primary link is the serial, and therefore that should have a route with a lower metric. The VPN link can have a floating static, with a higher metric. When the serial link fails, the routers will automatically route the data towards the E1 links.

Since the VPN policies are already defined and applied, the tunnel is built on the fly and data is sent through the VPN. Once the serial link comes up again, data will again take the serial link, being the lower-cost route.

The VPN tunnel will be torn down after the timeout period. Suggest you set the timeout to a reasonable value like one hour.

If you need help on actual configs, will be glad to help.
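An added sample configuration that puts the floating-static approach above into IOS 12.3 syntax for the addressing in the question. It is not the accepted solution, not fullerms' configuration and not from Cisco. Assumptions: Site 2's LAN is 10.10.2.0/24 (the question lists FA0/0 with the same address as the serial), the ISP gateways are A.B.C.1 and E.F.G.1, and the pre-shared key is a placeholder to be replaced.

```cisco
! ===== Site 1 (3640) =====
! Phase 1: 3DES is what these IOS images support; lifetime matches the one-hour
! timeout suggested above.  Dead-peer detection tears down a peer that stops answering.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key REPLACE-WITH-STRONG-PSK address E.F.G.H
crypto isakmp keepalive 10 3
!
! Phase 2: the SA lifetime is the "timeout" after which an idle backup tunnel is gone.
crypto ipsec transform-set BACKUP-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
!
crypto map BACKUP-MAP 10 ipsec-isakmp
 set peer E.F.G.H
 set transform-set BACKUP-TS
 match address VPN-TRAFFIC
!
! Only LAN-to-LAN traffic is encrypted; nothing else is trusted across the Internet path.
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
!
! The crypto map goes on the Internet-facing E1 port.  If the IOS firewall or an inbound
! ACL sits on this interface, it must also permit udp/500 (ISAKMP) and ESP from E.F.G.H.
interface Ethernet1/0
 ip address A.B.C.D 255.255.255.0
 crypto map BACKUP-MAP
!
! Primary: static via the serial *interface*, so the route is withdrawn as soon as the
! line protocol drops.  Backup: floating static with AD 250, which loses to the primary
! (AD 1) and also to OSPF (AD 110) if OSPF is kept, and only installs when both are gone.
ip route 0.0.0.0 0.0.0.0 A.B.C.1
ip route 10.10.2.0 255.255.255.0 Serial0/1
ip route 10.10.2.0 255.255.255.0 A.B.C.1 250
!
! ===== Site 2 (2611): mirror image, only the differing lines =====
crypto isakmp key REPLACE-WITH-STRONG-PSK address A.B.C.D
crypto map BACKUP-MAP 10 ipsec-isakmp
 set peer A.B.C.D
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
interface FastEthernet0/1
 ip address E.F.G.H 255.255.255.0
 crypto map BACKUP-MAP
ip route 0.0.0.0 0.0.0.0 E.F.G.1
ip route 10.10.1.0 255.255.255.0 Serial0/0
ip route 10.10.1.0 255.255.255.0 E.F.G.1 250
```

Verify the failover with `show ip route 10.10.2.0` (the 250 route appears only after the serial drops) and `show crypto isakmp sa` once LAN traffic has triggered the tunnel.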
syerkes (ASKER)

You are correct in stating the goals.  Primary link is p-to-p, backup is VPN.  Timeout period of an hour is fair; I assume it is to prevent link flap or routing problems.

I would like to see an actual sample config for both sides.  Once I have that I believe it will be simple for me to reverse engineer it and understand it.  I'm surprised one doesn't exist on Cisco.com.

Thanks for your response fullerms.  I will be watching for the examples.  -Shawn
ASKER CERTIFIED SOLUTION
fullerms
