Password727

Redundant VPN Tunnels between multiple sites configuration.

I am the administrator for a site which has 3 sites globally. Cisco is not my speciality. 2 x 871 Fibre routers in China, 2 x 877 DSL routers in AUZ and 2 (1 x 837 DSL and 1 x 1841 Fibre) in Auckland.
Auckland is the Hub and all services are accessed here. Currently VPNs are configured to AKL from China and Auz. I have HSRP configured on the routers, but it is pointless, as the NTU connection to the router will be fine while the ISP connection is down. Could someone help me with how I can configure redundant VPNs between AKL and the remote offices? I will need help as I have not attempted this before, but I can use trial and error.
ASKER CERTIFIED SOLUTION
decoleur
Password727

ASKER

Hi decoleur,

thanks for the reply. Had a read on DMVPN, thanks. I'll try and elaborate more. Routers at sites as above. China and Auz don't need to access anything at each other; all traffic goes to AKL. VPN currently between AKL1(HO) and CHINA1, AKL1(HO) and AUZ1. I also have AKL2(HO) and China2 and AUZ2. HSRP is configured on internal interfaces as x.x.x.254 for all sites.


AKL1 + AKL2
crypto map outsidemap 10 ipsec-isakmp
 set peer x.x.x.1            {China1}
 set peer x.x.x.2             {China2}
 set transform-set ESP-3DES-SHA
 match address vpn-China

crypto map outsidemap 20 ipsec-isakmp
 set peer x.x.x.1            {Sydney1}
 set peer x.x.x.2            {Sydney2}
 set transform-set ESP-3DES-SHA
 match address vpn-Sydney

China1
crypto map outsidemap 10 ipsec-isakmp
 description Tunnel to x.x.x.x      {AKL1}
 set peer x.x.x.x                   {AKL1}
 set transform-set ESP-3DES-SHA
 match address 100

China2
crypto map outsidemap 10 ipsec-isakmp
 description Tunnel to x.x.x.x      {AKL1}
 set peer x.x.x.x                   {AKL1}
 set transform-set ESP-3DES-SHA
 match address 100

Sydney1
crypto map outsidemap 10 ipsec-isakmp
 description Tunnel to x.x.x.x      {AKL1}
 set peer x.x.x.x                   {AKL1}
 set transform-set ESP-3DES-SHA
 match address 100

Sydney2
crypto map outsidemap 10 ipsec-isakmp
 description Tunnel to x.x.x.x      {AKL1}
 set peer x.x.x.x                   {AKL1}
 set transform-set ESP-3DES-SHA
 match address 100


Very basic VPN configuration. VPN tunnels work OK, and if China1 goes down China2 takes over via HSRP. Same for Sydney. If AKL goes down, issue!!!

Problem 1:
If the ISP in China or Sydney goes down, the WAN interface is still up in China or Sydney as the fibre has an NTU in the customer site, thus no automatic failover.
So HSRP is really not helpful. Maybe not being used to its best ability (Mine!)
As per the config above, if AKL1 goes down there is no help from AKL2, as nothing is yet implemented.
Need to have VPN failover between AKL and China, and AKL and Sydney.
I'm not using a routing protocol???

Also, if AKL goes down, do I just add the AKL2 IP as per below?

China1
crypto map outsidemap 10 ipsec-isakmp
 description Tunnel to x.x.x.x  and x.x.x.x    {AKL1}+{AKL2}
 set peer x.x.x.1                   {AKL1}
 set peer x.x.x.2                   {AKL2}
 set transform-set ESP-3DES-SHA
 match address 100

Hope this makes sense. Happy to provide greater configurations if need be.



Thanks for the help

ok, I think it makes more sense to me now. I would still be inclined to recommend the DMVPN to cut down on the VPN configurations, but I think, as I understand it, you have two issues.

if the vpn endpoint at a remote site goes down you do not failover to the other network device, hsrp issue.
how do you configure the vpn termination at the main site to be fault tolerant, vpn design issue.

for the hsrp issue i would look at using the track command with your hsrp configuration. in china you would have the vpn endpoint track its outside interface and if it went down then it would deprecate its priority and failover to the other router. At this time a second VPN tunnel would be built from R2 to the main site.

for the VPN issue, if you do not use a dynamic VPN technology I think you will have to have two VPNs terminate on each remote device with weighted routing, so when one path went down the other would take over.

let me know if you need more information on this, i think there might be an example somewhere ;)

-t
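The two pieces decoleur describes (HSRP tracking at the remote site, and a dual-peer crypto map at the spoke), written out as an added example for one remote router; this is not configuration from the thread or from decoleur. It assumes a Cisco 871 with FastEthernet4 as the WAN and Vlan1 as the LAN, uses RFC 5737 documentation addresses as placeholders (192.0.2.1 = AKL1, 192.0.2.2 = AKL2, 198.51.100.1 = ISP gateway), and keeps the ISAKMP policy, transform set and ACL 100 as already configured in the thread. It tracks an ICMP probe rather than the interface, because the asker's NTU keeps the WAN interface up when the ISP path is dead.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.1 AKL1, 192.0.2.2 AKL2,
! 198.51.100.1 China ISP gateway, 10.1.1.0/24 China LAN, PLACEHOLDER-PSK pre-shared key.
!
! 1) Probe a hub address through the ISP instead of tracking line-protocol:
!    the fibre NTU keeps FastEthernet4 up even when the ISP path is down.
!    Syntax is IOS-version dependent; older images use "rtr 1" and
!    "track 1 rtr 1 reachability" instead of "ip sla".
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet4
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! 2) HSRP on the LAN side. Losing the probe drops priority by 20, below the
!    standby router (China2 at priority 100 with preempt), which then owns the
!    .254 VIP and builds its own tunnel to AKL (AKL already lists it as a peer).
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
! 3) Hub-side redundancy: two peers in one crypto map entry. Dead Peer Detection
!    makes the spoke notice a dead AKL1 and re-negotiate with AKL2 instead of
!    waiting for the SA lifetime to expire. Both hubs need the same PSK entry.
crypto isakmp keepalive 10 3 periodic
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.1
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.2
crypto map outsidemap 10 ipsec-isakmp
 description Tunnel to AKL1 (primary) and AKL2 (backup)
 set peer 192.0.2.1
 set peer 192.0.2.2
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet4
 ip address 198.51.100.2 255.255.255.252
 crypto map outsidemap
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

China2 gets the same configuration with its own addresses and `standby 1 priority 100`; Sydney1/Sydney2 follow the same pattern against the same two AKL peers. Failover to AKL2 only works if AKL2's crypto map already lists both China and Sydney peers and carries its own ISAKMP keys, as the thread's AKL1 + AKL2 entries show.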
Hi,

sorry for the late reply. I like your idea; my problem is I haven't done either of those, so technically it could pose an issue. I'm happy to assign points if I can configure as described above, with clear examples if possible.

Thanks