Swift asked:
IPSEC VPN on Cisco routers or ASAs

In the attached diagram, things seem complex at first look, but let me explain.
We have 2 DSL links from our ISP, about 8mb, active and backup, connected across two 2811 routers.
These routers terminate on a pair of Alteon Application switches by Nortel. The Nortel switches work in a mode that basically sandwiches two ASA 5520 firewalls. The motive behind this design was to use both ASAs in Active/Active mode with load balancing automatically instead of spreading across the VLANs on both the firewalls. It also gives me the ability to offload SSL for my DMZ app servers. The red lines signify the 'Active' route the data takes, while the black lines signify the 'redundant' route.

The issue is, on the Alteon App switches facing the routers, I cannot terminate IPSEC VPN connections, and bringing them down to the ASAs on public IPs is proving a bit tedious.

What are my options?
What's the drawback of terminating IPSEC VPNs on my 2811 routers?
They have 256 MB on board and come with integrated onboard VPN encryption acceleration. There is also an add-on module, AIM-VPN/EPII-PLUS, which is called "Enhanced-performance DES, 3DES, AES, and compression VPN encryption AIM".

Do I need this if I terminate 6 of my IPSEC VPNs on my routers? Can I live without this added AIM?
Also, as my total design is seemingly built with redundancy in mind and automatic failovers, what are my chances of making even my IPSEC VPN fail over automatically between the two routers?

[Attachment: IPSEC-VPN.jpg]

billwharton answered:

So if you look at the theoretical numbers from Cisco, the 2811 can do 1500 tunnels and 55mbps throughput with onboard VPN (no AIM card needed):
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns710_Networking_Solutions_Brochure.html

However, in the real world, the numbers are a little different. I ran my 2811 router with about 35 VPN tunnels with each one passing about 1mbps of data and I didn't see a problem. After I threw in a few IP telephony components to the router, latency times increased just a bit.

Hence, if you are only using this router for basic routing and IPSEC, it should work just fine. I don't see the need for an AIM card for you.

As for redundancy, you should set up IPSEC VPN high availability. You'll basically set up your peers to establish VPN connections with each one of your routers and provide them two different public IP addresses, since you have two ISPs.

Use this example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

There are many other examples on this page:
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

Hope this helps...
Is there anything else you are looking for? Have you decided the route you are taking with this solution?

Kindly let me know

Thank you
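The two-peer arrangement described in the answer above, written out as an added Cisco IOS configuration example. This is not configuration from the original thread or from Cisco's linked notes; every address is constructed (203.0.113.1 and 198.51.100.1 stand for the public IPs of the two 2811s, 192.0.2.10 for a remote site's router, 10.1.0.0/24 and 10.2.0.0/24 for the HQ and remote LANs), and the pre-shared keys are placeholders. The remote side lists both HQ routers in one crypto map entry and relies on Dead Peer Detection to move to the second peer when the first stops answering; the HQ side shows router A, with router B differing only in its own public address and key.

```cisco
! --- Remote site router (constructed example: 192.0.2.10 is its public IP) ---
! Phase 1 policy: AES-256 / SHA / pre-shared key / DH group 14
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
! One pre-shared key per HQ router (placeholder values; use long random keys)
crypto isakmp key PLACEHOLDER-PSK-A address 203.0.113.1
crypto isakmp key PLACEHOLDER-PSK-B address 198.51.100.1
! Dead Peer Detection: probe every 10 s, retry every 3 s, so a dead
! primary peer is noticed within seconds and the map moves to the next peer
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic selector: remote LAN -> HQ LAN (mirrored on the HQ routers)
ip access-list extended VPN-TO-HQ
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! Two peers in one crypto map entry: tried in the order listed, and the
! router fails over to the next one when DPD declares the current one dead
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set peer 198.51.100.1
 set transform-set TS-AES256
 set pfs group14
 match address VPN-TO-HQ
!
interface FastEthernet0/0
 description Internet uplink
 ip address 192.0.2.10 255.255.255.0
 crypto map VPN-MAP
!
! --- HQ router A (2811 on the active DSL link, public IP 203.0.113.1) ---
! Router B is identical except for its address 198.51.100.1 and PLACEHOLDER-PSK-B
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key PLACEHOLDER-PSK-A address 192.0.2.10
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended VPN-TO-REMOTE
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS-AES256
 set pfs group14
 match address VPN-TO-REMOTE
 ! Inject a route to 10.2.0.0/24 only while this router holds the tunnel,
 ! so internal routing follows whichever 2811 the remote site is using
 reverse-route
!
interface FastEthernet0/0
 description DSL uplink (active)
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
```

Two points to keep in mind with this style of failover. First, it is a re-negotiation, not a stateful handover: when the remote site switches peers it builds new IKE and IPsec SAs with router B, so traffic in flight during the DPD window is lost; `show crypto isakmp sa` and `show crypto session` on both 2811s show which router currently holds the tunnel. Second, it assumes exactly what the answer says, that each router has its own independently reachable public address; the `reverse-route` line is there so the HQ LAN side learns the path to 10.2.0.0/24 through whichever router the tunnel landed on, which requires redistributing those static routes into whatever routing the Alteons and ASAs use.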
Swift (asker) replied:
Hi Bill. We realised that I have been provided a single subnet range of public addresses of about 16 hosts on both the links. The ISP guys say that they are advertising both the ranges on the two links. There is a meeting scheduled tomorrow to get more insight into their side of the configuration. They are possibly doing BGP. In such a scenario I am a bit confused about ways to configure IPSEC VPN high availability if both the links advertise the same IP subnet to the outside world.

Will let you know tomorrow.
Many thanks for the insights,
ASKER CERTIFIED SOLUTION
billwharton
