IPSEC VPN on Cisco routers or ASAs

Posted on 2008-11-07
Last Modified: 2012-05-05
In the attached diagram, things seem to be complex at first look, but let me explain.
We have 2 DSL links from our ISP, about 8mb, active and backup, connected across two 2811 routers.
These routers terminate on a pair of Alteon Application switches by Nortel. The Nortel switches work in a mode that basically sandwiches two ASA 5520 firewalls. The motive behind this design was to use both ASAs in Active Active mode with load balancing automatically instead of spreading across the VLANs on both the firewalls. It also gives me the ability to offload SSL for my DMZ app servers. The red lines signify the 'Active' route the data takes, while the black lines signify the 'redundant' route.

The issue is, on the Alteon App switches, facing the routers, I cannot terminate IPSEC VPN connections, and bringing them down to the ASAs on public IPs is proving a bit tedious.

What are my options?
What's the drawback of terminating IPSEC VPNs on my 2811 routers?
They have 256 MB on board and come with integrated onboard VPN encryption acceleration. There is also an add-on module AIM-VPN/EPII-PLUS, which is called "Enhanced-performance DES, 3DES, AES, and compression VPN encryption AIM".

Do I need this if I terminate 6 of my IPSEC VPNs on my routers? Can I live without this added AIM?
Also, as my total design is seemingly built with redundancy in mind and automatic failovers, what are my chances of making even my IPSEC VPN automatic failover between the two routers?

Question by: fahim

    Expert Comment

    So if you look at the theoretical numbers from Cisco, the 2811 can do 1500 tunnels and 55mbps throughput with onboard VPN (no AIM card needed).

    However, in the real world, the numbers are a little different. I ran my 2811 router with about 35 VPN tunnels with each one passing about 1mbps of data and I didn't see a problem. After I threw in a few IP telephony components to the router, latency times increased just a bit.

    Hence, if you are only using this router for basic routing and IPSEC, it should work just fine. I don't see the need for an AIM card for you.

    As for redundancy, you should set up IPSEC VPN high availability. You'll basically set up your peers to establish VPN connections with each one of your routers and provide them two different public IP addresses since you have two ISPs.

    Use this example:

    There are many other examples on this page:

    Hope this helps...

    Expert Comment

    Is there anything else you are looking for? Have you decided the route you are taking with this solution?

    Kindly let me know

    Thank you

    Author Comment

    Hi Bill.. we realised that I have been provided a single subnet range of public addresses of about 16 hosts on both the links. ISP guys say that they are advertising both the ranges on the two links. There is a meeting scheduled tomorrow to get more insight into their side of the configuration. They are possibly doing BGP. In such a scenario I am a bit confused about ways to configure IPSEC VPN high availability if both the links advertise the same IP subnet to the outside world.

    Will let you know tomorrow.
    Many thanks for the insights,

    Accepted Solution

    They'll advertise the same subnet, but the external IP addresses of the 2811s will remain unique and distinct. Hence, you can still do IPsec HA.
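The approach the expert describes (each remote peer able to build its tunnel to either 2811, using the two distinct public addresses out of the one subnet the ISP advertises on both links) can be expressed as the IOS crypto-map configuration below. This is an added illustration for the thread, not configuration from the asker or from Cisco documentation; the addresses are RFC 5737 documentation space (192.0.2.1 and 192.0.2.2 for the two hub routers, 203.0.113.10 for one spoke), the names VPNMAP, TS-AES256 and the access lists are chosen here, and the pre-shared key is a placeholder to be replaced per peer.

```cisco
! ===== Hub side: router A (the 2811 on the active DSL link) =====
! Router B carries the same configuration with 192.0.2.2 on its WAN interface.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Dead Peer Detection: probe every 10 s, declare the peer dead after 3 misses.
! This is what lets a spoke notice a failed hub and move to the other one.
crypto isakmp keepalive 10 3 periodic
!
! One pre-shared key per peer (placeholder value; use a long random key).
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.10
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Only traffic matched by this ACL is protected; keep it to the real LAN ranges
! so nothing is silently sent in the clear or accepted from an unexpected source.
ip access-list extended VPN-TO-SPOKE1
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES256
 set pfs group2
 match address VPN-TO-SPOKE1
!
interface FastEthernet0/0
 description DSL link to ISP (router A public side, one address out of the /28)
 ip address 192.0.2.1 255.255.255.240
 crypto map VPNMAP
!
! ===== Spoke side =====
! Both hub addresses are listed under one crypto map entry. IOS builds the
! tunnel to the first peer; once DPD marks it dead, it retries with the second.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp keepalive 10 3 periodic
crypto isakmp key REPLACE-WITH-STRONG-KEY address 192.0.2.1
crypto isakmp key REPLACE-WITH-STRONG-KEY address 192.0.2.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended VPN-TO-HUB
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set peer 192.0.2.2
 set transform-set TS-AES256
 set pfs group2
 match address VPN-TO-HUB
!
interface FastEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 crypto map VPNMAP
```

After applying it, `show crypto isakmp sa` and `show crypto ipsec sa` on the spoke show which hub address the current SA is built to, and pulling the active DSL link should move it to 192.0.2.2 within roughly the DPD window (10 s interval times 3 retries). Because the spoke chooses the hub, the hub routers need no shared state between them for this to work; traffic returning from the hub LAN must still be able to reach whichever 2811 holds the tunnel, which is a routing matter on the inside rather than part of the IPsec configuration.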
