• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4017
  • Last Modified:

IPSEC VPN on Cisco routers or ASAs

In the attached diagram, things seem to be a complex in the first look, but let me explain.
We have 2 DSL links from our ISP, about 8mb, active and backup, connected across two 2811 routers.
These routers terminate on a pair of Alteon Application switches by Nortel. The nortel switches work in a mode that basicallt sandwiches two ASA 5520 firewalls. The motive behind this design was to use both ASAs in Active Active mode with load balancing automatically instead of spreading across the VLANs on both the firewalls. It also gives me ability to offload SSL for my DMZ app servers. The red lines signifies the 'Active' route the data takes, while the blacl ;ines signify the 'redundant' route.

The issue is, on the Alteons App switches, facing the routers, I cannot terminate IPSEC VPN connections and to bring them down to ASA, on public IPs is proving a bit tedious.

What are my options?
What's the drawback of terminating IPSEC VPNs on my 2811 routers?
They have 256 MB on board and comes with integrated onbaord VPN encryption acceleration. There is alos an add-on module AIM-VPN/EPII-PLUS, which is called as "Enhanced-performance DES, 3DES, AES, and compression VPN encryption AIM".

Do I need this if I terminate 6 of my IPSEC VPns on my routers? Can I live without this added AIM?
Also, as my total design is seemingly built with redundancy in mind and automatic failovers, what are my chances of making even my IPSEC VPN automatic failover between the two routers?
 



IPSEC-VPN.jpg
0
fahim
Asked:
fahim
  • 3
1 Solution
 
billwhartonCommented:
So if you look into theory numbers by Cisco, the 2811 can do 1500 tunnels and 55mbps throughput with onboard VPN (no AIM card needed)
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns710_Networking_Solutions_Brochure.html

However, in the real world, the numbers are a little different. I ran my 2811 router with about 35 VPN tunnels with each one passing about 1mbps of data and I didn't see a problem. After I threw in a few IP telephony components to the router, latency times increased just a bit.

Hence, if you are only using this router for basic routing and IPSEC, it should work just fine. I don't see the need for an AIM card for you.

As for redundancy, you should set up IPSEC vpn high availability. You'll basically set up your peers to establish VPN connections with each one of your routers and provide them two different public IP addresses since you have two ISP's

Use this example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

There are many other examples on this page:
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

Hope this helps...
0
 
billwhartonCommented:
Is there anything else you are looking for? Have you decided the route you are taking with this solution?

Kindly let me know

Thank you
0
 
fahimAuthor Commented:
Hi Bill..we realised that I have been provided single subnet range of public addresses of about 16 hosts on both the links. ISP guys say that they are advertosing both the ranges on the two links. There is a meeting scheduled tomorrow to get more insight of their side of the configuration. They are possibly doing BGP. In such scenario I am a bit confused about ways to configure iPSEC vpn high availability if both the links advertise the same IP subnet to the outside world.

Will let you know tomoroow.
Many thanks for the insights,
0
 
billwhartonCommented:
they'll advertise the same subnet but the external IP addresses of the 2811's will remain unique and distinct. Hence, you can still do ipsec HA
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now