Cisco IPSec Tunnel

I'm interested in setting up an IPSec tunnel between a Cisco 861 router and an ASA.

The reason for this is that the site-to-site link for my LAN traffic is very slow... I want to try to balance some of this LAN traffic over the tunnel, and hopefully improve quality of service.

First and foremost, is it even possible for the router to load balance between the two gateways? Is it possible for me to set the route with a very similar metric, so that connections get fired through each pipe more or less evenly?

Secondly, I have a config that I'm pretty sure I can use (googled it and found the Cisco documentation). Once I know whether it is possible or not, I would be potentially inclined to get some assistance, should the config not work.


There are currently two connections at the off-site location. One ADSL connection (currently just running as a default route for anything not directed to the subnet), and one site-to-site connection for anything directed to the subnet.

koudry commented:

I am not sure I understand your question very well but I can see two things:

(1) VPN, branch (Cisco 861) to VPN concentrator / server (Cisco ASA). Technically, this should be no issue because the server is the end point, i.e. terminates the VPN traffic. I have not terminated on the server before but I have done main to branch where both sites are Customer Premises Equipment (CPE). In my case, I used the GRE tunnel and it worked.

(2) Load balancing should be possible. This will depend on whether you want an active-active or active-passive setup.

If you are using a routing protocol (e.g. RIP, EIGRP etc.), you can use the offset-list command on the routing process definition to increase the cost of the backup channel so that it does not come on unless the best-cost link has gone down. I have attached a document to show how the offset-list command can be used.

You can also use static routes to load balance your WAN channels. The concept is the same, i.e. whether you want an active-active or active-passive setup. By using static routes and playing with the Administrative Distance (AD), you should be able to achieve this goal.

The example below shows load balancing to the same destination but one of the links has a higher AD:

ip route
ip route 5

The route with the lower AD, i.e. via will be preferred.
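
A small model of how a routing table treats two static routes to the same destination, as an added example that is not part of the original answer: with AD 1 and AD 5 only the lower-AD route is installed (active-passive), while equal AD installs both and spreads flows across them (active-active). The prefixes and next hops are constructed documentation addresses, and the CRC32 flow hash is a stand-in for the router's own load-sharing algorithm.

```python
import ipaddress
import zlib
from collections import namedtuple

Route = namedtuple("Route", "prefix next_hop ad")

# Constructed values (documentation address ranges), not taken from the post.
REMOTE_LAN = "10.20.0.0/16"
LINK = "192.0.2.1"       # next hop on the site-to-site link
TUNNEL = "198.51.100.1"  # next hop reached through the IPSec tunnel
FLOATING = [Route(REMOTE_LAN, LINK, 1), Route(REMOTE_LAN, TUNNEL, 5)]
EQUAL = [Route(REMOTE_LAN, LINK, 1), Route(REMOTE_LAN, TUNNEL, 1)]

def installed_routes(candidates, down=()):
    """Per prefix, install only the usable routes with the lowest AD."""
    table = {}
    for r in candidates:
        # Assumption: the router has detected the failure and withdrawn the route.
        if r.next_hop in down:
            continue
        net = ipaddress.ip_network(r.prefix)
        best = table.get(net, [])
        if not best or r.ad < best[0].ad:
            table[net] = [r]      # better AD replaces what was installed
        elif r.ad == best[0].ad:
            best.append(r)        # equal AD: both paths are installed
    return table

def next_hop(table, src, dst):
    """Longest-prefix match, then pick one installed path per src/dst pair."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [n for n in table if dst_ip in n]
    if not matches:
        return None
    paths = table[max(matches, key=lambda n: n.prefixlen)]
    # CRC32 is a stand-in for the router's own flow hash (assumption).
    return paths[zlib.crc32(f"{src}>{dst}".encode()) % len(paths)].next_hop

def hops_used(routes, down=()):
    """Next hops chosen for 64 constructed flows towards the remote LAN."""
    table = installed_routes(routes, down)
    return {next_hop(table, "10.10.0.5", f"10.20.0.{i}") for i in range(1, 65)}

if __name__ == "__main__":
    print("AD 1 vs 5, both up:  ", hops_used(FLOATING))
    print("AD 1 vs 5, link down:", hops_used(FLOATING, down={LINK}))
    print("equal AD, both up:   ", hops_used(EQUAL))
```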


Question has a verified solution.
