Cisco IPSec Tunnel

I'm interested in setting up an IPSec tunnel between a Cisco 861 router and an ASA.

The reason for this is that the site-to-site link for my LAN traffic is very slow... I want to try and balance some of this LAN traffic over the tunnel, and hopefully improve quality of service.

First and foremost, is it even possible for the router to load balance between the two gateways? Is it possible for me to set the route with a very similar metric, so that connections get fired through each pipe more or less evenly?

Secondly, I have a config that I'm pretty sure I can use (googled it and found the Cisco documentation). Once I know whether it is possible or not, I would be potentially inclined to get some assistance, should the config not work.


There are currently two connections at the off-site location: one ADSL connection (currently just running as a default route for anything not directed to the subnet), and one site-to-site connection for anything directed to the subnet.

I am not sure I understand your question very well but I can see two things:

(1) VPN, branch (Cisco 861) to VPN concentrator / server (Cisco ASA). Technically, this should be no issue because the server is the end point, i.e. it terminates the VPN traffic. I have not terminated on the server before, but I have done main to branch where both sites are Customer Premises Equipment (CPEs). In my case, I used the GRE tunnel and it worked.

(2) Load balancing should be possible. This will depend on whether you want an active active or active passive setup.

If you are using a routing protocol (e.g. RIP, EIGRP etc.), you can use the offset-list command on the routing process definition to increase the cost of the backup channel so that it does not come on unless the best cost link has gone down. I have attached a document to show how the offset-list command can be used.

You can also use static routes to load balance your WAN channels. The concept is the same, i.e. whether you want an active active or active passive setup. By using static routes and playing with the Administrative Distance (AD), you should be able to achieve this goal.

The example below shows load balancing to the same destination but one of the links has a higher AD:

ip route
ip route 5

The route with the lower AD, i.e. via will be preferred.
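
The two static-route setups the answer describes (active active and active passive), written out as an added example that is not part of the original post. Every prefix and next hop is a placeholder from the documentation address ranges, because the post's own addresses do not appear on the page; which next hop is the site-to-site link and which is the tunnel is also an assumption.

```cisco
! Added example; all addresses below are placeholders (RFC 5737 ranges).
!   192.0.2.0/24  = remote LAN reached from the branch (placeholder)
!   198.51.100.1  = next hop over the existing site-to-site link (assumed)
!   203.0.113.1   = next hop over the IPSec/GRE tunnel (assumed)
!
! Use ONE of the two options, not both.
!
! Option A, active active: same prefix, both routes at the default
! static AD of 1. Both are installed in the routing table and the
! router shares traffic across the two next hops.
ip route 192.0.2.0 255.255.255.0 198.51.100.1
ip route 192.0.2.0 255.255.255.0 203.0.113.1
!
! Option B, active passive (floating static): the second route carries
! an AD of 5, so it is held back while the AD 1 route is installed and
! only enters the routing table when that route is withdrawn.
ip route 192.0.2.0 255.255.255.0 198.51.100.1
ip route 192.0.2.0 255.255.255.0 203.0.113.1 5
!
! Check which next hop(s) are actually installed for the prefix:
!   show ip route 192.0.2.0
```

With Option B the backup only takes over when the primary route leaves the table, which happens when its next hop stops being reachable; if the primary next hop sits behind an interface that stays up during an outage, the route stays installed and traffic keeps going to the dead path.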