Dual IPSEC tunnels

 
 
Can2002
09-13-2006
One of our remote sites links into our head office via an IPSEC VPN
established between a 2600 router (branch) and VPN 3000 concentrator
(hq). The link is currently configured using static crypto maps on the
2600 and a Lan-to-Lan definition on the concentrator.

I need to provide some additional bandwidth and as a quick and dirty
approach I was planning on adding a second ADSL link at the branch
office. My plan is to define two crypto maps on the 2600, one matching
the majority of remote hosts and a second matching one particular host.
I'll define the appropriate configuration on the concentrator too, so
it knows which link to send traffic down.

The one thing I'm unsure of is how to configure the 2600 to route
traffic for each tunnel. Obviously I want it to route the IPSEC
traffic for tunnel 1 down the first ADSL link, while the other tunnel
is routed via the second DSL link.

I'm guessing I need to configure policy based routing based on source
IP, but I'm not certain.

Any help would be gratefully received!

Regards,
Chris

 
Bod43@hotmail.co.uk
09-13-2006

Can2002 wrote:
> One of our remote sites links into our head office via an IPSEC VPN
> established between a 2600 router (branch) and VPN 3000 concentrator
> (hq). The link is currently configured using static crypto maps on the
> 2600 and a Lan-to-Lan definition on the concentrator.
>
> I need to provide some additional bandwidth and as a quick and dirty
> approach I was planning on adding a second ADSL link at the branch
> office. My plan is to define two crypto maps on the 2600, one matching
> the majority of remote hosts and a second matching one particular host.
> I'll define the appropriate configuration on the concentrator too, so
> it knows which link to send traffic down.
>
> The one thing I'm unsure of is how to configure the 2600 to route
> traffic for each tunnel. Obviously I want it to route the IPSEC
> traffic for tunnel 1 down the first ADSL link, while the other tunnel
> is routed via the second DSL link.
>
> I'm guessing I need to configure policy based routing based on source
> IP, but I'm not certain.
>
> Any help would be gratefully received!


Sounds to me like Policy Based Routing would do what you want.
No idea about the 3000 concentrator end though.
If your 2600 does not have crypto hardware then you should check
the CPU? I have one that is used as a backup link and
it maxes out the CPU when it is used. It's so bad that it is
in my view not worth having but the management disagree.

 
Darren Green
09-13-2006

Bod43@hotmail.co.uk wrote:
>
> Can2002 wrote:
>> One of our remote sites links into our head office via an IPSEC VPN
>> established between a 2600 router (branch) and VPN 3000 concentrator
>> (hq). The link is currently configured using static crypto maps on the
>> 2600 and a Lan-to-Lan definition on the concentrator.
>>
>> I need to provide some additional bandwidth and as a quick and dirty
>> approach I was planning on adding a second ADSL link at the branch
>> office. My plan is to define two crypto maps on the 2600, one matching
>> the majority of remote hosts and a second matching one particular host.
>> I'll define the appropriate configuration on the concentrator too, so
>> it knows which link to send traffic down.
>>
>> The one thing I'm unsure of is how to configure the 2600 to route
>> traffic for each tunnel. Obviously I want it to route the IPSEC
>> traffic for tunnel 1 down the first ADSL link, while the other tunnel
>> is routed via the second DSL link.
>>
>> I'm guessing I need to configure policy based routing based on source
>> IP, but I'm not certain.
>>
>> Any help would be gratefully received!

>
> Sounds to me like Policy Based Routing would do what you want.
> No idea about the 3000 concentrator end though.
> If your 2600 does not have crypto hardware then you should check
> the CPU? I have one that is used as a backup link and
> it maxes out the CPU when it is used. It's so bad that it is
> in my view not worth having but the management disagree.
>


I have done this several times but not between a router and a Concentrator -
always two routers.

On the router in question I set up 2 x Point to Point Tunnels and used a
routing protocol to influence all traffic down say the secondary link. I
then used a route map on the inside interface identifying 'critical traffic'
and set the IP next hop to be the other end of the primary link - the less
preferred path.

Without a routing protocol, how would you control return traffic at the
Concentrator end? I would be interested in finding out.

Regards

Darren


 
Can2002
09-13-2006
Thanks guys,

It's good to know I'm going in roughly the right direction!

The concentrator end is relatively easy while I statically define what
remote hosts use what tunnel. When I define the LAN-to-LAN session on
the Concentrator I can specify a list of addresses that sit behind a
remote peer so I can distribute the traffic as needed.

I'll have a play!

Cheers,
Chris
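
The approach discussed in this thread (one crypto map per ADSL link, with policy-based routing on the inside interface choosing the link), as an added IOS configuration sketch that is not from any of the posters. Every address, interface name, ACL number and map name is a constructed placeholder, and a static address on the second link is assumed.

```cisco
! Constructed example; every address, name and number is a placeholder.
! Branch LAN 10.1.1.0/24, HQ LAN 10.0.0.0/16, singled-out host 10.1.1.50.
! Link 1 = Dialer1 (ISP gateway 192.0.2.1), link 2 = Dialer2 (static
! address 198.51.100.2, ISP gateway 198.51.100.1). HQ peer = 203.0.113.10.
! ISAKMP policy and pre-shared key are unchanged from the existing tunnel.
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
!
! Crypto ACLs: must mirror the address lists defined on the concentrator.
access-list 110 deny   ip host 10.1.1.50 10.0.0.0 0.0.255.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 120 permit ip host 10.1.1.50 10.0.0.0 0.0.255.255
!
crypto map VPN-LINK1 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address 110
crypto map VPN-LINK2 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address 120
!
interface Dialer1
 crypto map VPN-LINK1
interface Dialer2
 crypto map VPN-LINK2
!
! Everything not policy-routed follows the default route out of link 1.
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! PBR on the inside interface: the one host's HQ traffic leaves via link 2,
! where VPN-LINK2 matches it. Traffic that exits an interface without
! matching that interface's crypto ACL is forwarded unencrypted.
route-map HOST-VIA-LINK2 permit 10
 match ip address 120
 set ip next-hop 198.51.100.1
interface FastEthernet0/0
 ip policy route-map HOST-VIA-LINK2
!
! Local PBR: packets the router itself sources from link 2's address
! (IKE negotiation for the second tunnel) also leave via link 2.
access-list 130 permit ip host 198.51.100.2 host 203.0.113.10
route-map LOCAL-VIA-LINK2 permit 10
 match ip address 130
 set ip next-hop 198.51.100.1
ip local policy route-map LOCAL-VIA-LINK2
```

If the singled-out host's traffic ever leaves via Dialer1 instead, the deny line in access-list 110 means it is not encrypted there. The encaps/decaps counters in `show crypto ipsec sa` confirm which tunnel each flow is actually using.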

 