Dual IPSEC tunnels

Discussion in 'Cisco' started by Can2002, Sep 13, 2006.

  1. Can2002

    Can2002 Guest

    One of our remote sites links into our head office via an IPSEC VPN
    established between a 2600 router (branch) and VPN 3000 concentrator
    (hq). The link is currently configured using static crypto maps on the
    2600 and a Lan-to-Lan definition on the concentrator.

    I need to provide some additional bandwidth and as a quick and dirty
    approach I was planning on adding a second ADSL link at the branch
    office. My plan is to define two crypto maps on the 2600, one matching
    the majority of remote hosts and a second matching one particular host.
    I'll define the appropriate configuration on the concentrator too, so
    it knows which link to send traffic down.

    The one thing I'm unsure of is how to configure the 2600 to route
    traffic for each tunnel. Obviously I want it to route the IPSEC
    traffic for tunnel 1 down the first ADSL link, while the other tunnel
    is routed via the second DSL link.

    I'm guessing I need to configure policy based routing based on source
    IP, but I'm not certain.

    Any help would be gratefully received!

    Regards,
    Chris
     
    Can2002, Sep 13, 2006
    #1

  2. Can2002

    Guest

    Can2002 wrote:
    > One of our remote sites links into our head office via an IPSEC VPN
    > established between a 2600 router (branch) and VPN 3000 concentrator
    > (hq). The link is currently configured using static crypto maps on the
    > 2600 and a Lan-to-Lan definition on the concentrator.
    >
    > I need to provide some additional bandwidth and as a quick and dirty
    > approach I was planning on adding a second ADSL link at the branch
    > office. My plan is to define two crypto maps on the 2600, one matching
    > the majority of remote hosts and a second matching one particular host.
    > I'll define the appropriate configuration on the concentrator too, so
    > it knows which link to send traffic down.
    >
    > The one thing I'm unsure of is how to configure the 2600 to route
    > traffic for each tunnel. Obviously I want it to route the IPSEC
    > traffic for tunnel 1 down the first ADSL link, while the other tunnel
    > is routed via the second DSL link.
    >
    > I'm guessing I need to configure policy based routing based on source
    > IP, but I'm not certain.
    >
    > Any help would be gratefully received!


    Sounds to me like Policy Based Routing would do what you want.
    No idea about the 3000 concentrator end though.
    If your 2600 does not have crypto hardware then you should check
    the CPU. I have one that is used as a backup link and
    it maxes out the CPU when it is used. It's so bad that it is
    in my view not worth having but the management disagree.
     
    , Sep 13, 2006
    #2

  3. Can2002

    Darren Green Guest

    <> wrote in message
    news:...
    >
    > Can2002 wrote:
    >> One of our remote sites links into our head office via an IPSEC VPN
    >> established between a 2600 router (branch) and VPN 3000 concentrator
    >> (hq). The link is currently configured using static crypto maps on the
    >> 2600 and a Lan-to-Lan definition on the concentrator.
    >>
    >> I need to provide some additional bandwidth and as a quick and dirty
    >> approach I was planning on adding a second ADSL link at the branch
    >> office. My plan is to define two crypto maps on the 2600, one matching
    >> the majority of remote hosts and a second matching one particular host.
    >> I'll define the appropriate configuration on the concentrator too, so
    >> it knows which link to send traffic down.
    >>
    >> The one thing I'm unsure of is how to configure the 2600 to route
    >> traffic for each tunnel. Obviously I want it to route the IPSEC
    >> traffic for tunnel 1 down the first ADSL link, while the other tunnel
    >> is routed via the second DSL link.
    >>
    >> I'm guessing I need to configure policy based routing based on source
    >> IP, but I'm not certain.
    >>
    >> Any help would be gratefully received!

    >
    > Sounds to me like Policy Based Routing would do what you want.
    > No idea about the 3000 concentrator end though.
    > If your 2600 does not have crypto hardware then you should check
    > the CPU. I have one that is used as a backup link and
    > it maxes out the CPU when it is used. It's so bad that it is
    > in my view not worth having but the management disagree.
    >


    I have done this several times but not between a router and a Concentrator -
    always two routers.

    On the router in question I set up 2 x Point to Point Tunnels and used a
    routing protocol to influence all traffic down say the secondary link. I
    then used a route map on the inside interface identifying 'critical traffic'
    and set the IP next hop to be the other end of the primary link - the less
    preferred path.

    Without a routing protocol, how would you control return traffic at the
    Concentrator end? I would be interested in finding out.

    Regards

    Darren
     
    Darren Green, Sep 13, 2006
    #3
  4. Can2002

    Can2002 Guest

    Thanks guys,

    It's good to know I'm going in roughly the right direction!

    The concentrator end is relatively easy while I statically define what
    remote hosts use what tunnel. When I define the LAN-to-LAN session on
    the Concentrator I can specify a list of addresses that sit behind a
    remote peer so I can distribute the traffic as needed.

    I'll have a play!

    Cheers,
    Chris
     
    Can2002, Sep 13, 2006
    #4
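The branch-side approach the thread converges on (two crypto maps, each applied to its own ADSL interface, with a route map on the inside interface steering one host's cleartext traffic before it is encrypted, and the concentrator's LAN-to-LAN network lists mirroring the two crypto ACLs) looks roughly like this on an IOS router. This is an added example written for this page, not configuration posted by any of the participants: the interface names, addresses (RFC 5737 documentation and RFC 1918 ranges), ACL and crypto map names are all assumed, the pre-shared key is a placeholder, and the ATM/PPP plumbing beneath the dialer interfaces is omitted.

```cisco
! Constructed example (not from the thread). Branch LAN 192.168.10.0/24 sits
! behind FastEthernet0/0; HQ LAN 10.0.0.0/16 sits behind the concentrator at
! 203.0.113.1. Dialer1 is ADSL link 1, Dialer2 is ADSL link 2 (fixed ISP
! addresses assumed, so the concentrator sees two distinct peers).
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PRE-SHARED-KEY-PLACEHOLDER address 203.0.113.1
!
crypto ipsec transform-set HQ-SET esp-3des esp-sha-hmac
!
! Tunnel 1 (ADSL 1): every branch host except the one special host.
! The deny line carves that host out so the two crypto ACLs, and the two
! network lists on the concentrator, do not overlap.
ip access-list extended CRYPTO-TUNNEL1
 deny   ip host 192.168.10.50 10.0.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.255.255
!
! Tunnel 2 (ADSL 2): only the special host.
ip access-list extended CRYPTO-TUNNEL2
 permit ip host 192.168.10.50 10.0.0.0 0.0.255.255
!
crypto map MAP-ADSL1 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HQ-SET
 match address CRYPTO-TUNNEL1
!
crypto map MAP-ADSL2 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HQ-SET
 match address CRYPTO-TUNNEL2
!
interface Dialer1
 ip address negotiated
 crypto map MAP-ADSL1
!
interface Dialer2
 ip address negotiated
 crypto map MAP-ADSL2
!
! Policy-based routing on the inside interface: cleartext traffic from the
! special host towards HQ is sent out Dialer2, where it meets MAP-ADSL2 and
! is encrypted there. IOS encrypts at the egress interface, so the resulting
! ESP packet also leaves via ADSL 2.
ip access-list extended PBR-TO-ADSL2
 permit ip host 192.168.10.50 10.0.0.0 0.0.255.255
!
route-map STEER-HQ permit 10
 match ip address PBR-TO-ADSL2
 set interface Dialer2
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map STEER-HQ
!
! Everything else follows the default route out ADSL 1 and meets MAP-ADSL1.
ip route 0.0.0.0 0.0.0.0 Dialer1
```

Two things worth checking once this is in place. `show route-map STEER-HQ` shows the policy-match counters, and `show crypto ipsec sa` should list a separate SA pair for each dialer interface once both flows have passed traffic. The deny entry in CRYPTO-TUNNEL1 means "do not protect", so it is only safe in combination with the route map: if the policy route were ever removed, the special host's HQ-bound traffic would egress ADSL 1 in the clear, so any outbound filter or NAT on Dialer1 should not pass private-to-private traffic. On the concentrator, this corresponds to two LAN-to-LAN entries, one per branch public address, each with a network list matching the corresponding crypto ACL; because the lists do not overlap, the concentrator's return traffic for the special host is steered to the second tunnel without a routing protocol, which answers the question raised about the return path.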