Redundant VPN

Discussion in 'Cisco' started by al, Feb 7, 2004.

  1. al

    al Guest

    Hi all,
    We would like to set up a redundant VPN from our HQ to our other also large
    remote site.
    We were thinking of using two inside routers and two PIXs on each site.
    The two inside routers are set up for HSRP with one active and a backup and
    also a GRE tunnel that will travel inside the IPSEC tunnel because we have
    Netware 4 servers that still use IPX.
    The two PIXs will be configured with IPSEC to each of the two PIXs on the
    other site.
    HSRP will track the routers' outside interface and also the tunnels.
    Here's the scenario:
    We would like the active connections to always be from HQ PIX1 to Remote
    PIX1 using Tunnel1.
    If HQ PIX1 fails, HQ PIX2 will take over and connect to Remote PIX1 using
    Tunnel2.
    If Remote PIX1 fails, Remote PIX2 will take over and connect to HQ PIX1
    using Tunnel3.
    Is that doable?

    Walter, I know you will have some comments on this.
    Thanks in advance,
    Al
     
    al, Feb 7, 2004
    #1

  2. In article <pj5Vb.22357$>,
    al <> wrote:
    >Hi all,
    >We would like to set up a redundant VPN from our HQ to our other also large
    >remote site.
    >We were thinking of using two inside routers and two PIXs on each site.
    >The two inside routers are set up for HSRP with one active and a backup and
    >also a GRE tunnel that will travel inside the IPSEC tunnel because we have
    >Netware 4 servers that still use IPX.
    >The two PIXs will be configured with IPSEC to each of the two PIXs on the
    >other site.
    >HSRP will track the routers' outside interface and also the tunnels.
    >Here's the scenario:
    >We would like the active connections to always be from HQ PIX1 to Remote
    >PIX1 using Tunnel1.
    >If HQ PIX1 fails, HQ PIX2 will take over and connect to Remote PIX1 using
    >Tunnel2.
    >If Remote PIX1 fails, Remote PIX2 will take over and connect to HQ PIX1
    >using Tunnel3.
    >Is that doable?
    >
    >Walter, I know you will have some comments on this.
    >Thanks in advance,
    >Al


    Very much doable. To the extent that I don't understand where you
    think you're going to have any trouble. You have enough routers and
    PIXen to set up unique GRE tunnels for each possible path and not
    requiring load sharing makes the selection of alternate routes a simple
    matter of manually setting the route metrics for each tunnel.

    The only ways I can see you getting into trouble are if you are
    using OSPF for all your routing and all routers are in the same area
    (avoiding recursive routing failures without using route filters
    is tricky) or you have brain-dead IP applications to support in
    addition to IPX which can't do path MTU discovery correctly (which
    makes default GRE tunnels a challenge).

    Good luck and have fun!
    --
    Vincent C Jones, Consultant        Expert advice and a helping hand
    Networking Unlimited, Inc.         for those who want to manage and
    Tenafly, NJ Phone: 201 568-7810    control their networking destiny
    http://www.networkingunlimited.com
     
    Vincent C Jones, Feb 7, 2004
    #2
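
    The approach described in the reply above (one GRE tunnel per path, preference set by route metric), sketched as Cisco IOS configuration for one HQ inside router. This is an added example, not configuration posted by anyone in the thread; every address, IPX network number, delay and distance value is a constructed placeholder, and the PIX IPsec configuration and the LAN interface facing the PIXes are assumed to exist separately.

```cisco
! Added example: addresses, IPX networks and metrics are placeholders.
! PIX1 inside = 192.168.1.1, PIX2 inside = 192.168.1.2 (assumed).
ipx routing
interface Loopback1
 ip address 10.255.1.1 255.255.255.255
! Tunnel1: preferred path (lowest ipx delay, lowest route distance)
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 ! Leave room for GRE + IPsec overhead; clamp MSS for hosts without PMTUD
 ip mtu 1400
 ip tcp adjust-mss 1360
 ipx network A1
 ipx delay 6
 ! GRE keepalive takes the tunnel down when the far end stops answering
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.2.1
!
! Tunnel2: HQ PIX2 to Remote PIX1
interface Tunnel2
 ip address 172.16.2.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ipx network A2
 ipx delay 12
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.2.2
!
! Tunnel3: HQ PIX1 to Remote PIX2
interface Tunnel3
 ip address 172.16.3.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ipx network A3
 ipx delay 18
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.2.3
! Pin each GRE endpoint to a physical next hop so it is never resolved
! through a tunnel (the recursive routing failure mentioned above).
ip route 10.255.2.1 255.255.255.255 192.168.1.1
ip route 10.255.2.2 255.255.255.255 192.168.1.2
ip route 10.255.2.3 255.255.255.255 192.168.1.1
! Floating statics to the remote LAN: lowest distance wins while its tunnel is up
ip route 10.2.0.0 255.255.0.0 Tunnel1
ip route 10.2.0.0 255.255.0.0 Tunnel2 10
ip route 10.2.0.0 255.255.0.0 Tunnel3 20
```

    `ip tcp adjust-mss` covers TCP only; other IP traffic larger than the tunnel `ip mtu` is fragmented before encapsulation, or dropped with an ICMP unreachable if DF is set.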

  3. In article <pj5Vb.22357$>,
    al <> wrote:
    :We would like to set up a redundant VPN from our HQ to our other also large
    :remote site.

    :Walter, I know you will have some comments on this.

    Not I -- I just discovered that there was a slip and Vincent's book
    didn't get ordered for me. No wonder it was taking so long to
    arrive!
    --
    I wrote a hack in microcode,
    with a goto on each line,
    it runs as fast as Superman,
    but not quite every time! -- Don Libes et al.
     
    Walter Roberson, Feb 7, 2004
    #3
  4. al

    al Guest

    Thanks for the reply guys.
    I will start implementing this and I hope it goes well.
    -Al

    "Vincent C Jones" <> wrote in message
    news:c0323e$54n$...
    > In article <pj5Vb.22357$>,
    > al <> wrote:
    > >Hi all,
    > >We would like to set up a redundant VPN from our HQ to our other also large
    > >remote site.
    > >We were thinking of using two inside routers and two PIXs on each site.
    > >The two inside routers are set up for HSRP with one active and a backup and
    > >also a GRE tunnel that will travel inside the IPSEC tunnel because we have
    > >Netware 4 servers that still use IPX.
    > >The two PIXs will be configured with IPSEC to each of the two PIXs on the
    > >other site.
    > >HSRP will track the routers' outside interface and also the tunnels.
    > >Here's the scenario:
    > >We would like the active connections to always be from HQ PIX1 to Remote
    > >PIX1 using Tunnel1.
    > >If HQ PIX1 fails, HQ PIX2 will take over and connect to Remote PIX1 using
    > >Tunnel2.
    > >If Remote PIX1 fails, Remote PIX2 will take over and connect to HQ PIX1
    > >using Tunnel3.
    > >Is that doable?
    > >
    > >Walter, I know you will have some comments on this.
    > >Thanks in advance,
    > >Al

    >
    > Very much doable. To the extent that I don't understand where you
    > think you're going to have any trouble. You have enough routers and
    > PIXen to set up unique GRE tunnels for each possible path and not
    > requiring load sharing makes the selection of alternate routes a simple
    > matter of manually setting the route metrics for each tunnel.
    >
    > The only ways I can see you getting into trouble are if you are
    > using OSPF for all your routing and all routers are in the same area
    > (avoiding recursive routing failures without using route filters
    > is tricky) or you have brain-dead IP applications to support in
    > addition to IPX which can't do path MTU discovery correctly (which
    > makes default GRE tunnels a challenge).
    >
    > Good luck and have fun!
    > --
    > Vincent C Jones, Consultant        Expert advice and a helping hand
    > Networking Unlimited, Inc.         for those who want to manage and
    > Tenafly, NJ Phone: 201 568-7810    control their networking destiny
    > http://www.networkingunlimited.com
     
    al, Feb 10, 2004
    #4