redundant ipsec tunnels with nat

Discussion in 'Cisco' started by jcharth, Oct 3, 2005.

  1. jcharth

    jcharth Guest

    Hello, I have several remote Cisco routers and one PIX. There are
    crypto maps between all the routers. The access-lists of the
    crypto maps between the routers permit access to the subnet of each
    remote router, something like this:
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
    Is it possible to set up routing so that if the connection between x.x.2.x
    and x.x.1.x is faster going through x.x.3.x, the packets would be sent
    through x.x.3.x instead of directly? Do I need 2 routers in each site
    to do this? I am thinking that maybe if I add a router behind NAT in
    each location using BGP this could be done.
    Are there any examples out there for this? Or some kind of redundant
    IPsec tunnels?
    Thanks.
     
    jcharth, Oct 3, 2005
    #1

  2. You have an interesting challenge. If by "faster" you mean higher
    bandwidth or lower delay, then you have a fighting chance using
    routing protocols to make the decision. If by "faster" you mean
    the loading on the link is slowing it down so use an alternate,
    you won't get what you want with a routing protocol (at least not
    safely, although you could try playing with the K factors in EIGRP)
    and you would have to look at a load balancing appliance.

    There should be multiple examples of routing through NAT using GRE
    tunnels on www.cisco.com. It is also possible to route through NAT
    without using GRE tunnels, see the "Redundant Firewalls" white
    paper on my web site. The white paper on redundant IPsec VPNs there
    should also be useful, but its examples do not deal with NAT.

    Good luck and have fun!
     
    Vincent C Jones, Oct 4, 2005
    #2

  3. jcharth

    jcharth Guest

    Thanks for the reply, I am not really experienced with GRE tunnels. Maybe
    you can answer a simple question. If I have a mesh of 10 routers,
    how many tunnel interfaces do I need in each router? I tried setting up
    BGP to avoid using the tunnel but I don't think it worked because I was
    unable to ping the inside address of the other routers from any router
    running NAT. I have IOS 11.x on most of my routers and only one running
    12.x. Any suggestions?
     
    jcharth, Oct 4, 2005
    #3
  4. :I am not really experienced with GRE tunnels. Maybe
    :you can answer a simple question. If I have a mesh of 10 routers,
    :how many tunnel interfaces do I need in each router?

    9 if you want a classic "Full Mesh".

    If you are looking at a best-case scenario in which you assume that
    all the links work fine all the time, and you want all the hosts to
    be able to exchange data with each other, then you can use a
    star topology (1 tunnel on N-1 of the routers, N-1 tunnels on 1
    of the routers). Alternately, you can use a ring topology (a forward
    link and a backward link on each router.)

    If you are assuming that some of the links might fail sometimes,
    then you need to define the degree of failure that you are trying
    to protect against. Are you trying to protect against any one
    router failing? Against any two? Are you trying to minimize routing
    costs dynamically, with the possibility that up to M routers might fail?

    :I tried setting up
    :BGP to avoid using the tunnel but I don't think it worked because I was
    :unable to ping the inside address of the other routers from any router
    :running NAT. I have IOS 11.x on most of my routers and only one running
    :12.x. Any suggestions?

    Well, -I- would suggest upgrading to IOS 12.3(something) or
    12.4, and using the new Dynamic Mesh VPN feature. On the other
    hand, I do have the advantage that the argument "It's costing more
    in terms of my salary to keep going with the old equipment than
    it would cost to upgrade the equipment" does work (eventually.)
     
    Walter Roberson, Oct 5, 2005
    #4
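As an added illustration of what the replies describe (GRE tunnels protected by IPsec, a routing protocol inside the tunnels choosing the direct or the via-site-3 path, and NAT on the same router), here is a constructed site 1 configuration that is not from the thread or from any of the posters' white papers. It assumes a 12.x image, placeholder public addresses 192.0.2.x, and a pre-shared key shown as a placeholder.

```cisco
! Constructed site 1 config. LAN 10.1.1.0/24, public 192.0.2.1; site 2 is 192.0.2.2 (10.1.2.0/24),
! site 3 is 192.0.2.3 (10.1.3.0/24). IPsec protects GRE between public addresses; EIGRP runs inside.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key EXAMPLE-PSK address 192.0.2.2
crypto isakmp key EXAMPLE-PSK address 192.0.2.3
crypto ipsec transform-set TS esp-3des esp-sha-hmac
! The crypto ACLs match only GRE between the endpoints; LAN subnets no longer appear in them.
access-list 101 permit gre host 192.0.2.1 host 192.0.2.2
access-list 102 permit gre host 192.0.2.1 host 192.0.2.3
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address 101
crypto map VPN 20 ipsec-isakmp
 set peer 192.0.2.3
 set transform-set TS
 match address 102
! Direct tunnel to site 2; the lower delay makes EIGRP prefer it while the neighbor is up.
interface Tunnel2
 ip address 172.16.12.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 delay 1000
! Tunnel to site 3; also the alternate path to 10.1.2.0/24 through site 3's tunnel to site 2.
interface Tunnel3
 ip address 172.16.13.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.3
 delay 2000
interface Serial0
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 crypto map VPN
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
! Exempt site-to-site traffic from NAT so remote inside addresses stay reachable through the tunnels.
access-list 110 deny   ip 10.1.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list 110 interface Serial0 overload
! EIGRP learns 10.1.2.0/24 over both tunnels and switches to the site 3 path when the direct neighbor is lost.
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.0.0
 no auto-summary
```

Sites 2 and 3 need the mirror-image tunnels and crypto map entries, and each router's Tunnel interface count grows by one per additional peer, which is where the full-mesh figure of N-1 comes from.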
