
Configure a Site-to-Site VPN with Backup route


Minue

Technical User
Dec 30, 2005
Hello Guys
Would someone be kind enough to tell me if it's possible to configure 3 Cisco routers in a triangle with site-to-site VPN, where the network behind Router A has to access a server behind Router B, and when the route between Router A and B goes down, network A uses the route via Router C to get to the server behind Router B. I hope I have made myself clear. In other words, the route via Router C is just for backup.
If it is possible, would such a configuration be difficult to configure? I have searched the web but could not find any diagrams of such a network using VPN. I hope it's possible.
Best regards
 
Thanks a million DanInRaleigh. Sounds like a good idea! Will give it a shot in my lab and see if it works.
Best Regards
 
Yes. Create a LAN-to-LAN VPN to each site, essentially making a triangle. Then use ip routes with costs to set up the primary and secondary routing.

You'll need to ensure that all 3 routers have route entries for all other sites to ensure that they know how to send packets. This will also be required in the ACLs.
 
Hello Guys
Thanks again so much! I have a sample configuration below. By the laws of routing it seems that it should work, but I am worried because I have never heard anyone talking much about VPNs with backup routes.

hostname RouterA
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key cisco address 9.1.1.130
crypto isakmp key cisco address 9.1.1.134
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set esp-tunnel-internet esp-3des esp-md5-hmac
!
! Crypto map entry 10: tunnel to Router B
crypto map vpn 10 ipsec-isakmp
 set peer 9.1.1.130
 set transform-set esp-tunnel-internet
 match address esp-Router-B
!
! Crypto map entry 20: tunnel to Router C
crypto map vpn 20 ipsec-isakmp
 set peer 9.1.1.134
 set transform-set esp-tunnel-internet
 match address esp-Router-C
!
interface Serial1/0:0
 ip address 9.1.1.22 255.255.255.252
 crypto map vpn
!
interface Ethernet0/0
 ip address 10.1.0.1 255.255.255.0
 duplex half
!
! Default routes to Router B (primary, AD 1) and Router C (backup, AD 50)
ip route 0.0.0.0 0.0.0.0 9.1.1.130 1
ip route 0.0.0.0 0.0.0.0 9.1.1.134 50
!
! Crypto ACLs: interesting traffic for each tunnel
ip access-list extended esp-Router-B
 permit ip 10.1.0.0 0.0.0.255 10.0.64.0 0.0.0.255
ip access-list extended esp-Router-C
 permit ip 10.1.0.0 0.0.0.255 10.0.65.0 0.0.0.255


Best regards



 
Be wary of using just floating static routes like this. They, on their own, will not be aware of any upstream network failures, and thus this route "ip route 0.0.0.0 0.0.0.0 9.1.1.130 1" will always be used regardless of whether 9.1.1.130 is available.

If you do intend to use floating statics, you should also consider deploying a routing protocol like OSPF between each VPN node for full resilience.
 
Hello
Thanks a whole lot for yet another reply. So you are saying that if the route between Router A and B goes down, Router A will not route traffic through the 9.1.1.134 gateway?
I wanted to keep things as simple as possible because I am new to VPN solutions, and using a dynamic routing protocol will make things too difficult for me. Any chance of you having a simple configuration with OSPF with IPsec? Would be much obliged.
Million thanks

 
Why not build GRE tunnels to pass routing information via OSPF, and tunnel IPSec traffic inside the GRE tunnel? I'm sure Cisco has an example of how to build that. This gives you a lot of flexibility and resilience.
 
Hello
Thanks a lot for another solution! The 3 routers are using E1 (HDSL) connections (no dedicated lines). Will OSPF be able to route information between routers given that they are on different subnets?
Thanks in advance
 
Hello
I would like to try the configuration you sent me, but I am a bit confused with a few lines on the router Rodney. From my CCNA studies I can understand that Loopback0 is necessary when using OSPF. But what's the purpose of Loopback1? Also, is the interface Tunnel0 a virtual interface with an IP address of choice? Thanks very much
Best regards

interface Loopback0
 ip address 20.20.20.20 255.255.255.0
!
interface Loopback1
 ip address 22.22.22.22 255.255.255.0
!
interface Tunnel0
 ip address 1.1.1.2 255.255.255.0
 
...I don't think L0 is necessary with OSPF... I think you are talking about DR election with OSPF/NBMA... there are other ways you can control that (ip ospf priority, I think)... which I don't think we will need here..
....I think the 22.22.22.22 is just for advertisement purposes and used for testing... could just as well be a "real customer network"
....I'm in the process tonight (my Friday night) of putting together a lab similar to your scenario..
...will let you know my results/findings..

 
Honestly, I would use EIGRP in this situation, unless you have a very good reason to use OSPF. OSPF is a great routing protocol, and we use it within our infrastructure (besides EIGRP and BGP), but for something as small as this EIGRP would be a better fit, and it would be easier for someone with less experience to configure.

You will still need to create GRE tunnels due to the restrictions of IPsec, much in the same way as using OSPF, but the configuration would be easier.


Comes down to personal preference however


UnaBomber
ccnp mcse2k
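As an added example (not from this thread, and not a Cisco or UnaBomber config), here is Router A's side of the GRE-over-IPsec design DanInRaleigh and UnaBomber describe, reusing the addresses from Minue's posted config: the crypto map protects the GRE packets between the public endpoints, and EIGRP running over the two tunnels supplies the failover that the floating static routes could not. The tunnel subnets, the EIGRP AS number and the default-route next hop are assumptions; Routers B and C need the mirror-image config plus a third tunnel between each other.

```cisco
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 9.1.1.130
crypto isakmp key cisco address 9.1.1.134
crypto isakmp keepalive 10 10
crypto ipsec transform-set esp-tunnel-internet esp-3des esp-md5-hmac
!
! Crypto ACLs match the GRE packets between public endpoints, so every
! prefix EIGRP learns over a tunnel is encrypted without new ACL entries
crypto map vpn 10 ipsec-isakmp
 set peer 9.1.1.130
 set transform-set esp-tunnel-internet
 match address gre-to-B
crypto map vpn 20 ipsec-isakmp
 set peer 9.1.1.134
 set transform-set esp-tunnel-internet
 match address gre-to-C
ip access-list extended gre-to-B
 permit gre host 9.1.1.22 host 9.1.1.130
ip access-list extended gre-to-C
 permit gre host 9.1.1.22 host 9.1.1.134
!
interface Serial1/0:0
 ip address 9.1.1.22 255.255.255.252
 crypto map vpn
interface Ethernet0/0
 ip address 10.1.0.1 255.255.255.0
!
! Tunnel subnets 172.16.0.0/30 (to B) and 172.16.0.4/30 (to C) are assumed
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Serial1/0:0
 tunnel destination 9.1.1.130
 keepalive 5 3
interface Tunnel1
 ip address 172.16.0.5 255.255.255.252
 tunnel source Serial1/0:0
 tunnel destination 9.1.1.134
 keepalive 5 3
!
! EIGRP prefers the direct tunnel to B; when Tunnel0 keepalives fail the
! 10.0.64.0/24 route moves to the path learned via C (C must also peer with B)
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.255
 no auto-summary
!
! Only the public peer addresses need a static route (next hop assumed)
ip route 0.0.0.0 0.0.0.0 Serial1/0:0
```

The GRE keepalives bring Tunnel0 down when Router B stops answering, which is what lets EIGRP withdraw the direct path even though the serial link itself stays up.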
 
Very good Dan, ospf... default priority is 1, max of 255 I believe, favors highest priority. (Double checking) Yes, that's right.

Loopback addresses can be a good idea because it picks the highest loopback for a router ID, which can make it easy to identify.

As for EIGRP, I suppose why not? Good idea; very good routing protocol for small networks. However, if your routers are old and/or taxed for memory/processor power, IGRP or RIP would work.
 
You're better off using the ospf router-id command for identifying your routers, and using the loopback for other more valuable and scalable purposes, such as management or monitoring interfaces.

UnaBomber
ccnp mcse2k
 
thanks UnaBomber,

I have been working all night in the lab to try to meet Minue's objective. Just got the DMVPN working, dynamic updates and all (EIGRP), but it does not meet the criteria as it is hub and spoke. I want to see if I can add a stand-alone IPsec tunnel between the spokes (B & C) and somehow advertise between the two if an upstream link goes down between one of the spokes and the hub.

...I'm using 2600s with the max security IOS... not even sure if a Cisco VPN client has the capability to connect... that will be another "miss" if it doesn't..

..any comments... ideas??

 
Hello
Thanks DanInRaleigh for all your efforts, you are very kind. Big thanks to the other guys as well.
So it looks like it's impossible to create a network like the one I have to create. Maybe that's why I can't find any example by Cisco or even in the VPN books that I have read. Anyway, if you happen to resolve something I would still like to know.
The EIGRP configuration example that UnaBomber posted uses a point-to-point serial line. But I have to go over the Internet. Also, will EIGRP and OSPF be able to send routing information over the Internet?

Million thanks

 
Dude! I ain't giving up yet... well, have to today... have to go to sleep ;-(

..check this one out...


..my lab is kinda based off it...

..I am using ethernet in the lab... probably any link encapsulation will work, as all you will need is publicly reachable IP addresses..
...and EIGRP is advertising nicely...



 
Hello Dan
Don't lose your sleep for me ;-) Well, it seems that DMVPN is the only way to go, but I still can't find an example with a redundant route. It's hard to accept that it's not possible, given that Cisco routers and IOS are so flexible :-(
Thanks again
Best regards
 