Using a vpn as backup 1

rcasta

Technical User
Aug 8, 2002
211
CA
Can VPN tunnels be set up on an on-demand basis? Or is a VPN connection established between, for instance, a Cisco 8xx and a VPN concentrator a permanent connection?

My question on this is because I am looking for a way of using a broadband connection, which is ADSL, as a backup link. My network already has a way out through a T1 link.

Any pointers will be greatly appreciated.
 
They are on an on-demand basis. The tunnel will be up only to pass traffic. You can prioritize traffic over the tunnels if you like. Set up your ADSL dialer1 link and make its tunnel priority 2, and the T1 priority 1.

Geoff
 
Thank you for the quick reply!

cheers,
 
I recently set up a VPN to back up a frame link and used a GRE tunnel to pass my EIGRP. Works a treat!
 
Why did you use a GRE tunnel? To maintain a live route through the backup line across the Internet?

Further, the ADSL provider will put in an ADSL modem. So an Ethernet UTP cable will be received instead, which will be connected to a router. But I guess the VPN tunnel is set up by defining interesting traffic on the router, isn't it?

best regards,
 
The network I set up had 2 types of VPN backup. The first was a site-to-site link: if the main frame relay went down, then all traffic was forwarded down the VPN tunnel. This used a combination of HSRP and EIGRP with floating static routes.

The second, where I used GRE, was backing up a link between 2 of the core sites, and there was a lot of routing information to send across this link. A basic IPSec tunnel won't allow multicast updates; they get dropped. So I set up EIGRP across a GRE tunnel, the neighbour relationship came up, then I encrypted the tunnel. Now when the main F/R PVC fails, EIGRP reconverges to use the tunnel as a backup.
In this case the IPSec tunnel is up all the time due to the EIGRP hello packets.

The router uses the crypto ACL to determine whether the traffic is to be encrypted or not; if there is a match, it's stuffed into the tunnel as encrypted data.
 
Would you mind posting here how you encrypted the tunnel?

best regards,
 
rcasta,

Sorry about taking so long to get back to you, here is the configuration from one end to point you in the right direction.

! IKE phase 1 policy and pre-shared key for the remote peer
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 84600
crypto isakmp key a-secure-key address 194.1xx.1xx.xx
!
crypto ipsec transform-set GRE esp-3des esp-md5-hmac
!
! The map entry must reference the transform set defined above
crypto map GRE 10 ipsec-isakmp
 set peer 194.1xx.1xx.xx
 set transform-set GRE
 match address 100
!
interface Loopback0
 description loopback
 ip address 194.yyy.1zz.126 255.255.255.252
!
interface Tunnel0
 description Primary GRE tunnel to Leeds F/R
 ip unnumbered Loopback0
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.201.1
!
! The crypto map is applied to the physical interface that carries the GRE packets
interface Serial0/0:0
 description
 ip unnumbered Loopback0
 fair-queue
 crypto map GRE
!
ip route 0.0.0.0 0.0.0.0 Serial0/0:0
ip route 0.0.0.0 0.0.0.0 Serial0/1:0
!
! Crypto ACL: GRE traffic is selected for IPSec
access-list 100 permit gre any any

The idea is that the crypto map peers with a device at the remote site (set peer 194.1xx.1xx.xx) and the crypto ACL (100) applies IPSec to any gre traffic.
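
An added example, not part of the original post and not Cisco tooling: a small Python audit run over a constructed sample modelled on the crypto lines of the configuration above. The list of algorithms treated as legacy and the rule that a crypto ACL should name the tunnel endpoints rather than "any any" are assumptions of this example.

```python
# Constructed sample, modelled on the crypto lines of the configuration in the thread.
SAMPLE = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto ipsec transform-set GRE esp-3des esp-md5-hmac
crypto map GRE 10 ipsec-isakmp
 set peer 194.1xx.1xx.xx
 set transform-set GRE
 match address 100
access-list 100 permit gre any any
"""

# Assumption of this example, not a list taken from the thread.
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


def audit(config):
    """Return (line_number, finding) pairs for an IOS crypto-map style config."""
    lines = [(n, l.split()) for n, l in enumerate(config.splitlines(), 1)]
    lines = [(n, w) for n, w in lines if w and w[0] != "!"]
    # ACL numbers that a crypto map uses to select traffic for encryption.
    crypto_acls = {w[2] for _, w in lines
                   if w[:2] == ["match", "address"] and len(w) > 2}
    findings = []
    for n, w in lines:
        if w[0] in ("encr", "encryption", "hash") and len(w) > 1 and w[1] in LEGACY:
            findings.append((n, f"IKE policy uses legacy {w[0]} algorithm {w[1]}"))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            for transform in w[4:]:
                if transform in LEGACY:
                    findings.append(
                        (n, f"transform-set {w[3]} uses legacy transform {transform}"))
        elif w[0] == "access-list" and len(w) >= 6 and w[1] in crypto_acls:
            # A crypto ACL of "any any" selects that protocol between all endpoints.
            if w[2] == "permit" and w[4:6] == ["any", "any"]:
                findings.append(
                    (n, f"crypto ACL {w[1]} matches {w[3]} between any endpoints"))
    return findings


if __name__ == "__main__":
    for number, finding in audit(SAMPLE):
        print(f"line {number}: {finding}")
```
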

 
Routerman,

Is there a way to set up the same tunnel but with the remote node having a dynamic IP address?

best regards,
 
Rcasta, I'm not sure if that could be done as the GRE part of the configuration has to have defined IP addresses for the end points. I wonder if this could be done via DHCP or possibly DNS somehow, although I doubt it.
 
Ok, thank you anyway for taking the time to read this message.

cheers,
 