RE: OT: VPN redundancy

From: Administrator (Administrator@StandardAeroTech.ca)
Date: Wed Apr 05 2006 - 12:33:52 GMT-3


Basically the way I do it is as follows . . . ( oh and I apologize in
advance, it's easier to diagram or talk it out )

Anyway, head site has a router. Head site has a backup router.
Basics of it is like this.

Remote site has say a 1710 connected to the internet. A GRE VPN Tunnel is
created from the remote site to the head site. A second tunnel is built to
the backup router in the head site, also using GRE. Each GRE tunnel interface
has its own wan network as well. Keepalives are running on the tunnels as
well.

The remote site router has two tunnels ( running EIGRP ) across to two
separate tunnel endpoints at the main site. I can start a constant ping to the
network across the VPN, and shut the primary VPN router off and the pings 99
out of 100 times don't even miss one. Sometimes they do miss 1 ping.

Now, if you have two routers at the remote side, and two routers at the
central side, it's even more redundant. I have a couple of those as well. No
HSRP needed there. These boxes go into a switch that also has routing tables
and such. They get the path information accordingly.

I think this is a pretty crappy description so my apologies. But I hope this
helps a bit Rik. If you have any questions, I will continue to do my best to
answer them. But as I said, a diagram is probably best.

christian
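As an added illustration of the dual-GRE design christian describes (example configuration, not his own; the addresses, interface names and EIGRP AS number are assumptions, with documentation-range addresses standing in for the real public ones):

```cisco
! --- Remote-site router (the "say a 1710") ---
interface FastEthernet0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
!
! Tunnel to the primary head-end router; each tunnel gets its own /30.
! keepalive 10 3: line protocol drops after three missed 10-second
! keepalives instead of staying up/up forever when the far end dies.
interface Tunnel0
 description GRE to primary head-end
 ip address 10.255.0.2 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination 198.51.100.10
!
! Tunnel to the backup head-end router. A larger delay (tens of
! microseconds) than Tunnel0, which keeps the default, makes EIGRP prefer
! Tunnel0 while the route via Tunnel1 stays in the topology table.
interface Tunnel1
 description GRE to backup head-end
 ip address 10.255.0.6 255.255.255.252
 keepalive 10 3
 delay 10000
 tunnel source FastEthernet0
 tunnel destination 198.51.100.20
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.10.10.0 0.0.0.255
 no auto-summary
!
! --- Primary head-end router (backup is identical except for its own
!     public address 198.51.100.20 and tunnel address 10.255.0.5) ---
interface Tunnel0
 description GRE to remote site
 ip address 10.255.0.1 255.255.255.252
 keepalive 10 3
 tunnel source 198.51.100.10
 tunnel destination 203.0.113.2
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
 no auto-summary
!
! Checks on the remote router: "show ip eigrp neighbors" should list
! 10.255.0.1 and 10.255.0.5; after the primary head-end is powered off,
! "show interfaces tunnel 0" reports line protocol down within about 30 s
! and "show ip route" points the head-office prefixes via Tunnel1.
```

Encryption of the GRE tunnels (crypto map or tunnel protection) is left out here because the message above does not go into it.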

________________________________

From: nobody@groupstudy.com on behalf of Guyler, Rik
Sent: Wed 4/5/2006 9:12 AM
To: 'ccielab@groupstudy.com'
Subject: RE: OT: VPN redundancy

Thanks for the reply. Stateful failover would be nice but I don't consider
it necessary. If the SAs had to be rebuilt on the backup router then that
would happen dynamically and within seconds so the worst case scenario is
something would have to be retransmitted or reconnected.

We'll see. I haven't ruled out the ASA boxes yet but they aren't at the top
of the list. Some of the newer IOS supports SSO failover for IPSEC but
unfortunately not on a 3600 series. I would have to buy two new 3800
routers. Oh darn... ;-)

Rik

-----Original Message-----
From: Alexei Monastyrnyi [mailto:alexeim@orcsoftware.com]
Sent: Wednesday, April 05, 2006 9:50 AM
To: Guyler, Rik
Cc: 'ccielab@groupstudy.com'
Subject: Re: OT: VPN redundancy

Hi.

The problem with redundancy with HSRP+VRRP is that it is not a stateful
failover, i.e. if primary fails, secondary has to rebuild tunnels anyway. I
don't know if it is critical for you.

With PIX (and most probably ASA) you have a stateful failover over dedicated
LAN interface. I have 2 PIX 515E in failover mode with 7.1.1 on primary and
7.1.2 secondary. Have a plan to restart the primary to activate 7.1.2 which
is on flash now.

Documentation claims that 7.1 has a VPN stateful failover. 7.0 had really
buggy failover in general; you can have a look at the bug fixes.
Let's see if stateful failover for VPN works in 7.1. Will post results as it
happens.

A.

on 05/04/2006 15:28 Guyler, Rik wrote:
> I currently have a 3660 router that terminates nearly 25 vendor VPN
> tunnels.
> These tunnels are considered mission critical to our hospital
> operations and so an outage of much duration would be a hardship.
> Even with a 4-hour SmartNet it could take several hours to get this back
> up and running.
>
> I'm looking at various redundant setups so I could lose this router
> and still maintain connectivity. Here are the options I have
> considered so far in order of preference:
>
> 1) add a second router and set up HSRP/VRRP on both the inside and
> outside interfaces and terminate the tunnels to the virtual address on the
> outside.
>
> 2) set up a pair of ASA5500s and set up failover
>
> 3) set up a second router and build secondary tunnels to each vendor
>
> I like the sound of number one the best but not sure if it will work.
> I'll lab it up to verify that unless somebody can say for sure it
> won't work. I really don't want to move over to the ASA boxes...I
> just love VPN on routers. Secondary tunnels would require a lot of
> work and time so that's really the last option.
>
> Does anybody know of any other possible solutions to throw in the mix?
> Even some outrageous ideas might be fun to try and who knows...might just
> work.
> I'm open to any ideas or suggestions at this point!
>
> Thanks!
>
> Rik
>



This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:56 GMT-3