Build two IPSEC tunnels to the same destination (HQ) on R1.
Put a global PBR: for all traffic sourced from S0/0 set interface
S0/0, and for traffic sourced from S0/1 set interface S0/1.
You would need to use two different crypto maps, with corresponding
local-interfaces.
I have not tested it in production, but if it does not work out then
try two GRE tunnels and then encrypt the GRE with IPSEC.
Then in the global policy you would need, say, this kind of route-map:
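! Match router-originated traffic by the local source address it uses
access-list 101 permit ip host <s0/0-ip> host <hq-ip>
access-list 102 permit ip host <s0/1-ip> host <hq-ip>
! Send each source out of its own serial interface
route-map PBR permit 10
 match ip address 101
 set interface s0/0
route-map PBR permit 20
 match ip address 102
 set interface s0/1
! Apply the route-map to packets generated by the router itself
ip local policy route-map PBR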
Therefore you will have two GRE tunnels encrypted by IPSEC, and it is easy
to make redundancy by just putting floating static routes or even putting
dynamic routing on it.
Just consider MTU as well, as it will have ESP/GRE...
Regards,
On Tue, Nov 30, 2010 at 10:05 PM, George Goglidze <goglidze_at_gmail.com> wrote:
> what is the actual problem of building two different IPSEC
>
> On Tue, Nov 30, 2010 at 6:07 PM, ehtesham ali <conect2ehtesham_at_gmail.com> wrote:
>> Hi group,
>> We have the following scenario: R1 and R2 are multihomed to two regional
>> ISPs as shown.
>>
>> [r1] s0----------------------------------->primary isp A
>> [ ] s1----------------------------------->backup isp B
>>
>> [r2] s0/0-------------------------------> primary isp A
>>
>> R1 and R2 face the Internet and connect to HQ using IPSEC VPN.
>>
>> requirements
>>
>> 1) The primary IPSEC tunnel should terminate on the R1 s0 interface.
>> On local interface failure, or when line protocol on s0 is down,
>> the backup tunnel should immediately come up on the R1 s1 interface connected
>> to ISP B.
>>
>> 2) However, when R1 itself fails, the IPSEC tunnel should terminate on the R2 s0
>> interface.
>>
>> Does Cisco have any feature that can meet my requirements as stated above?
>> (HSRP can only fulfill the second condition.)
>>
>> Also, can the solution work with ASA?
>>
>> If yes, please provide me links.
>>
>> Regards
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Tue Nov 30 2010 - 22:12:53 ART
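
The MTU caveat in the reply above, worked through as an added example (not part of the original thread): it computes the on-wire size of a GRE packet protected by ESP and the largest inner packet that still fits the link. The 1500-byte link MTU and the AES-CBC with HMAC-SHA1-96 transform are assumptions; the thread does not name a transform set.

```python
# Added example: on-wire size of a GRE-over-IPsec packet and the largest inner
# packet that fits the link MTU. All parameter values below are assumptions.
IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # basic GRE header (no key/sequence/checksum)
ESP_HDR = 8          # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2      # pad-length + next-header bytes

def esp_gre_wire_size(inner_len, mode="tunnel", block=16, iv=16, icv=12):
    """Bytes on the wire for one inner IP packet of inner_len bytes.

    Defaults model AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV).
    mode="tunnel": ESP wraps the whole GRE/IP packet and adds a new IP header.
    mode="transport": ESP reuses the GRE delivery IP header.
    """
    if mode not in ("tunnel", "transport"):
        raise ValueError("mode must be 'tunnel' or 'transport'")
    protected = GRE_HDR + inner_len
    if mode == "tunnel":
        protected += IP_HDR
    # ESP pads (payload + 2 trailer bytes) up to a multiple of the cipher block
    padded = -(-(protected + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + icv

def max_inner_packet(link_mtu=1500, **kw):
    """Largest inner IP packet that is not fragmented after GRE + ESP."""
    size = link_mtu
    while size > 0 and esp_gre_wire_size(size, **kw) > link_mtu:
        size -= 1
    return size

def tcp_mss_for(inner_mtu):
    """TCP MSS that fits inner_mtu (IPv4 + TCP headers, no options)."""
    return inner_mtu - IP_HDR - 20

if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        mtu = max_inner_packet(1500, mode=mode)
        print(mode, "max inner packet:", mtu, "TCP MSS:", tcp_mss_for(mtu))
```

The results are upper bounds for the assumed transform; a different cipher or integrity algorithm changes the block, IV and ICV sizes and therefore the answer.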