+1 to KISS principle using virtual-template ints and statics, however next-hop 
reachability is somewhat obtuse unaided by gre keepalives or other end-to-end 
reachability determination.

Also, +2 to DMVPN (which is multipoint gre aided by nhrp) + some flavor of IGP 
on top. Everyone knows that one working remote site vpn invites more, 
especially when the bossman learns of how well it all works.

Imho, working igp + handy, simple metrics (for when you add multiple hubs and 
have some HA for the end sites) is worth the extra mtu and related overhead.

-Tk
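The hub-and-spoke DMVPN that Tk is +2-ing, written out as an added example for this thread (it is not Tk's, Sercan's or Garry's configuration). It assumes IOS 12.4-era syntax on the 1841 hub and the 887/878 spokes, RFC 5737 example addresses (198.51.100.1 hub WAN, 192.168.0.0/24 hub LAN, 192.168.1.0/24 remote LAN), FastEthernet0/0 and Dialer0 as the WAN interfaces, EIGRP as the "flavor of IGP", and placeholder strings where keys belong:

```text
! ===== Hub: local 1841, static WAN IP 198.51.100.1 (example address) =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! Wildcard PSK is what lets a dynamic-IP spoke complete IKEv1 main mode, and it
! is the weak point: any peer holding the key gets as far as IKE phase 2.
! Move to certificates (authentication rsa-sig) as the spoke count grows.
crypto isakmp key DMVPN-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
! DPD gives the next-hop liveness that GRE keepalives would otherwise provide
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport                      ! no second outer IP header on top of GRE
crypto ipsec profile DMVPN-PROF
 set transform-set AES-SHA
!
interface Tunnel0
 description DMVPN hub: mGRE + NHRP
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400                         ! GRE + ESP overhead; keep below the WAN MTU
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRP-PW-PLACEHOLDER
 ip nhrp map multicast dynamic       ! replicate IGP hellos to every registered spoke
 ip nhrp network-id 1
 no ip split-horizon eigrp 1         ! re-advertise one spoke's routes to the others
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
 no auto-summary
!
! ===== Spoke: each remote router (887 static IP, 878 dynamic IP) =====
! Same isakmp policy, wildcard key, DPD, transform-set and ipsec profile as the hub.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0   ! 10.0.0.3 on the second remote router
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRP-PW-PLACEHOLDER
 ip nhrp map 10.0.0.1 198.51.100.1   ! static NHRP mapping for the hub (NHS)
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp holdtime 300
 ip nhrp registration no-unique      ! lets a spoke re-register after its public IP changes
 tunnel source Dialer0               ! assumed PPPoE WAN interface on the 887/878
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 no auto-summary
 ! On the backup remote router only: add delay to everything it advertises over
 ! the tunnel so the hub prefers the primary router for the same LAN prefix
 ! (Tk's "handy, simple metrics"). Leave this line out on the primary router.
 ! offset-list 0 out 10000 Tunnel0
```

Both remote routers register with the hub and run EIGRP with each other over the LAN as well, so the site keeps reachability when either line drops; the `offset-list` on the backup router is what turns "two equal paths" into "primary plus standby". Adding a second hub later is the same spoke stanza with a second `ip nhrp nhs`/`ip nhrp map` pair, which is the point of choosing mGRE + NHRP over per-peer static tunnels.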

-----Original Message-----
From: "Sercan Aktas" <sak...@thrupoint.net>
Date: Sat, 29 May 2010 18:15:08 
To: <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] Redundant VPN w/ Cisco Routers

Hi Garry,

If you have only two sites, you can consider VTIs, which will help you get
rid of the additional GRE overhead and provide you with pretty much the same
functionality as GRE over IPSec.

On the local router you can set up two static VTI tunnels. The remote site
router with static IP can also have a static VTI and the other remote router
with dynamic IP can have dynamic VTI. The only drawback of VTIs compared to
GRE is that they only support IP (unicast & multicast), whereas GRE can
support non-IP protocols.

If you don't have too many networks to be advertised, go for static routing.
If you have multiple networks, then RIPv2 would be the best solution. 

One other thing to consider from the remote site perspective is which router
would actively be forwarding traffic. GRE keepalives could help you on that,
but they are not compatible with tunnel protection. So you can rely on
dynamic routing with a floating static route (with a high AD) that could
point towards the standby router, hence the second tunnel.

I hope this helps and can give you some ideas.

Sercan
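The VTI design Sercan describes (static VTI to the static-IP remote router, dynamic VTI for the dynamic-IP one, RIPv2 over the tunnels, floating static with a high AD for failover), as an added example that is not Sercan's own configuration. It assumes RFC 5737 example addresses (hub WAN 198.51.100.1, remote router 1 WAN 203.0.113.10, hub LAN 192.168.0.0/24, remote LAN 192.168.1.0/24 with the remote routers at .1 and .2), FastEthernet0/0 and Dialer0 as WAN interfaces, and placeholder strings for the pre-shared keys:

```text
! ===== Hub: local 1841, static WAN IPs =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! DPD: when a peer stops answering, the SA and the VTI line protocol go down,
! which is what withdraws the RIP routes and lets the floating static take over
crypto isakmp keepalive 10 3 periodic
!
crypto keyring SPOKE1-KEYS
 pre-shared-key address 203.0.113.10 key SpokeR1-PSK-PLACEHOLDER
crypto keyring SPOKE2-KEYS
 ! Wildcard PSK for the dynamic-IP peer: any host holding this key is accepted at
 ! IKE. Certificates (authentication rsa-sig) avoid that if the 878 can carry one.
 pre-shared-key address 0.0.0.0 0.0.0.0 key SpokeR2-PSK-PLACEHOLDER
!
crypto isakmp profile SPOKE1-PROF          ! specific match listed before the wildcard
 keyring SPOKE1-KEYS
 match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile SPOKE2-DVTI
 keyring SPOKE2-KEYS
 match identity address 0.0.0.0
 virtual-template 1                        ! clone a virtual-access interface per peer
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-R1
 set transform-set AES-SHA
 set isakmp-profile SPOKE1-PROF
crypto ipsec profile DVTI-R2
 set transform-set AES-SHA
 set isakmp-profile SPOKE2-DVTI
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
interface Tunnel0
 description sVTI to remote router 1 (static IP)
 ip address 10.0.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4                    ! VTI: no GRE header, IPsec is the tunnel
 tunnel protection ipsec profile VTI-R1
interface Virtual-Template1 type tunnel
 description DVTI for remote router 2 (dynamic IP)
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-R2
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 192.168.0.0
!
! ===== Remote router 1: 887, static WAN IP 203.0.113.10, primary path =====
! Same isakmp policy and DPD line as the hub.
crypto isakmp key SpokeR1-PSK-PLACEHOLDER address 198.51.100.1
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-HUB
 set transform-set AES-SHA
interface Tunnel0
 ip address 10.0.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer0                     ! assumed WAN interface on the 887
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-HUB
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 192.168.1.0
 passive-interface Vlan1                   ! advertise the LAN, but run RIP only over the tunnel
! Floating static, AD 250 > RIP's 120: installed only once the RIP route over
! Tunnel0 is gone, then hub-bound traffic hands off to remote router 2 on the LAN
ip route 192.168.0.0 255.255.255.0 192.168.1.2 250
```

Remote router 2 mirrors the last section with its own sVTI pointed at the hub (the hub side is the virtual-template, so nothing there names its address), a floating static for 192.168.0.0/24 via 192.168.1.1, and `offset-list 0 out 3 Tunnel0` under `router rip` so the hub sees its advertisement of the remote LAN as the longer path and prefers router 1 while both tunnels are up. Failover time is bounded by the DPD interval on the IKE side and by RIP's timers on the routing side; check `show crypto session` and `show ip route 192.168.0.0` on router 1 while pulling the primary line to confirm the static actually appears.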

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Garry
Sent: Saturday, May 29, 2010 8:19 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Redundant VPN w/ Cisco Routers

Hi,

I've received a request about setting up a redundant VPN between two
sites ... remote site has two routers connected to two separate lines,
one with static IP, the other dynamic. Local site has a single router
with two links, both static IPs. HW used is a 1841 locally, remote has
an 887 and 878 ...

As I can't use the same internal IP ranges for both VPNs, I was thinking
about setting up something along this idea:

- put in some loopback IP, e.g.: 10.0.0.1 for local site, 10.0.1.1 for
remote router 1, 10.0.1.2 for remote router 2
- set up IPSEC VPNs for 10.0.0.1-10.0.1.1 and 10.0.0.1-10.0.1.2
- run GRE tunnels over those IPSEC tunnels
- use some IGP over the tunnel (and between the two remote routers) to
route the actual LANs

Does this sound like a feasible solution, or is there a better way to
set this up? I've looked around a bit on the 'net, but apart from some
people asking for similar solutions (and usually not getting an answer)
I couldn't find anything ...

Tnx, Garry
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/