Yep,

I see what you're saying.
I set up something similar the other day. I must admit I didn't think too
much about it at the time, and I may just go back and give it a good
testing.
I set up a leased line with an ISDN multilink backup using floating statics.
Configured one policy, key, transform-set, and related access-list. Then
applied the same crypto map to the serial and BRI, just with different peer
IP addresses for Serial and BRI.

I thought at the time about configuring both routers to use the peers'
loopback address, but didn't do it eventually.
I think the routers won't care what the path is between them, just that
there is a path and they see the same peer whichever way they are routed.

If anybody can think of problems/side-effects with this set-up, I'd be
grateful to hear.
If not, hopefully I'll get a chance to set it up some time next week.

Regards,

Gaz

"John Neiberger" wrote in message news:[EMAIL PROTECTED]...
> That's the heart of my original question, really.  I'm fairly new to
> IPSec and I wasn't sure how to configure that.  I suppose I could set up
> the same remote peer in two different maps: one for the primary route
> and one for the secondary route.
>
> In that case, would this count as two sessions since there are now two
> active tunnels?  I was assuming it would count as two unless the
> secondary tunnel doesn't even come active until traffic is present.
>
> Hmm...interestingly, while typing I realized that due to a quirk in our
> network design, encrypting the traffic while they're on the backup link
> is probably not feasible for the time being so this is almost a moot
> point.  It would be nice to know how to configure it when the time
> comes, though.
>
> Thanks,
> John
>
> >>> "Gareth Hinton"  6/22/01 1:50:06 PM >>>
> Hi John
>
> Can't you keep the peers down to one per site if you use loopback
> addresses on each router as the encryption peer?
>
> Gaz
>
>
> "John Neiberger" wrote in message news:[EMAIL PROTECTED]...
> > The '150' number would only be if certain branches had to peer twice:
> > once over the primary route and once over the secondary-but-always-up
> > route.  In actuality, there would still be about 90 peers on that single
> > 7513 but the volume of traffic per peer is going to be pretty low.  It's
> > only tn3270 and DLSw stuff.  The rest of the interbranch traffic will
> > remain in the clear.
> >
> > Is that still going to be too many peers?  I know that the 7513 has a
> > card to do hardware encryption.  It looks like we may have to check into
> > that again.
> >
> > Thanks,
> > John
> >
> > >>> "Dana J. Dawson"  6/21/01 4:38:07 PM >>>
> > IPSec and redundancy is hard.  The usual recommendation is to use GRE
> > tunnels over IPSec, since the tunnels provide a logical interface over
> > which you can run a routing protocol that will provide the redundancy.
> >
> > With plain old IPSec, you use access-lists to specify which traffic
> > goes to which peer, and you can't overlap any of your crypto access-lists
> > (those referenced in a "match address" command in a crypto map).  This
> > precludes the possibility of doing redundancy this way.
> >
> > That being said, you don't want to terminate 150 peers in your 7513,
> > especially if you want that router to do anything else.  With this
> > scale of VPN network, you should have a dedicated VPN concentrator.
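For readers following the thread, here is an added IOS configuration sketch of the design Gaz describes (one crypto map, floating statics, the same map on the serial and BRI interfaces) combined with his loopback-peer idea. It is an example written for this page, not Gaz's actual configuration, and every hostname, address, dialer string and the pre-shared key are constructed placeholders; ISDN switch-type and PPP authentication details are left out. It assumes a plain site-to-site IPsec setup on IOS 12.x with the `crypto map ... local-address` command available.

```cisco
! Added example (not the poster's own config): one site of a leased-line /
! ISDN backup pair, with the IPsec peer pinned to loopbacks on both routers.
! All addresses, names and the pre-shared key are constructed placeholders.
!
hostname SITE-A
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! The peer is the far-end loopback, not either of its WAN addresses
crypto isakmp key REPLACE-WITH-REAL-PSK address 10.255.0.2
!
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
!
! ISAKMP/IPsec is sourced from Loopback0 on whichever interface the map
! is applied to, so the SA is not tied to Serial0 or BRI0
crypto map VPN local-address Loopback0
!
! One map, one peer, one crypto ACL; applied to both WAN interfaces
crypto map VPN 10 ipsec-isakmp
 set peer 10.255.0.2
 set transform-set TS-3DES-SHA
 match address 110
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0
 description Primary leased line to SITE-B
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN
!
interface BRI0
 description ISDN dial backup to SITE-B
 ip address 192.0.2.5 255.255.255.252
 encapsulation ppp
 dialer string 5551234
 dialer-group 1
 ppp multilink
 crypto map VPN
!
dialer-list 1 protocol ip permit
!
! Primary routes via the leased line; floating statics (AD 200) via ISDN
! take over only when the serial route drops out of the routing table.
! The far-end loopback needs a route over both paths too.
ip route 10.255.0.2 255.255.255.255 192.0.2.2
ip route 10.255.0.2 255.255.255.255 192.0.2.6 200
ip route 172.16.2.0 255.255.255.0 192.0.2.2
ip route 172.16.2.0 255.255.255.0 192.0.2.6 200
!
! Crypto ACL: only LAN-to-LAN traffic is encrypted.  Because the same map
! (and therefore the same list) sits on both interfaces, there are no
! overlapping crypto access-lists to worry about.
access-list 110 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
```

SITE-B mirrors this with its own loopback (10.255.0.2) and the reciprocal routes and ACL. To test the failover, pull the serial line and check `show ip route 10.255.0.2` (the next hop should move to 192.0.2.6), then `show crypto isakmp sa` and `show crypto ipsec sa`: the peer pair should still read 10.255.0.1 / 10.255.0.2, and the SAs should carry on rather than being torn down and renegotiated against a new WAN address. Note that with `dialer-list 1 protocol ip permit`, ISAKMP traffic itself counts as interesting traffic and will bring up or keep up the ISDN call.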




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9574&t=9225
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
