Responses in line

1. What do I do for redundancy (VPN Redundant Bundle)?

It runs VRRP for concentrator redundancy. For user sessions you 
make a cluster using VCA under

"Configuration | System | Load Balancing".

For redundancy on LAN-to-LAN tunnels it's much harder.

The way the concentrator does LAN-to-LAN, you have to configure
the LAN-to-LAN tunnel with the IP of who the peer is going to be
speaking to. Also, the VRRP master IP MUST be the main concentrator's
IPs. This means you need to take the backup concentrator offline (the VRRP
slave), change its IPs to the primary's, and configure the LAN-to-LAN rules
WHILE it's using the master's IPs. This is so it will have a correct SA
database stored in its config. You then change its IPs back to the ones it
uses while it's a backup, put it back online with the different IPs, and
continue VRRP.

Just be careful not to change any LAN-to-LAN configs while the slave is
using its main IPs. When the primary fails, the slave assumes the master's
IPs for IPsec-related protocols. HTTP admin still works using the slave
IPs. I wish Cisco would come up with a way to replicate the config over the
wire.

Anyone from Cisco care to join in...

2. Load balancing 

See above.

3. Where to put the concentrator (I prefer putting the VPN Concentrator behind
the firewall). What issues will I have to consider if I put the concentrator
behind the firewall?

You can do either. If it's behind a firewall you need to open

IP Protocol 50 (ESP) and UDP port 10000 (IPSEC/UDP). This is what the
concentrator needs out of the box. You may also need to open TCP ports if
you run IPSEC/TCP for your PAT users. I would put the
concentrator behind the FW, for protection from DoS attacks and similar
stuff that is possible. One caveat is to make sure
you don't run NAT on the VPN concentrator (i.e. use public IPs behind your
FW); the concentrator DOES NOT like double NAT, even with the new 3.6 code
which supposedly provides "IPSec over NAT-T".

Tested it; it still works best with public IPs everywhere. Maybe PAT at the
remote side.

Thanks, 



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59006&t=58982
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html

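Added example, not part of the post above and not taken from any Cisco document: a PIX 6.x-style outside access list for the placement described in answer 3, with the concentrator on a public address behind the firewall and no NAT applied to it. The interface names, the access-list name, the 203.0.113.0/24 addresses (documentation range) and the assumption that the concentrator's IPSec/TCP port is its default of 10000 are all hypothetical. IKE on UDP 500 is included as well, since the peers negotiate the SAs over it before any ESP traffic flows; UDP 4500 is the standard NAT-T port and is only relevant if NAT transparency is enabled on the 3.6 code.

```cisco
! Hypothetical addresses (documentation range): firewall outside 203.0.113.1,
! VPN concentrator public interface 203.0.113.10 behind the firewall.

! Identity mapping so the concentrator keeps its public IP through the PIX.
! This is the "no NAT on the concentrator" caveat from the post: a translated
! address here would give the double-NAT situation the concentrator dislikes.
static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255

! IKE / ISAKMP, used to negotiate the SAs before any ESP is exchanged.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp

! IP protocol 50 (ESP), the encrypted tunnel traffic itself.
access-list outside_in permit esp any host 203.0.113.10

! IPSec over UDP on the concentrator's out-of-the-box port 10000.
access-list outside_in permit udp any host 203.0.113.10 eq 10000

! Only if NAT transparency (NAT-T, 3.6 code) is enabled: standard NAT-T port.
access-list outside_in permit udp any host 203.0.113.10 eq 4500

! Only if IPSec over TCP is enabled for remote users behind PAT; the port
! must match what is configured on the concentrator (10000 assumed here).
access-list outside_in permit tcp any host 203.0.113.10 eq 10000

! Everything else from the outside to the concentrator is dropped by the
! implicit deny, which is the DoS-exposure reduction the post is after.
access-group outside_in in interface outside
```

The rules are deliberately limited to the concentrator's own address rather than `any`; with the identity `static` in place, the firewall passes the packets untouched and the concentrator sees the real peer addresses, which is what its LAN-to-LAN peer configuration expects.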