The latest network consultancy job we are doing here at Gconnect involves a network designed to provide redundant VPN tunnels between 2 sites using a combination of 5 DSL (Cisco 887) routers. The requirements for the job were that in the event of an ADSL line failure the VPN traffic should continue to flow with minimal disruption to the clients. While everything is in normal operation, traffic destined for the internet should be routed over a different path than the VPN traffic, keeping an ‘un-contended path’ for the critical site-to-site traffic. It was decided that we’d use a dynamic routing protocol to make the failover happen nicely, and that dictated that we would need to use a GRE/IPSec type tunnel to make it work! In order to show how these site-to-site tunnels are made, I’ve made a quick diagram (shown below):
Config for Router 1 shown on the lefthand side:
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set GCONNECT esp-aes esp-sha-hmac
!
crypto ipsec profile GC-PROFILE
 set transform-set GCONNECT
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 ip ospf 1 area 0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile GC-PROFILE
!
Config for Router 2 shown on the righthand side:
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set GCONNECT esp-aes esp-sha-hmac
!
crypto ipsec profile GC-PROFILE
 set transform-set GCONNECT
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 ip ospf 1 area 0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile GC-PROFILE
!
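As an added example (not part of the original post or of the Gconnect configs), a small Python check that parses both router configs above and flags what a reviewer would raise before deploying them: a pre-shared key bound to 0.0.0.0 0.0.0.0 is accepted from any peer address, IKE DH group 2 is 1024-bit MODP and below current guidance, and the two ends must agree on tunnel subnet and OSPF area or no adjacency forms. The field names and finding texts are assumptions of this example; the config text is the author's, with the key redacted as the author showed it.

```python
import re
from ipaddress import IPv4Interface

# Router 1 config as shown in the post (PSK redacted by the author).
R1 = """crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set GCONNECT esp-aes esp-sha-hmac
crypto ipsec profile GC-PROFILE
 set transform-set GCONNECT
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 ip ospf 1 area 0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile GC-PROFILE
"""
# Router 2 differs only in its tunnel address and its peer address.
R2 = R1.replace("10.10.10.1", "10.10.10.2").replace("destination 1.1.1.1", "destination 2.2.2.2")

def parse(cfg):
    """Pull the fields the audit needs out of one IOS config (assumed field names)."""
    def field(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else None
    return {
        "tun": IPv4Interface(field(r"^ ip address (\S+ \S+)").replace(" ", "/")),
        "area": field(r"^ ip ospf \d+ area (\S+)"),
        "dh": field(r"^ group (\d+)"),
        "psk_peer": field(r"^crypto isakmp key \S+ address (\S+ \S+)"),
    }

def audit(cfg_a, cfg_b):
    """Return findings for the tunnel pair; an empty list means clean."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    for name, r in (("R1", a), ("R2", b)):
        if r["psk_peer"] == "0.0.0.0 0.0.0.0":
            out.append(f"{name}: PSK accepted from any peer address; bind it to the peer IP")
        if r["dh"] in {"1", "2", "5"}:  # 768-, 1024- and 1536-bit MODP groups
            out.append(f"{name}: IKE DH group {r['dh']} is weak by current guidance (use 14+)")
    if a["tun"].network != b["tun"].network:
        out.append("tunnel addresses are not in the same subnet")
    if a["area"] != b["area"]:
        out.append("OSPF area mismatch: hellos will be rejected, no adjacency forms")
    return out
```

Run against the two configs as posted, the audit reports the wildcard key binding and DH group 2 on each router and nothing about the tunnel addressing or OSPF area, which do match.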
When you now execute a show ip route, the routes should be visible in the routing table.