backup tunnel configuration

Ran into a snafu on this one. Wanted to set up a backup route to a multilink int addr that is the customer's primary internet link and which terminates several IPsec tunnels. I successfully created a backup route to that addr via a backup DSL link, connected to a LAN int on the router, but, upon testing (shutting down the multilink int on the provider side) it seems that addr is not reachable, presumably because the interface is administratively down. So, I'm wondering if a) I can just set up secondary tunnel endpoints on the remote tunnel devices via the backup LAN interface addr and apply the same crypto map to the backup LAN interface or b) I should terminate the tunnels on a loopback addr. Or perhaps there's a better solution I can't think of.


If you're doing what I think you are doing, you need to remember that both endpoints of the IPsec tunnel must be public IPs and the pair must be unique. Generally, unless the IPsec tunnel endpoints are BGP multihomed, you will need to set up independent IPsec tunnels for each path.

You will also need a mechanism that allows both ends of the link to reliably detect when the preferred IPsec tunnel is no longer available. You can use a routing protocol through a GRE tunnel, BGP directly across the IPsec tunnel, GRE keepalives, or any other convenient technique supported on the platform and IOS of your choice. Cisco has several examples of OSPF and EIGRP through GRE tunnels through IPsec tunnels on [link], although last time I checked (admittedly, years ago) there were typos or omissions in the sample configurations which would prevent them from working verbatim. There is also a discussion of alternative approaches, with working examples, in a white paper on my web site.

Good luck and have fun.

Vincent C Jones
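One way to build what the reply describes, as an added example that is not from the thread, from Cisco's documentation or from the white paper mentioned above: one GRE/IPsec tunnel per uplink (primary multilink, backup DSL) on the customer router, the mirror image on the remote peer, and EIGRP across both tunnels so each end detects loss of the primary path from missing hellos and fails over. All interface names, addresses, the pre-shared key and the EIGRP AS number are placeholders; the two source/destination pairs are distinct, as the reply requires.

```cisco
! Customer router: one GRE/IPsec tunnel per uplink; EIGRP hellos detect failure.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile PROT
 set transform-set TS
!
interface Multilink1
 ip address 198.51.100.2 255.255.255.252
interface FastEthernet0/1
 ip address 192.0.2.2 255.255.255.252
!
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 tunnel source Multilink1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile PROT
! Tunnel delay defaults to 50000; a higher value makes EIGRP prefer Tunnel1.
interface Tunnel2
 ip address 10.255.2.1 255.255.255.252
 delay 100000
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile PROT
!
router eigrp 100
 network 10.255.0.0 0.0.255.255
 network 10.1.0.0 0.0.255.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 192.0.2.1 250
!
! Remote peer (203.0.113.1): same policy/profile, plus a key for each customer
! address; "shared" is required because both tunnels use one source interface.
interface Tunnel1
 ip address 10.255.1.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile PROT shared
interface Tunnel2
 ip address 10.255.2.2 255.255.255.252
 delay 100000
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile PROT shared
```

While the multilink is up, Tunnel2's outer packets are sourced from the DSL address but follow the primary default route, so if either provider filters on source address the DSL uplink needs its own front-door VRF (tunnel vrf) instead of the floating static route. In the failure the poster describes, the remote end's Tunnel1 line protocol stays up because GRE is stateless, and only the EIGRP hold timer (15 s by default) removes the routes through it.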