Dual IPSEC tunnels

One of our remote sites links into our head office via an IPSEC VPN established between a 2600 router (branch) and VPN 3000 concentrator (hq). The link is currently configured using static crypto maps on the 2600 and a Lan-to-Lan definition on the concentrator.

I need to provide some additional bandwidth, and as a quick and dirty approach I was planning on adding a second ADSL link at the branch office. My plan is to define two crypto maps on the 2600, one matching the majority of remote hosts and a second matching one particular host. I'll define the appropriate configuration on the concentrator too, so it knows which link to send traffic down.

The one thing I'm unsure of is how to configure the 2600 to route traffic for each tunnel. Obviously I want it to route the IPSEC traffic for tunnel 1 down the first ADSL link, while the other tunnel is routed via the second DSL link.

I'm guessing I need to configure policy based routing based on source IP, but I'm not certain.

Any help would be gratefully received!

Regards, Chris

Can2002

Sounds to me like Policy Based Routing would do what you want. No idea about the 3000 concentrator end though. If your 2600 does not have crypto hardware then you should check the CPU. I have one that is used as a backup link and it maxes out the CPU when it is used. It's so bad that it is in my view not worth having, but the management disagree.

Bod43

I have done this several times but not between a router and a Concentrator - always two routers.

On the router in question I set up 2 x Point to Point Tunnels and used a routing protocol to influence all traffic down say the secondary link. I then used a route map on the inside interface identifying 'critical traffic' and set the IP next hop to be the other end of the primary link - the less preferred path.

Without a routing protocol, how would you control return traffic at the Concentrator end? I would be interested in finding out.

Regards

Darren

Darren Green

Thanks guys,

It's good to know I'm going in roughly the right direction!

The concentrator end is relatively easy while I statically define what remote hosts use what tunnel. When I define the LAN-to-LAN session on the Concentrator I can specify a list of addresses that sit behind a remote peer so I can distribute the traffic as needed.

I'll have a play!

Cheers, Chris

Can2002
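A worked branch-router configuration along the lines discussed in this thread (two crypto maps, one per ADSL link, plus a route-map on the inside interface), added here as an example and not the poster's own config. It assumes constructed addresses: inside LAN 192.168.10.0/24 on FastEthernet0/0, the critical host at 192.168.10.50, HQ LAN 10.0.0.0/24, the concentrator's public address 203.0.113.1, the ADSL links as Dialer1 (existing, carries the default route) and Dialer2 (new, static address 198.51.100.2), and an existing ISAKMP policy, pre-shared key and transform set TS-AES-SHA that are not repeated.

```cisco
! Constructed example config for the branch 2600 (not the poster's own).
! Crypto ACLs: each must mirror the matching LAN-to-LAN network list on the
! concentrator. The deny keeps the critical host off tunnel 1 even if link 2
! fails and its traffic falls back to the default route.
ip access-list extended VPN-ALL-HOSTS
 deny   ip host 192.168.10.50 10.0.0.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended VPN-CRITICAL-HOST
 permit ip host 192.168.10.50 10.0.0.0 0.0.0.255
!
! One crypto map per ADSL link, both peering with the concentrator.
crypto map MAP-LINK1 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES-SHA
 match address VPN-ALL-HOSTS
crypto map MAP-LINK2 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES-SHA
 match address VPN-CRITICAL-HOST
!
interface Dialer1
 crypto map MAP-LINK1
interface Dialer2
 ip address 198.51.100.2 255.255.255.252
 crypto map MAP-LINK2
!
! Policy routing on the inside interface (the route-map approach from the
! thread): only the critical host's HQ-bound traffic leaves via Dialer2,
! where MAP-LINK2 encrypts it; everything else follows the default route.
ip access-list extended PBR-CRITICAL
 permit ip host 192.168.10.50 10.0.0.0 0.0.0.255
route-map PBR-INSIDE permit 10
 match ip address PBR-CRITICAL
 set interface Dialer2
interface FastEthernet0/0
 ip policy route-map PBR-INSIDE
!
! IKE for tunnel 2 is router-originated and sourced from Dialer2's address,
! but router-originated packets follow the routing table, i.e. the default
! route out Dialer1, so tunnel 2 would never come up. Local policy routing
! steers packets from Dialer2's address to the concentrator out Dialer2.
ip access-list extended PBR-LOCAL-LINK2
 permit ip host 198.51.100.2 host 203.0.113.1
route-map PBR-LOCAL permit 10
 match ip address PBR-LOCAL-LINK2
 set interface Dialer2
ip local policy route-map PBR-LOCAL
!
ip route 0.0.0.0 0.0.0.0 Dialer1
```

On the concentrator this corresponds to two LAN-to-LAN entries, one per branch public address, whose remote network lists match VPN-ALL-HOSTS and VPN-CRITICAL-HOST exactly; a host that appears in both lists will fail proxy-identity matching on one of the tunnels.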
