GRE over IPSec question

Hi all-

I am attempting to setup a failover connection for work, and have a few questions I am unsure about.

First, a little about my situation:

We currently have a WAN setup between multiple sites (T1's) on a private network, and an internet facing T1 coming in via an additional non-private T1 at our main site. We are currently looking at implementing failover DSL links from our remote sites to our main site (over the internet). Additionally, we are running OSPF.

So far, we are planning on using VPN connections from the DSL lines, which will start at the remote router, and terminate at a firewall behind our Internet T1. However, to propogate OSPF routes over the VPN, GRE is needed, which our firewall does not support.

To remedy this, I was thinking it might work to terminate the VPN at our firewall, and still pass the GRE traffic to an internal router which does support GRE, and which can then pass any OSPF routes over the GRE/IPSec link.

First of all, is this possible? One of the problems I am running into is that the routers on both sides (remote and internal) are connected via the private WAN link, so I would have to figure out a way to make the tunnel go through the VPN and not the WAN link, any suggestions? I would prefer to stay away from static routes if possible.

A little visual aid:

[Remote Cisco router]=-=-=-=[Firewall]-----[Internal Cisco Router]

------: GRE =-=-: GRE/IPsec


Reply to
Loading thread data ...

I have implemented something similar, but not identical to your problem.

Here is my architecture

router-----------BGP routing MPLS network----------------router | | firewall============IPsec tunnel across internet========firewall

We set up a GRE tunnel between loopbacks on the two routers. A static route on each router gives the next hop for the remote loopback address as the local firewall. The IPsec tunnel is simple, just carrying traffic between the loopbacks over the GRE tunnel.

We run both BGP and OSPF on the routers, with the BGP for the MPLS and the OSPF over the tunnel. The preferred route is over the MPLS WAN. It is not necessary to use multiple routing protocols, but this makes our config with IPsec backup very similar to our existing configs with ISDN dialup.

Hope this helps


Reply to
peter Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.