Redundant Static Route through two IPSec Tunnels
L1 Bithead

Hello All,

I am attempting to set up a primary and backup route to the same IP through two different IPSec tunnels. I have attempted both PBF and Static Route Path Monitoring and can't seem to get either to work; in both cases it is because there is no IP assigned directly to the tunnel interface.

Here's the layout:

Site A

PA-820  Int 3 <-------------------> Int 1 (Service provider Cisco ISR), route to 192.168.2.0/24 (Primary)

192.168.1.0/24

IPSec Tunnels to Sites B & C
Site B

PA-220  Int 3 <-------------------> Int 1 (Service provider Cisco ISR), route to 192.168.2.0/24 (Secondary)

192.168.2.0/24

IPSec Tunnels to Sites A & C

Site C

PA-220

192.168.3.0/24

IPSec Tunnels to Sites A & B

The outcome I am looking for is that any time Site A or C cannot get to the 192.168.2.0 network through Site A, it will automatically start routing 192.168.2.0 traffic to Site B.

Same for Site B: any time it cannot get to 192.168.2.0 through its directly connected route, it will pass that traffic to Site A.

The way I have it configured now is with two static routes to 192.168.2.0, with the secondary route having a higher metric and distance, but I was really wanting a more solid solution that would remove the route the way path monitoring or PBF works.

Cyber Elite

Good Day

May I recommend that you simply add an IP address within the tunnel interface, so that you can do tunnel monitoring?

PBF, Static Route Path Monitoring, and Tunnel Monitoring would use IPs for either next hops or monitoring IPs.
Help the community: Like helpful comments and mark solutions

I did try that. At Site A, I added IP 192.168.1.5/24 to the tunnel interface, but I get an error that the IP address overlaps with the IP addresses assigned to another interface. How do I fix this?

What I would recommend is to have a subnet (could be a /30) that would be unique for each VPN.

So for a single VPN, have a different subnet: 10.99.99.1/30 on one side and 10.99.99.2/30 on the other, and continue to monitor.

That would be for tunnel monitoring (under your IPSec configuration).

For the static route path monitor, you could have your virtual router "ping" some IP on the remote side of the VPN.
I believe this may alleviate the need to set up tunnel interfaces, or be a way to complement them.

What other questions can we answer?
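
As an added example (mine, not the poster's configuration and not from Palo Alto Networks), here is how the two suggestions above look together in PAN-OS set commands on Site C, which reaches 192.168.2.0/24 primarily through its tunnel to Site A and falls back to its tunnel to Site B. The interface, tunnel, route and probe names, the 10.99.99.0/30 and 10.99.98.0/30 addressing and the virtual router name are assumptions, and the command paths are PAN-OS 9.x/10.x syntax as I recall it, so check them against the configuration guide for your release.

```panos
# Site C (PA-220), virtual router "default". Constructed example, not the poster's config.
# tunnel.1 -> Site A (primary path to 192.168.2.0/24), tunnel.2 -> Site B (backup path).

# 1. A unique /30 per tunnel, so each tunnel interface has an address that can be
#    probed. Reusing a LAN /24 (192.168.1.5/24) overlaps the LAN interface, which is
#    the commit error seen above. The far ends use the .1 of each /30 (assumption).
set network interface tunnel units tunnel.1 ip 10.99.99.2/30
set network interface tunnel units tunnel.2 ip 10.99.98.2/30
set network virtual-router default interface [ tunnel.1 tunnel.2 ]

# 2. Tunnel monitoring (under the IPSec tunnel): ping the peer's tunnel address through
#    the tunnel itself, using the predefined "default" monitor profile.
set network tunnel ipsec siteC-siteA tunnel-interface tunnel.1
set network tunnel ipsec siteC-siteA tunnel-monitor enable yes destination-ip 10.99.99.1 tunnel-monitor-profile default
set network tunnel ipsec siteC-siteB tunnel-interface tunnel.2
set network tunnel ipsec siteC-siteB tunnel-monitor enable yes destination-ip 10.99.98.1 tunnel-monitor-profile default

# 3. Two static routes to the same prefix. The primary wins on metric (10 vs 20); path
#    monitoring withdraws a route from the forwarding table when its probe fails, so the
#    backup takes over without a manual change and returns after the hold time.
set network virtual-router default routing-table ip static-route to-net2-viaA destination 192.168.2.0/24 interface tunnel.1 nexthop ip-address 10.99.99.1 metric 10
set network virtual-router default routing-table ip static-route to-net2-viaA path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route to-net2-viaA path-monitor monitor-destinations probe-A enable yes source 10.99.99.2 destination 10.99.99.1 interval 3 count 5

set network virtual-router default routing-table ip static-route to-net2-viaB destination 192.168.2.0/24 interface tunnel.2 nexthop ip-address 10.99.98.1 metric 20
set network virtual-router default routing-table ip static-route to-net2-viaB path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route to-net2-viaB path-monitor monitor-destinations probe-B enable yes source 10.99.98.2 destination 10.99.98.1 interval 3 count 5
```

Probing the peer's tunnel address ties each probe to its own tunnel, so the primary route is withdrawn only when that tunnel stops answering; it does not detect a failure beyond Site A, for which you would probe a host inside 192.168.2.0/24 instead and accept that the probe then follows whichever route is currently active.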