Site to site VPN Redundancy
Site to site VPN Redundancy - 16.Sep.2008 5:42:20 PM
tomers@tomers.co.il
Posts: 29
Joined: 1.Nov.2006
Status: offline
Hi. I have ISA 2006 which has a site to site VPN to a Cisco router on the internet. I want to have redundancy on the Cisco side of the VPN (two lines - DSL and Cable). In order to accomplish the redundancy, I have two Cisco routers with different lines (DSL and Cable) and different ISPs. The DSL is the main line and the site to site VPN with ISA is working on that line. I want to be able to reestablish the VPN with the other router in case of a problem with the DSL line/router/ISP. That means that at the time of a failover, the peer address changes to the WAN address of the cable line, which means I have to change it manually on the ISA too... Is there a way to give the ISA two peer addresses in case of a failure? Thanks.
RE: Site to site VPN Redundancy - 17.Sep.2008 6:08:37 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
This setup requires inserting a broadband "router" that has dual WAN ports and is specially designed for this purpose. You need one on each end and the device needs to be run in "bridged mode" so that it is "invisible" and is not running any kind of "routing" or "NATing" functions. These devices will sit upstream (outbound) of the ISA and the Cisco VPN router respectively. If the devices cannot do the load balancing at the same time as running in bridged mode then you are just plain screwed. You are really using the wrong line technology for this. Cable and DSL are home user technologies and are not capable of the flexibility of commercial lines such as T1s that run with "real" routers and CSU/DSUs. With commercial technology you would have a router (a real router) at your end of the connection. These are not NAT boxes, these are not "firewalls". You would run all the T1 lines from the same ISP into the same router with each line going into its own serial port (s0, s1, s2, etc.) via a CSU/DSU [on some routers the CSU/DSU is built in]. You then run dynamic routing protocols to handle the load balancing (IGRP for example). This has to be set up by the ISP because they have to set up their own router at their end to interact with your router to make it happen. Therefore the ISP configures and maintains it if something goes wrong. The VPN device or the ISA is totally oblivious to any of this happening and will remain unaware. Now you have to repeat the whole process at the opposite site between them and their ISP with their T1 lines.
_____________________________
Phillip Windell www.wandtv.com
RE: Site to site VPN Redundancy - 19.Oct.2008 6:51:36 AM
adimcev
Posts: 85
Joined: 19.Oct.2008
Status: offline
I saw this while I was searching on Google. While it is true what Phillip says about the T1 lines, you can work something out with those home technologies. It seems that they are quite popular these days; many people want to pay two pennies and do wonders. For example Cisco has OER, now named PfR. If you combine that with GRE, you can achieve a sort of load balancing and failover for your VPN s2s connections. But this is an ISA forum, otherwise it would have been fun to put the Cisco routers through their paces and give them a run for the money. Adrian
_____________________________
Blog: http://www.carbonwind.net/blog Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8