[VPN] IPSec tunnel failover

Jean-Francois Dive jef at linuxbe.org
Fri Mar 4 00:38:13 EST 2005


Routing-wise, this is not great. The VPN does not appear as a private
link anymore, and routing policy becomes quite ugly as you have to run BGP
(why BGP, by the way? An IGP sounds the way to go) on your external
interface + set BGP multi-hop and so forth in the case you describe.

On Tue, Mar 01, 2005 at 09:37:18AM -0000, Trevillion, Alan wrote:
> As said already I know the Cisco will support routing protocols through
> GRE, however I don't think you'll need this if running BGP through the
> IPSec Tunnel, BGP uses a TCP port so GRE may not have to be used. If you
> are running a Checkpoint Firewall on the Nokia, I don't think the native
> VPN features will work so you may have to use a Checkpoint -> Cisco
> solution. I have never tested BGP from CP->Cisco but would be very
> interested if it works.
> 
> -----Original Message-----
> From: vpn-bounces+alan.trevillion=bankofamerica.com at lists.shmoo.com
> [mailto:vpn-bounces+alan.trevillion=bankofamerica.com at lists.shmoo.com]
> On Behalf Of Jean-Francois Dive
> Sent: 01 March 2005 05:59
> To: ADiaz at t-systems.com
> Cc: vpn at lists.shmoo.com
> Subject: Re: [VPN] IPSec tunnel failover
> 
> 
> The Cisco way of achieving this is to use GRE + transport mode +
> whatever classic routing management you could come up with. As for the
> Nokia support of such a scenario, I don't really know.
> 
> On Wed, Feb 09, 2005 at 07:13:38PM +0100, ADiaz at t-systems.com wrote:
> > 
> > VPN Wizards,
> > I have been tasked to configure IPSec tunnels from a remote site
> > (1751 w/Cisco Secure IOS) terminating on 2 different Nokia IP380
> > firewalls. The customer is requesting that the traffic be divided into
> > the tunnels by certain traffic type. One tunnel will transport SAP,
> > terminating on 1 firewall and the other tunnel will transport e-mail,
> > miscellaneous traffic, terminating on the other firewall. They also are
> > requesting that in the event that one tunnel fails the traffic of the
> > failed tunnel be automatically re-routed to the other available
> > tunnel. Can anyone let me know if this is feasible and how it is done.
> > Do I need additional hardware or software to resolve this request?
> > 
> > Thanks,
> > 
> > al
> > _______________________________________________
> > VPN mailing list
> > VPN at lists.shmoo.com http://lists.shmoo.com/mailman/listinfo/vpn
> 

-- 
--

-> Jean-Francois Dive
--> jef at linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde
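
As an added illustration of the GRE + transport-mode approach Jean-Francois describes, and not a configuration posted in this thread, here is what the IOS side of al's two-tunnel setup could look like: two GRE tunnels, each protected by IPsec in transport mode, an IGP over the tunnels so they behave as private links, and policy routing to split traffic by type while falling back to the surviving tunnel. Everything below is assumed for the example: addresses are from the RFC 5737 documentation ranges, interface names, ACL and crypto-map names and the pre-shared-key placeholders are made up, and the SAP port range is a guess at the customer's setup. Only the router end is shown; whether the Nokia/Check Point end can terminate GRE is left open, as it is in the thread.

```cisco
! Added example (not from the thread). IOS 1751 side only.
! Addresses, names and port ranges are assumptions.
!
! --- IPsec protecting the GRE packets, transport mode as JFD suggests
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-ME-FW1 address 192.0.2.1
crypto isakmp key REPLACE-ME-FW2 address 192.0.2.2
!
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
!
! crypto ACLs match only the GRE packets between the tunnel endpoints
ip access-list extended GRE-TO-FW1
 permit gre host 198.51.100.10 host 192.0.2.1
ip access-list extended GRE-TO-FW2
 permit gre host 198.51.100.10 host 192.0.2.2
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set GRE-TS
 match address GRE-TO-FW1
crypto map VPNMAP 20 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GRE-TS
 match address GRE-TO-FW2
!
! --- GRE tunnels; keepalives bring line protocol down when a peer stops answering
interface Tunnel1
 description to firewall 1 (primary for SAP)
 ip address 10.255.1.1 255.255.255.252
 keepalive 10 3
 tunnel source Serial0/0
 tunnel destination 192.0.2.1
interface Tunnel2
 description to firewall 2 (primary for e-mail and misc)
 ip address 10.255.2.1 255.255.255.252
 keepalive 10 3
 tunnel source Serial0/0
 tunnel destination 192.0.2.2
!
interface Serial0/0
 description Internet-facing (assumed WIC interface)
 ip address 198.51.100.10 255.255.255.0
 crypto map VPNMAP
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map SPLIT-BY-APP
!
! --- IGP over the tunnels: the tunnels are ordinary private links to OSPF
router ospf 1
 network 10.255.1.0 0.0.0.3 area 0
 network 10.255.2.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
!
! --- Split by traffic type with automatic fallback: "set interface" lists
!     interfaces in preference order and uses the first one whose line
!     protocol is up, so a dead tunnel (keepalive failure) is skipped.
ip access-list extended SAP-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any range 3200 3299
ip access-list extended MAIL-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq smtp
 permit tcp 10.1.1.0 0.0.0.255 any eq pop3
 permit tcp 10.1.1.0 0.0.0.255 any eq 143
!
route-map SPLIT-BY-APP permit 10
 match ip address SAP-TRAFFIC
 set interface Tunnel1 Tunnel2
route-map SPLIT-BY-APP permit 20
 match ip address MAIL-TRAFFIC
 set interface Tunnel2 Tunnel1
! anything else simply follows the OSPF routing table
```

Two caveats a practitioner would check before relying on this. First, the fallback only helps if the far side of the surviving tunnel can actually reach the servers that normally sit behind the other firewall; the policy map on the router says nothing about what firewall 2 will do with SAP traffic it was not expected to carry. Second, GRE keepalives and OSPF hellos both travel inside the protected GRE flow, so the crypto ACLs must match GRE between the tunnel endpoints, as above, or the tunnels will come up unencrypted or not at all.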


