
I'm a bit of a VPN newbie, so please go easy on me ...

I'm trying to use the VPN trunking capabilities of the DrayTek Vigor 2930 firewall to bond two IPSec VPN connections to a Cisco ASA 5520 device, and I'm getting myself tied in knots and hope someone here with more knowledge / experience can help.

I have a remote site with two ADSL connections and the DrayTek box. The main office site has the Cisco ASA device. I am able to set up a single IPSec connection between the two sites on either of the ADSL connections' public IP addresses, but as soon as I try to use the VPN bonding, nothing works. The VPN tunnels are both still up, but the traffic is getting lost somewhere. I suspect it's due to the ASA not knowing how to route the traffic back over the VPN - one minute, traffic from my remote office's network is coming from public IP address #1, the next it's coming from public IP address #2 and it doesn't know what to do. Well, that's my newbie impression of what's going wrong, but I don't really know:

  1. If this is really what's happening

  2. If what I'm trying to do (bond two VPN connections from a single remote network to improve the bandwidth / resiliency) is possible with the kit I've got

Could anyone help?

David Heggie
  • This really has me scratching my head here. Does the ISP support bonded DSL connections? It would be so much easier with one tunnel when the two endpoints are dissimilar platforms. – SpacemanSpiff Jan 26 '12 at 14:37
  • 'Fraid not, the ISP doesn't support that - it was the specific claims of the Vigor box (see here http://www.draytek.co.uk/products/vigor2930.html under VPN Trunking) that made me think this was possible. – David Heggie Jan 26 '12 at 14:38
  • I would think the ASA will support equal cost multi path, and just load balance the two pipes when it has two routes to the same destination with the same weight. If the Draytek is using some kind of protocol to do it, then it may not work with the ASA if it's proprietary. – SpacemanSpiff Jan 26 '12 at 14:42
  • @SpacemanSpiff Problem is that the ASA's IPsec VPN stuff is all policy-based, not route-based - no metrics, just triggers the first policy that matches the traffic in the crypto map. David, what's the ASA give you from `show crypto ipsec sa`? – Shane Madden Jan 26 '12 at 18:09
  • Hrmm... run a GRE tunnel over it? :) – SpacemanSpiff Jan 26 '12 at 19:49
  • @SpacemanSpiff If only - won't do GRE either. They're pretty limited in their VPN capabilities for a "security appliance", when compared to Cisco's routers. – Shane Madden Jan 26 '12 at 23:40

2 Answers


Been looking at the trunked VPN, and from my understanding you have to have two DrayTek units - one at each end - to use this.

nuttynat

Yes, you need a DrayTek at each end. You might be able to hack something together, but it would probably be worth a phone call to DrayTek if you were going to do that.
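To illustrate Shane Madden's point above that the ASA's site-to-site IPsec is policy-based (a crypto map, walked in sequence-number order, first match wins), here is an added ASA configuration fragment; it is not from the thread, DrayTek or Cisco. It assumes pre-8.4 ASA syntax and uses constructed RFC 5737 documentation addresses for the two ADSL public IPs and both LANs.

```cisco
! Constructed addresses (not from the thread):
!   main office LAN behind the ASA   : 10.0.0.0/24
!   remote office LAN behind the Vigor: 192.168.1.0/24
!   Vigor public IP on ADSL #1        : 203.0.113.10
!   Vigor public IP on ADSL #2        : 198.51.100.20

! "Interesting traffic" is the same for both tunnels, because it is the same
! pair of LANs; the ASA has no route or metric to tell the two peers apart.
access-list VPN_TO_REMOTE extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Entry 10: tunnel to the Vigor over ADSL #1.
crypto map outside_map 10 match address VPN_TO_REMOTE
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA

! Entry 20: tunnel to the Vigor over ADSL #2, same ACL, different peer.
! For traffic from 10.0.0.0/24 to 192.168.1.0/24 the ASA evaluates the map
! top-down and stops at entry 10, so entry 20 is never selected for the
! return traffic even while an SA with peer 198.51.100.20 is up. Traffic
! that arrived via ADSL #2 is therefore answered via ADSL #1.
crypto map outside_map 20 match address VPN_TO_REMOTE
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set transform-set ESP-AES-SHA

crypto map outside_map interface outside

! The closest a crypto map gets to using both ADSL lines is a backup peer,
! which the ASA only tries when it initiates and the first peer is unreachable;
! that is failover, not the load sharing the Vigor's "VPN trunking" expects.
!   crypto map outside_map 10 set peer 203.0.113.10 198.51.100.20

! `show crypto ipsec sa` (mentioned in the comments) shows the per-peer SAs with
! their encaps/decaps counters, which is how the one-way traffic shows up.
```

The counters in `show crypto ipsec sa` will show decaps on both SAs but encaps only on the first entry's SA, which is the symptom the question describes.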