- IPSec Configuration
- VPN Routing Using Border Gateway Protocol (BGP)
- Implementation Experience
VPN Routing Using Border Gateway Protocol (BGP)
Rather than use a GRE tunnel, you can take advantage of the ability of the Border Gateway Protocol (BGP) to establish routing neighbor relations between non-adjacent routers. Exterior gateway protocols such as BGP are designed to function in an environment where not all routers support the routing protocol.
Using BGP between the routers, you can establish a neighbor relationship and exchange routes as if the two routers actually were adjacent. This is a little bit tricky because you need to configure the route between routers using static routes (BGP won't use a default route). At the same time, you don't want that static route to be used for production traffic; otherwise, it creates a black hole when the VPN goes down. Rather than a static route pointing all traffic to the distant LAN to the IP address of the local firewall VPN interface, you can define a static host route for only the IP address of the LAN interface on the remote router.
Once you have BGP routing exchanges working between the two routers, you can use standard dialer watch or dial-on-demand routing to implement your dial backup. That way, as long as the IPSec tunnel is up, BGP will learn the networks accessible via the VPN, and traffic for systems on the remote LAN can be routed over the VPN. Any time there's a problem with the IPSec tunnel, whether due to firewall, link, or ISP problems, BGP will time out from the lack of hello exchanges, remove the routes from the routing table, and dialer watch will bring up the backup link. Or, if you're using dial-on-demand routing, the floating static route(s) will take over and the next packet destined to the remote side will force up the ISDN link, restoring production communications.