
Floating static routes for VPN backup connectivity


tNscheffer

IS-IT--Management
Jul 15, 2009
I wasn't sure which forum to put this in so I have placed it here and in the VPN forum. I hope that is OK.

I have a central location and four remote locations with a router at each location. I will have private leased lines for main WAN connectivity. I will also be using IPsec over GRE for VPN backups from each location to the central location over the public IP cloud. My plan is to configure EIGRP on each of the routers as well as "floating static routes" for the GRE tunnels.

My questions are:

1. Will this work to ensure that the VPNs are only used in the event that the main WAN connectivity goes down and that the VPNs are not used when the main WAN connectivity comes back up?

2. If the floating routes are configured for the GRE tunnels, will this prevent the EIGRP protocol from using the GRE tunnels as part of its topology?

3. Should this be the other way around (meaning should I configure static routes for the main WAN links and EIGRP for the GRE tunnels?)

4. If I do configure it as mentioned in question 3, won't the static routes have to be manually re-added to the table when the WAN links come back up (as opposed to GRE tunnels which are always considered up so the static routes would never be removed from the table)?

The idea is to get the VPN backups to work transparently without any manual adjustments to the router config. Any thoughts would be greatly appreciated. Thank you.
 
Well, a VPN needs WAN connectivity from end to end before the tunnel even comes into play. Your floating static routes will come into play here. Your GRE tunnels are routed by means of being directly connected after the tunnels are established, so floating static routes will not work.

Your tunnels need the WAN in the first place, so if it fails, the tunnels cannot come up. If you have a second WAN, then use the WAN links with the floating static routes; the secondary links need to have the higher metric, so those would be the EIGRP routes. Then the main link would be a static route. These would be floating dynamic routes, not static. Make sense?


tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Actually, it doesn't make sense (to me anyway). The GRE tunnels are over the public internet and the main WAN links are over private dedicated links. My understanding has always been that the GRE tunnels are considered always up (regardless of whether or not they are actually communicating with the other end). You mentioned the secondary links need a higher metric. This is why I planned on using floating static routes (with an AD of 150 or higher) and configuring them as passive interfaces.

If you are saying that the main links should be regular static routes and the tunnels should be EIGRP, then this does make sense. Except from my understanding, if the main links go down then the static route is removed from the table and must be manually re-entered when it comes back up. This will not do.

I would appreciate any further explanation you can give. I may just be misunderstanding. Thanks for your help.
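
An added example, not part of any post in this thread: a simplified Python model of route selection by administrative distance for the design described in the first post, with an EIGRP route (AD 90) over the leased line and a floating static route (AD 150) over the GRE tunnel. The interface names and the prefix are constructed, and the model assumes a route is a candidate only while its exit interface is up.

```python
from dataclasses import dataclass

AD_EIGRP_INTERNAL = 90    # Cisco IOS default for internal EIGRP routes
AD_FLOATING_STATIC = 150  # value proposed in the thread


@dataclass(frozen=True)
class Route:
    prefix: str
    out_if: str
    source: str
    ad: int


class Rib:
    """Simplified model: a route is a candidate only while its exit interface is up."""

    def __init__(self, routes, if_up):
        self.routes = list(routes)  # configured/learnable routes; never deleted here
        self.if_up = dict(if_up)    # interface name -> up/down

    def best(self, prefix):
        live = [r for r in self.routes
                if r.prefix == prefix and self.if_up.get(r.out_if, False)]
        # Lowest administrative distance is installed; None means no route at all.
        return min(live, key=lambda r: r.ad) if live else None


def failover_sequence(wan_states, tunnel_up=True):
    """Return the exit interface chosen for the remote LAN after each WAN state change."""
    remote_lan = "10.2.1.0/24"  # constructed prefix
    rib = Rib(
        routes=[
            Route(remote_lan, "Serial0/0", "eigrp", AD_EIGRP_INTERNAL),
            Route(remote_lan, "Tunnel1", "static", AD_FLOATING_STATIC),
        ],
        # Tunnel1 defaults to up, matching the thread's "GRE tunnels are always up".
        if_up={"Serial0/0": True, "Tunnel1": tunnel_up},
    )
    chosen = []
    for state in wan_states:
        rib.if_up["Serial0/0"] = state
        best = rib.best(remote_lan)
        chosen.append(best.out_if if best else None)
    return chosen


if __name__ == "__main__":
    # Leased line up, down, then restored.
    print(failover_sequence([True, False, True]))
```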
 