WAN link failover to VPN

[randyb]

Hi all:
I am wondering how to go about implementing VPN failover for remote office T-1 links. We have an IP350 cluster at HQ with several networks behind multiple interfaces. The remote offices aggregate behind one of the interfaces and are connected via T1 WAN links. We have been deploying SofaWare Safe@ Office devices to the remote offices to take the Internet traffic off of the T1 links, and now management wants to make the circuits redundant by configuring the endpoints to fail over to the VPN if the serial goes down. I know both ends can do OSPF and/or route-based VPNs, I would just like some direction on how to move forward. Has anyone done this before?

Thanks!
Randy B

[mcnallym]

Bad news. You cannot Route base VPN between Sofaware/Edge boxes and Nokia's. You can do route based VPN's between Sofaware/Edge and SPLAT boxes, and SPLAT boxes and Nokia, but not Nokia to Sofaware/Edge.

The other peice of info that is relevant is that if you have a VPN between two points then it will automatically route via the VPN even if routing costs are set so that the lease line is a lower cost. You would need to have a router in front of the firewall boxes to make the routing decision, wether to goto the firewall or go via a lease line.

Your remote offices would then need to be plugged into routers that don't go via the Nokia's to get to the internal main office networks.

Also please note that the Safe@500 boxes need the Power Pack upgrade to be able to do the OSPF routing.