ADTRAN Internet-Based WAN Backup manual 61200890L1-29.4A Copyright 2005 ADTRAN, Inc


Internet-based WAN Backup Solutions using NetVanta

The Internet as an Alternative

 

 

Solution 3 - Primary = ISP via PPPoE/DSL-Cable, Alternate = ISP via Dial-up

In this scenario (see Figure 3), the remote site has two ISP accounts: one via PPPoE using a DSL or cable modem, and another via dial-up. Both are protected by the NetVanta firewall. The PPPoE connection is always on and is used for local Internet access (if the corporate security policy allows such connectivity) as well as for the primary path to the central site. The central site has a protected Internet connection and an IPSec VPN gateway for Internet-based access to the central site network. The remote site uses an IPSec VPN over its PPPoE interface as its primary connection to the central VPN gateway. Should the PPPoE link fail, a dial-up connection to a local ISP is invoked, and another IPSec VPN connection is negotiated across the Internet to the central site VPN gateway, re-establishing connectivity between the two sites.

If the remote router reaches the central VPN gateway at the same IP address regardless of which remote router interface is active, it is important that both devices support IKE dead peer detection. Otherwise, when the remote site switches to the other interface, the IPSec and/or IKE SAs (depending on the exact configuration) have to age out naturally before a new VPN connection can be established. Dead peer detection expedites this process, allowing the alternate VPN connection to be established more quickly.
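To make the timing concrete, the following added example (not part of the ADTRAN manual and not NetVanta code) models the central gateway's view of the failover in one-second ticks. All timer values and names are assumptions; the only behaviour taken from the text is that the old SA must be gone before the backup VPN is established.

```python
# Added example: toy timeline of the failover described above, with and
# without IKE dead peer detection. Timer values and names are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Timers:
    sa_lifetime: int = 3600        # SA ages out this long after creation
    dpd_idle: Optional[int] = 10   # silence before first R-U-THERE; None = DPD off
    dpd_retry: int = 5             # wait for R-U-THERE-ACK before re-probing
    dpd_max_probes: int = 3        # unanswered probes before peer is declared dead
    dial_time: int = 30            # modem dial plus PPP negotiation
    ike_time: int = 2              # IKE/IPSec negotiation once it can proceed

def simulate(t: Timers, link_fail: int, sa_created: int = 0):
    """Return (outage in seconds, event log) for a PPPoE failure at link_fail."""
    log = []
    last_heard = link_fail         # last packet seen from the remote over PPPoE
    probes, next_probe = 0, None
    stale_sa = True                # SA still bound to the dead PPPoE path
    dialup_ready = link_fail + t.dial_time
    now = link_fail
    while True:
        now += 1
        if stale_sa and now >= sa_created + t.sa_lifetime:
            stale_sa = False
            log.append((now, "old SA aged out"))
        if stale_sa and t.dpd_idle is not None:
            if next_probe is None and now - last_heard >= t.dpd_idle:
                next_probe = now
            if next_probe is not None and now >= next_probe:
                if probes == t.dpd_max_probes:
                    stale_sa = False
                    log.append((now, "peer declared dead, old SA deleted"))
                else:
                    probes += 1
                    next_probe = now + t.dpd_retry
                    log.append((now, f"R-U-THERE #{probes} unanswered"))
        if not stale_sa and now >= dialup_ready:
            up = now + t.ike_time
            log.append((up, "backup VPN established over dial-up"))
            return up - link_fail, log

if __name__ == "__main__":
    for label, timers in (("DPD on", Timers()), ("DPD off", Timers(dpd_idle=None))):
        outage, events = simulate(timers, link_fail=600)
        print(label, "outage:", outage, "s")
        for when, what in events:
            print("  t=%d  %s" % (when, what))
```

With dead peer detection enabled the outage in this model is bounded by the dial-up time; with it disabled the outage lasts until the SA lifetime expires.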

Note that this configuration is shown using the NetVanta DIM Carrier Module (1200877L1), which allows the dial backup interface module (DIM) to be used without a network interface module (NIM) installed.

Figure 3. Primary WAN Connectivity via IPsec VPN over PPPoE/DSL-Cable ISP Connection, Backup Connectivity via IPsec VPN Dialup ISP Connection

[Figure not reproduced. Address labels shown in the figure: 10.254.255.26/28, 10.254.255.85/28, 10.1.1.240/24, 172.31.4.0/24]

Remote NetVanta Router Configuration:

!
hostname "NV_Remote"
!
ip routing
!
ip firewall
!
!
