
IPSEC VPN High-Availability on Single Router


Hey All,


I have seen that you are unable to apply a Crypto-Map to a Tunnel interface or Port-Channel, so I am looking for alternative solutions. I have a single router terminating IKEv2 tunnels with 1 Public / 1 Private Interface. I am looking to find a redundant solution where I can use 2 Public / 2 Private. We are running an ACI environment and when I perform switch upgrades I am rebooting odd/even switches. When I reboot the switch with the single Public interface I lose my site-to-site VPNs. I am hoping to find a solution where the VPN traffic remains connected but uses the second link.


I have many tunnels from different vendors terminating to this Cisco router and I am not able to have a secondary IP address as a failover IP.


Thanks for your input.

1 Reply

config loopback 

config crypto map 

local-address is loopback 

Apply this crypto under each public interface you get.

This gives you one IPSec SA with dual outgoing interface.
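
The steps in the reply above, written out as an IOS configuration; this is an added example, not the replier's or Cisco's own configuration. Interface names, the map, profile and keyring names, the pre-shared key, the interesting-traffic ACL and every address (documentation ranges) are constructed placeholders. It assumes the loopback address is routed to this router over both public links and that IKEv2 default proposals are acceptable to the peer.

```cisco
! Constructed example: all names, addresses and keys are placeholders.
! The loopback holds the VPN endpoint address. Peers must be able to
! reach it through either public link (assumption).
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
crypto ikev2 keyring KR-PEERS
 peer VENDOR-A
  address 198.51.100.10
  pre-shared-key <PLACEHOLDER-PSK>
!
crypto ikev2 profile PROF-VENDOR-A
 match identity remote address 198.51.100.10 255.255.255.255
 identity local address 192.0.2.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-PEERS
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: local private range to the peer's range.
ip access-list extended VPN-VENDOR-A
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! Source IKE and IPsec from the loopback rather than from whichever
! physical interface the packet happens to leave through.
crypto map CMAP local-address Loopback0
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES256
 set ikev2-profile PROF-VENDOR-A
 match address VPN-VENDOR-A
!
! The same crypto map goes on every public interface.
interface GigabitEthernet0/0/0
 description Public uplink 1
 ip address 203.0.113.2 255.255.255.252
 crypto map CMAP
!
interface GigabitEthernet0/0/1
 description Public uplink 2
 ip address 203.0.113.6 255.255.255.252
 crypto map CMAP
```

After a link failover, `show crypto ikev2 sa` and `show crypto ipsec sa` should still list the loopback address as the local endpoint.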