Redundant IPSEC VPN in Site-2-site

datags-sa
Level 1

Hi. I have a scenario with 2 x 4331 routers. Currently they are connected to ISP and have an IPSEC VPN tunnel working between them. R1 resides in a data center; R2 resides in the branch office. Now we have purchased a WIC for R2 and configured a redundant path via another ISP. I now need to be able to re-establish the VPN to R1 via the WIC should the primary line go down. I am comfortable with how to achieve this in R2 using another crypto map on the 2nd interface, and using an SLA monitor to make this the active route when primary goes down.

 

However, I cannot figure out what needs to be done at R1 as it only has a single WAN interface. I can add the new R2 WAN IP peer into the crypto map, but am confused as to how this becomes active as the match address access list will have the same R2 LAN IP range as the original peer map setting. Of course I cannot add another crypto map to the outgoing interface.

 

I should add that R1 also connects to 3 other remote site IPSEC VPNs.

 

Can anyone shed any light on this?

The attached generic diagram merely illustrates my topology, ignore any references on it.

Accepted Solutions

Francesco Molino
VIP Alumni
Hi

On your router crypto map you can set 2 peers and define 1 as default.
Here is documentation that can help you:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-ipsec-pref-peer.pdf

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
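
The approach in the answer above, written out as an R1 configuration. This is an added example, not part of the original post or the linked Cisco document. It assumes IKEv1 with pre-shared keys and an existing ISAKMP policy and transform set (here called TS); the addresses, ACL name, map name, sequence number, interface and timer values are constructed.

```cisco
! R1 (data center, single WAN interface). All names and addresses are constructed.
! 198.51.100.10 = R2 primary ISP address (assumed)
! 203.0.113.10  = R2 address on the new WIC / second ISP (assumed)
!
! Dead peer detection: lets R1 notice the current peer is gone and
! try the next address in the crypto map's peer list.
crypto isakmp keepalive 10 3 periodic
!
! R1 must be able to authenticate R2 from either address. <PSK> is a placeholder.
crypto isakmp key <PSK> address 198.51.100.10
crypto isakmp key <PSK> address 203.0.113.10
!
! The R2 LAN is matched once, in one ACL used by one crypto map entry,
! so there is no overlap between two entries with the same match address.
ip access-list extended VPN-TO-R2
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map CMAP 20 ipsec-isakmp
 ! Preferred (default) peer: listed first, tried first.
 set peer 198.51.100.10 default
 ! Backup peer: used when DPD declares the default peer dead.
 set peer 203.0.113.10
 ! After the idle timer expires, the next connection goes back to the default peer.
 set security-association idle-time 120 default
 set transform-set TS
 match address VPN-TO-R2
!
! The map is already applied once to the WAN interface; the other
! three sites keep their own sequence numbers in the same map.
interface GigabitEthernet0/0/0
 crypto map CMAP
```

After a failover test, `show crypto map` and `show crypto session` on R1 show which of the two peers is currently in use.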


Thanks Francesco, that's quite simple!

You're welcome and yes this is straightforward.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question