
Adding a Second VPN Peer to Existing Tunnel

rkallas
Level 1

We have a Cisco 3845 router for Site 2 Site VPN tunnels to external business partners.  The IOS is (C3845-ADVIPSERVICESK9-M), Version 12.4(15)T8.

One of our partners is doing a DR test and needs to have us swing the VPN traffic to another peer in a test location temporarily.  I plan on adding the test hosts to our existing encryption ACL, but instead of building another crypto map, I was wondering if I can add a secondary peer to the existing one?  I've not been able to find any config data on this yet so I was hoping someone could confirm if this is a viable approach.

Thanks,

Ray

3 Replies

Jennifer Halim
Cisco Employee

Yes, you can.

You can configure the following under the crypto map:

set peer

As Jennifer told you, you can add a second peer. You can also set the keyword "default" to tell the router which peer should be the preferred one.

But it might be that it's not the right solution for your problem. If you have to change the crypto ACL, then it sounds like different IP addresses are reachable behind peer1 than behind peer2. If that is the case, then you should configure a second crypto-map sequence where both have their own crypto ACL with the correct IP definition.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
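
The two approaches discussed in the replies above, side by side, as an added example that is not part of the original thread. All names (PARTNER-MAP, PARTNER-TS, the ACL names), addresses (documentation and private ranges) and key placeholders are assumptions, and the transform set PARTNER-TS is assumed to exist already.

```cisco
! Constructed example: every name, address and key below is a placeholder.
!
! Each peer needs its own pre-shared key entry in either approach.
crypto isakmp key <KEY-PRIMARY> address 192.0.2.10
crypto isakmp key <KEY-DR> address 198.51.100.10
!
! --- Approach A: one sequence, two peers, one shared crypto ACL ---
! Both peers are offered the same protected networks, so this only fits
! when the same hosts are reachable behind either peer.
ip access-list extended PARTNER-ACL
 permit ip 10.1.1.0 0.0.0.255 172.16.10.0 0.0.0.255
!
crypto map PARTNER-MAP 10 ipsec-isakmp
 set peer 192.0.2.10 default
 set peer 198.51.100.10
 set transform-set PARTNER-TS
 match address PARTNER-ACL
!
! --- Approach B: one sequence per peer, each with its own crypto ACL ---
! Use this instead of approach A when the DR site has different hosts
! behind it (here 172.16.20.0/24 rather than 172.16.10.0/24).
ip access-list extended PARTNER-PROD-ACL
 permit ip 10.1.1.0 0.0.0.255 172.16.10.0 0.0.0.255
ip access-list extended PARTNER-DR-ACL
 permit ip 10.1.1.0 0.0.0.255 172.16.20.0 0.0.0.255
!
crypto map PARTNER-MAP 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set PARTNER-TS
 match address PARTNER-PROD-ACL
crypto map PARTNER-MAP 20 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set PARTNER-TS
 match address PARTNER-DR-ACL
```

For a temporary DR test, sequence 20, its ACL and the second key line can be removed as a unit afterwards, which leaves the production sequence untouched.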

Thanks Jennifer & Karsten,

Yes you are correct, this wouldn't be the best for a long term solution.  The external partner is doing a DR test and has to bring up the VPN tunnel at another location as part of the test.  I was just looking for an alternative to building a whole new crypto map.  This may not be much of a time saver anyway since I'd have to add another crypto key statement for the new peer as well.

Thanks for the responses!

Ray