contingency VPN tunnel

edilson.silva1
Level 1

Hello All

I am in this situation:

I have a VPN tunnel setup and running on a router 1800.
Our customer wants an identical contingency tunnel to this (with another peer IP of course).

When the main VPN tunnel drops, the other will take over.

My question: can I set up a second peer that will take over when the first falls:

crypto map nome-crypto 240 ipsec-isakmp
 description VPN CLIENT
 set peer 201.94.151.141
 set peer 201.94.151.142

 set security-association lifetime seconds 86400
 set transform-set 3des-sha
 match address vpn_intlfcstone

or

do I have to make another crypto map as follows (using the same access list)?

 

crypto map nome-crypto 240 ipsec-isakmp
 description VPN CLIENT
 ! main peer
 set peer 201.94.151.141
 set security-association lifetime seconds 86400
 set transform-set 3des-sha
 match address vpn_intlfcstone

 

crypto map nome-crypto 250 ipsec-isakmp
 description VPN CLIENT
 ! second peer
 set peer 201.94.151.142
 set security-association lifetime seconds 86400
 set transform-set 3des-sha
 match address vpn_intlfcstone


Both VPN tunnels must be on the same router (unfortunately) (1800).


Hello edilson.silva1,

You can set up a second peer IP for the backup VPN.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/xe-3s/asr1000/sec-vpn-availability-xe-3s-asr1000-book/sec-ipsec-pref-peer.html#GUID-527C42AE-44EC-4178-BBC3-B65189329B03

Creating a different sequence in the crypto map for the same traffic will generate an overlapping issue.

Thanks a lot! Andres

 

One more thing: In addition to the command "set peer 201.94.151.141" I must also set this command

"crypto isakmp key <password> Address 201.94.151.141" to the secondary IP?

Hello Edilson,

 

Yes, you are right. You need to define the PSK for the second IP and the command "crypto isakmp key <password> Address <IPaddress>" will help you with it.

 

Kind regards,

 

PD.

If you found the information provided helpful, please, mark it as Correct Answer.
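
An added example, not part of any reply in this thread: a small Python check that parses an IOS configuration and flags the two problems the answers raise, namely crypto map sequences that match the same access list and `set peer` addresses with no `crypto isakmp key`. The two sample configurations and the `EXAMPLE-PSK` placeholder are constructed, `audit_crypto_map` is a hypothetical helper name, and only keys bound to a single peer address are recognized.

```python
import re
from collections import defaultdict

# Constructed input: the poster's second option, with a key for the main peer only.
# EXAMPLE-PSK is a placeholder, not a value from the thread.
TWO_SEQUENCES = """\
crypto isakmp key EXAMPLE-PSK address 201.94.151.141
crypto map nome-crypto 240 ipsec-isakmp
 set peer 201.94.151.141
 match address vpn_intlfcstone
crypto map nome-crypto 250 ipsec-isakmp
 set peer 201.94.151.142
 match address vpn_intlfcstone
"""
# Constructed input: the layout the replies recommend (one entry, two peers, two keys).
ONE_ENTRY_TWO_PEERS = """\
crypto isakmp key EXAMPLE-PSK address 201.94.151.141
crypto isakmp key EXAMPLE-PSK address 201.94.151.142
crypto map nome-crypto 240 ipsec-isakmp
 set peer 201.94.151.141
 set peer 201.94.151.142
 match address vpn_intlfcstone
"""

def audit_crypto_map(config):
    """Return findings for peers without a PSK and for sequences sharing an ACL."""
    keyed, entries, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank lines and IOS comments
        if not raw[0].isspace():
            current = None                # a top-level command ends the map entry
        if m := re.match(r"crypto isakmp key .+ address (\S+)", line, re.I):
            keyed.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line, re.I):
            current = entries.setdefault((m.group(1), int(m.group(2))), {"peers": [], "acl": None})
        elif current is not None and (m := re.match(r"set peer (\S+)", line, re.I)):
            current["peers"].append(m.group(1))
        elif current is not None and (m := re.match(r"match address (\S+)", line, re.I)):
            current["acl"] = m.group(1)
    findings, by_acl = [], defaultdict(list)
    for (name, seq), entry in sorted(entries.items()):
        by_acl[(name, entry["acl"])].append(seq)
        findings += [f"no-psk: {p} (map {name} seq {seq})" for p in entry["peers"] if p not in keyed]
    for (name, acl), seqs in by_acl.items():
        if acl and len(seqs) > 1:
            findings.append(f"overlap: map {name} seqs {seqs} share ACL {acl}")
    return findings
```

Calling `audit_crypto_map(TWO_SEQUENCES)` reports the missing key for 201.94.151.142 and the overlap between sequences 240 and 250, while `audit_crypto_map(ONE_ENTRY_TWO_PEERS)` returns an empty list.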

many thanks! man

Yes...I will do it :-)