06-17-2014 02:18 PM
Hello all!
I want to know how to disable a VPN.
I have a VPN configured and working fine. But, I needed to create a second VPN for the same company, just for backup, so, in that case, I have a different peer.
That backup VPN, I want to configure it, but I'm looking for a way to make it disabled. For example, we can disable an ACL, we can disable a NAT... How to disable a VPN?
The idea is, when I need to make the backup work, I just enable it, something like this.
Thanks,
Diego
06-17-2014 04:28 PM
You can just add a secondary peer address if all other parameters are the same. That way when the primary goes down, the VPN will automatically establish to the secondary with no manual intervention required. Something like:
crypto map VPNMAP 10 set peer 1.1.1.1 2.2.2.2
You will also need to have a tunnel-group for each peer with the same PSK set.
06-17-2014 07:22 PM
Hi Marvin, thanks for the help too!
I did not know about a secondary peer. I will insert the secondary in the respective crypto map. I will take a look at the tunnel-group!
But, if the protected traffic is different in the remote network, I cannot use it? Because in Production the remote network is X and in the backup VPN, the remote network is Y... so they are different.
06-17-2014 11:23 PM
Hi Diego,
You can refer to the below-mentioned post for the site-to-site dual VPN.
http://networkology.net/2013/03/08/site-to-site-vpn-with-dual-isp-for-backup-redundancy/
HTH
Regards
Karthik
06-18-2014 07:11 AM
You're welcome.
If there are different subnets on each, you can't use it without some changes.
What you could do is just make the single access list / cryptomap include both sets of subnets. Whether or not that would suit would depend on how the applications and systems that use the network fail over.
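The two suggestions in this thread (a secondary peer on the crypto map entry with a tunnel-group per peer, and one crypto ACL covering both remote subnets) combined into a single configuration, as an added example that is not from any poster. It assumes ASA 8.4+ IKEv1 syntax; the subnets, the `REMOTE-NETS`, `VPN-ACL` and `ESP-AES256-SHA` names, the `outside` interface and the PSK placeholder are constructed, and only `VPNMAP` and the two peer addresses come from the thread.

```cisco
! Constructed sample networks (assumptions, not from the thread):
!   local 192.168.1.0/24, remote X 10.10.10.0/24, remote Y 10.20.20.0/24
object-group network REMOTE-NETS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.20.20.0 255.255.255.0
!
! One crypto ACL covering both remote subnets. Each remote device needs
! the mirrored ACL, otherwise the IPsec proposal will not match.
access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 object-group REMOTE-NETS
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! One map entry, two peers: peers are tried in the order listed.
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 1.1.1.1 2.2.2.2
crypto map VPNMAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map VPNMAP interface outside
!
! A tunnel-group per peer, both with the same pre-shared key.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
! Test as suggested in the thread: clear the SAs to the primary peer,
! then check which peer the tunnel is established with.
show crypto isakmp sa
clear crypto ipsec sa peer 1.1.1.1
show crypto ipsec sa peer 2.2.2.2
```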
06-17-2014 07:06 PM
Hi,
You can configure the backup VPN as suggested by Marvin. But to bring the primary down, you clear the VPN peer and do a test once you have the backup tunnel ready.
Regards
Karthik
06-17-2014 07:14 PM
Thanks for the help! I will try it and test!
06-18-2014 11:45 PM
Hi Diego,
I had a similar requirement and I was able to sort it out with some help, just go through this thread and let me know whether it helps...
https://supportforums.cisco.com/discussion/12219291/multiple-site-site-vpns-same-intersting-traffic-ha-vpn
Regards,
Bobby Thomas
06-20-2014 09:33 AM
Thanks guys!
With your help, I made a plan for it and I will test it next weekend!
I will post it on Monday!!
Thanks one more time!
Diego
06-22-2014 07:28 AM
Hello Guys!
I configured the new tunnel, with the same PSK.
I edited the crypto map and inserted the new Peer Bkp.
I noticed that a new Connection Profile was created... so I went in to check, and when I tried to change the options inside, just to check, I received some messages, which are attached... Is it normal???
I changed the IPs for "Peer Prod" and "Peer Bkp" just for security.
The same message appears when I try to edit the Peer Prod Connection Profile as well.
Thanks!
Diego