I want to know how to disable a VPN.
I have a VPN configured and working fine. But I needed to create a second VPN for the same company, just for backup, so in that case I have a different peer.
I want to configure that backup VPN, but I'm looking for a way to keep it disabled. For example, we can disable an ACL, we can disable a NAT... How do I disable a VPN?
The idea is that when I need the backup to work, I just enable it, something like this.
You can just add a secondary peer address if all other parameters are the same. That way when the primary goes down, the VPN will automatically establish to the secondary with no manual intervention required. Something like:
crypto map VPNMAP 10 set peer 220.127.116.11 18.104.22.168
You will also need to have a tunnel-group for each peer with the same PSK set.
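Added example (not part of the original thread and not Cisco code): a small Python check of the point made in the reply above, that every address on a "set peer" line needs its own tunnel-group with a pre-shared key. The sample configuration, its documentation-range addresses and the check_peers name are constructed for illustration.

```python
import re

# Constructed sample (documentation-range addresses, masked key); the backup
# peer 198.51.100.20 has a tunnel-group but no pre-shared key yet.
SAMPLE_CONFIG = """\
crypto map VPNMAP 10 match address VPN-TRAFFIC
crypto map VPNMAP 10 set peer 192.0.2.10 198.51.100.20
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
"""

SET_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_TYPE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
TG_ATTR = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
# Accepts both the older "pre-shared-key" and the newer "ikev1 pre-shared-key"
PSK = re.compile(r"^\s+(ikev1 )?pre-shared-key \S+")


def check_peers(config: str) -> dict[str, list[str]]:
    """Return {peer: [problems]} for every peer named on a 'set peer' line."""
    peers, l2l, keyed, current = [], set(), set(), None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # a top-level line ends the previous sub-mode
        if m := SET_PEER.match(line):
            peers += [p for p in m.group(3).split() if p not in peers]
        elif m := TG_TYPE.match(line):
            l2l.add(m.group(1))
        elif m := TG_ATTR.match(line):
            current = m.group(1)
        elif current and PSK.match(line):
            keyed.add(current)
    problems = {}
    for peer in peers:
        issues = []
        if peer not in l2l:
            issues.append("no tunnel-group of type ipsec-l2l")
        if peer not in keyed:
            issues.append("no pre-shared-key under ipsec-attributes")
        if issues:
            problems[peer] = issues
    return problems


if __name__ == "__main__":
    for peer, issues in check_peers(SAMPLE_CONFIG).items():
        print(peer, "->", "; ".join(issues))
```

The check covers presence only: the running configuration masks key values, so whether both peers share the same PSK still has to be confirmed when the keys are entered.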
Hi Marvin, thanks for the help too!
I did not know about a secondary peer. I will insert the secondary in the respective crypto map. I will take a look at the tunnel-group!
But if the protected traffic is different in the remote network, can I not use it? Because in Production the remote network is X and in the backup VPN the remote network is Y, so they are different.
You can refer to the post mentioned below for the site-to-site dual VPN.
If there are different subnets on each, you can't use it without some changes.
What you could do is just make the single access list / crypto map include both sets of subnets. Whether or not that would suit would depend on how the applications and systems that use the network fail over.
You can configure the backup VPN as suggested by Marvin. But to bring the primary down, clear the VPN peer and test once you have the backup tunnel ready.
I had a similar requirement and I was able to sort it out with some help, just go through this thread and let me know whether it helps...
I configured the new tunnel, with the same PSK.
I edited the crypto map and inserted the new Peer Bkp.
I noticed that a new Connection Profile was created, so I went in to check, and when I tried to change the options, just to check, I received some messages, which are attached... Is this normal?
I changed the IPs for "Peer Prod" and "Peer Bkp" just for security.
The same message appears when I try to edit the Peer Prod Connection Profile as well.