10-28-2013 01:39 PM - edited 02-21-2020 07:16 PM
Hello,
I have 2 routers connected to the same LAN, each with a WAN interface connected to the Internet. On these 2 routers I want to terminate an IPSEC tunnel on each one from a remote office, for redundancy. In case a router fails for various reasons, I want the second IPSEC tunnel to be functional and handle the traffic.
What are my options? How can I reach this functionality? I have done a lot of searching on Google but found nothing conclusive.
Thank you for your answers!
10-28-2013 02:05 PM
Hi Catalin,
Thanks for your question.
The easiest solution for your application is IP-SLA with object tracking.
From your remote office, you establish a normal IP-Sec tunnel to both routers as usual; however, the second tunnel to the remote office will kick in only when IP-SLA object tracking fails.
Please go through the thread below, and if you have any questions, please feel free to ask.
https://supportforums.cisco.com/thread/2034251
thanks
Rizwan Rafeek.
10-28-2013 02:12 PM
Hi Catalin,
At the remote office you need to put both WAN IPs of the routers in your peer addresses and enable keepalives. If the tunnel to one of the peers fails, it will automatically switch over to the second IP.
Since they both share the same LAN, internal routing could become an issue; for that I would suggest implementing HSRP with interface tracking so that your routers can make routing changes between them as per the situation.
Regards,
~Harry
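An added example configuration for the approach in the reply above (two peers in one crypto map, IKE keepalives, HSRP with interface tracking); it is not part of the original thread and not the poster's own configuration. Assumptions: the addresses (192.0.2.1 and 198.51.100.1 as the HQ WAN IPs, 10.1.0.0/24 as the HQ LAN, 10.2.0.0/24 as the remote LAN), the interface names, the object names and the IKE/IPsec proposals are all constructed placeholders, and the crypto map on the HQ routers is omitted.

```cisco
! ---- Remote-office router (constructed example) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! <PRE-SHARED-KEY> is a placeholder; use a distinct strong key per peer
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
! IKE keepalives (dead peer detection): probe every 10 s, retry every 3 s
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 ! Peers are tried in the order listed; the second is used when the first is dead
 set peer 192.0.2.1
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description WAN (assumed interface name)
 crypto map VPN
!
! ---- HQ router A, LAN side (router B: same group, default priority 100) ----
! Track the WAN interface so HSRP gives up the active role when it goes down
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 description LAN shared with HQ router B (assumed interface name)
 ip address 10.1.0.2 255.255.255.0
 ! 10.1.0.1 is the virtual gateway address the LAN hosts point at
 standby 1 ip 10.1.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
```

Interface tracking only reacts to the WAN link state on the HQ router, so a tunnel that fails over while that link stays up still needs the internal routing between the two HQ routers to be checked.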
10-28-2013 03:28 PM
Hi,
Can you share an example please?
10-29-2013 01:32 AM
I would address the problem completely differently than the other commenters in this thread. Of course native IPSec has all the tools to provide redundancy on its own. But if you switch from crypto-map-based VPNs to virtual tunnel interfaces (VTI) you can build one tunnel from your remote to each Hub-router. By running a routing-protocol in the tunnel you use that functionality to determine which path is available. That's much more comfortable and easier than using the native IPsec-tools.
10-29-2013 02:33 PM
Ok, but what I need is standard IPsec redundancy, because I want to aggregate on 2 routers (HQ) VPNs with different partners, so I cannot impose the type of IPSEC VPN. It should be a common one, which everyone uses nowadays.
Thank you!