IPsec VPN redundancy

Kerk Chze Perng

Hi guys,

I am just wondering if this can be done to build 2 VPN tunnels. If it can be done, how should I set one of them as primary and the other as backup?

Router RA
====================
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key test address 1.1.1.1


crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
!
crypto map cm-cryptomap 5 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set cm-transformset-1
 match address 105

interface FastEthernet0/0/0
-- omitted --
 crypto map cm-cryptomap

interface FastEthernet0/0/1
-- omitted --
 crypto map cm-cryptomap

Router RB
====================
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key test address 2.2.2.2
crypto isakmp key test address 3.3.3.3


crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
!
crypto map cm-cryptomap 2 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set cm-transformset-1
 match address 105
!
crypto map cm-cryptomap 3 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set cm-transformset-1
 match address 105
!
interface FastEthernet0/0/0
-- omitted --
 crypto map cm-cryptomap

Regards,
Kerk

1 Accepted Solution

When using the legacy config with crypto-maps, you have to use one crypto-map sequence and specify two peers there. Two sequences as in your config are only used if different networks need to be reached through VPN. The config will be:

crypto map cm-cryptomap 2 ipsec-isakmp
 set peer 2.2.2.2
 set peer 3.3.3.3
 set transform-set cm-transformset-1
 match address 105

 

A better solution would be to migrate to Virtual Tunnel Interfaces (VTI). With these you have a logical IPSec-Interface between your routers and you can run a routing-protocol to control which tunnel to use.
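The VTI migration the accepted solution recommends, written out as an added example; it is not configuration from the answer or from the original poster. Both crypto maps are replaced by one IPsec profile and two tunnel interfaces: RA sources one tunnel from each WAN interface (2.2.2.2 and 3.3.3.3, the /29 addresses mentioned later in the thread; which physical interface carries which address is an assumption) toward RB at 1.1.1.1, and RB builds the matching pair. EIGRP runs over the tunnels, and the larger `delay` on Tunnel1 makes the 2.2.2.2 path the primary. Assumed and not from the page: the LAN prefixes 192.168.1.0/24 (RA) and 192.168.2.0/24 (RB), the tunnel addressing in 10.255.0.0/30 and 10.255.0.4/30, EIGRP AS 100, the `bandwidth` and DPD values. The ciphers are AES-256/SHA-256/group 14 instead of the DES/MD5/group 2 in the posted config, which are no longer considered safe; the pre-shared key `test` is kept only to match the thread and should be long and random in practice.

```cisco
! ---- Router RA (dual-homed: Fa0/0/0 = 2.2.2.2, Fa0/0/1 = 3.3.3.3; assumed mapping) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key test address 1.1.1.1
! DPD: a dead peer tears the SA down, and the VTI line protocol goes down with it
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
! The WAN interfaces no longer carry "crypto map cm-cryptomap"
interface FastEthernet0/0/0
 ip address 2.2.2.2 255.255.255.248
!
interface FastEthernet0/0/1
 ip address 3.3.3.3 255.255.255.248
!
interface Tunnel0
 description primary VTI to RB, sourced from 2.2.2.2
 ip address 10.255.0.1 255.255.255.252
 bandwidth 10000
 tunnel source FastEthernet0/0/0
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel1
 description backup VTI to RB, sourced from 3.3.3.3
 ip address 10.255.0.5 255.255.255.252
 bandwidth 10000
 delay 60000
 tunnel source FastEthernet0/0/1
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Routing protocol picks the tunnel: Tunnel0 wins on metric, Tunnel1 takes over
! when Tunnel0's line protocol drops (DPD or interface failure)
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
!
! ---- Router RB (single WAN: Fa0/0/0 = 1.1.1.1) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key test address 2.2.2.2
crypto isakmp key test address 3.3.3.3
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
interface FastEthernet0/0/0
 ip address 1.1.1.1 255.255.255.248
!
interface Tunnel0
 description primary VTI to RA 2.2.2.2
 ip address 10.255.0.2 255.255.255.252
 bandwidth 10000
 tunnel source FastEthernet0/0/0
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel1
 description backup VTI to RA 3.3.3.3
 ip address 10.255.0.6 255.255.255.252
 bandwidth 10000
 delay 60000
 tunnel source FastEthernet0/0/0
 tunnel destination 3.3.3.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
```

Because each router's two tunnels use different source/destination pairs, the profile does not need the `shared` keyword. Verify with `show crypto session`, `show ip eigrp neighbors` and `show ip route 192.168.2.0` on RA: the route should point at Tunnel0, and shutting FastEthernet0/0/0 on RA should move it to Tunnel1 once DPD has cleared the old SA.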

This is such great info. Thanks Iwen.

Hi Iwen,

Hmm... for this config, there will be 2 tunnels formed for 1 network, right? But how is the load sharing / prioritization done?

crypto map cm-cryptomap 2 ipsec-isakmp
 set peer 2.2.2.2
 set peer 3.3.3.3
 set transform-set cm-transformset-1
 match address 105

Depending on your environment, there can be two tunnels at the same time. But there is no load-balancing.

  1. You can add the keyword "default" to one of the peers, then this peer will be the default one and is always the one the router prefers.
  2. With two internet connections, the routing controls where the traffic will be sent out. If the peer only has one public IP, this IP will only be reached through one of your public interfaces, based on your default route.
  3. If there are two tunnels to the same network active at the same time, the router will send outgoing traffic through the tunnel that had the last incoming packet.
  4. For best redundancy and ease of operation, the site with the two internet links could be equipped with two routers, one for each link. With that you can point half of your branches to the first router and the other half to the second router.

Thanks for your guidance Iwen. :)
By the way, say if I use IP SLA with route tracking (pinging public DNS from router RA sourcing the WAN interfaces), and set the cost for the default route to 2.2.2.2/29 to be lower. On the other end, set the router RB crypto map peer 2.2.2.2 default. Does this mean the tunnel formed between 3.3.3.3/29 and 1.1.1.1/29 will stay idle until WAN 2.2.2.2/29 cannot ping the public DNS, and 3.3.3.3/29 will take over to route the traffic?

Thanks first.
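The crypto-map variant discussed in the two posts above (the "default" peer keyword from point 1 of Iwen's reply, and the IP SLA route tracking Kerk describes), written out as an added example; it is not configuration from either poster. On RA the primary default route via the 2.2.2.0/29 next hop is withdrawn when the SLA probe fails and a floating default via 3.3.3.0/29 takes over, so RA's traffic, and therefore its IKE negotiation, leave from 3.3.3.3 instead of 2.2.2.2. On RB a single crypto map sequence lists both peers with 2.2.2.2 marked `default`, as the accepted answer and the follow-up reply describe. DPD is added on both sides so RB notices that the SA to 2.2.2.2 is dead instead of waiting for it to expire. Assumed and not from the page: the next hops 2.2.2.1 and 3.3.3.1, the probe target 198.51.100.1 (a documentation address standing in for "public DNS"; pick something you do not also depend on for name resolution), the LAN prefixes behind each router, the contents of ACL 105, and the timers. The ciphers are AES-256/SHA-256/group 14 rather than the DES/MD5/group 2 of the posted config, which are no longer considered safe. Whether the 3.3.3.3 tunnel stays completely idle while the primary link is healthy, as the last post asks, is not answered in the thread, and this configuration does not assert it.

```cisco
! ---- Router RA (dual WAN: Fa0/0/0 = 2.2.2.2, Fa0/0/1 = 3.3.3.3; assumed mapping) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key test address 1.1.1.1
! DPD: tear the SA down when the peer stops answering
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
crypto map cm-cryptomap 5 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS-AES
 match address 105
!
! Traffic to protect: RA LAN -> RB LAN (assumed prefixes)
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Same map on both WAN interfaces; IKE is sourced from whichever interface
! the routing table picks for 1.1.1.1
interface FastEthernet0/0/0
 ip address 2.2.2.2 255.255.255.248
 crypto map cm-cryptomap
!
interface FastEthernet0/0/1
 ip address 3.3.3.3 255.255.255.248
 crypto map cm-cryptomap
!
! Probe the primary path every 10 s from the primary WAN address
ip sla 1
 icmp-echo 198.51.100.1 source-ip 2.2.2.2
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Pin the probe target to the primary next hop; without this the probe would
! also succeed over the backup link after the default flips and the track would flap
ip route 198.51.100.1 255.255.255.255 2.2.2.1
!
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Primary default (AD 1) is removed when track 1 goes down; floating default (AD 10) takes over
ip route 0.0.0.0 0.0.0.0 2.2.2.1 track 1
ip route 0.0.0.0 0.0.0.0 3.3.3.1 10
!
! ---- Router RB (single WAN: Fa0/0/0 = 1.1.1.1) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key test address 2.2.2.2
crypto isakmp key test address 3.3.3.3
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
! One sequence, two peers: RB tries 2.2.2.2 first and falls back to 3.3.3.3
! only when that negotiation fails
crypto map cm-cryptomap 2 ipsec-isakmp
 set peer 2.2.2.2 default
 set peer 3.3.3.3
 set transform-set TS-AES
 match address 105
!
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface FastEthernet0/0/0
 ip address 1.1.1.1 255.255.255.248
 crypto map cm-cryptomap
```

To exercise the failover, block ICMP to the probe target on the primary ISP link (or shut FastEthernet0/0/0 on RA) and watch `show track 1`, `show ip route 0.0.0.0` and `show crypto session` on both routers: RA's default should move to 3.3.3.1 after the `delay down` period, and the next interesting packet should bring up a session between 3.3.3.3 and 1.1.1.1 once DPD has cleared the old one on RB.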