02-28-2014 02:15 AM - edited 02-21-2020 07:32 PM
Hi all,
I have a customer connected to my company with a site to site ipsec vpn tunnel. This customer wants to have a second router that works as backup in case that the first router fails.
I'm working with ipsec VRF-aware and I have configured a profile for this customer and I want to configure both peers in the same crypto map.
My questions are:
1. Is it possible to configure in the crypto isakmp profile two "match identity address" for two different peers?
2. Is it possible to configure in the crypto keyring two "pre-shared-key address" for two different peers? Can I use the same pre-shared keys for both?
3. If I configure "set peer 1.1.1.1 default" and this peer fails, the connection will be established with the second peer. What happens if the default peer is available again? Does the VPN tunnel remain on 1.1.1.2, or will the VPN tunnel be closed and a new connection started to the default peer?
4. What happens if the peers are configured without "default"? The first peer fails, then the connection will be established with the second one, and if the second one fails the connection will be established with the first one, and so on?
This is my configuration
ip vrf customer
 rd 5:5
 route-target export 5:5
 route-target import 5:5
crypto map mymap 90 ipsec-isakmp
 set peer 1.1.1.1
 set peer 1.1.1.2
 set transform-set tset_3des-sha
 set isakmp-profile isakmp_ABC
 match address acl_ABC
crypto isakmp profile isakmp_ABC
 vrf customer
 keyring kring_ABC
 self-identity address
 match identity address 1.1.1.1 255.255.255.255
 match identity address 1.1.1.2 255.255.255.255 -> is it possible to configure ???
 keepalive 10 retry 2
crypto keyring kring_ABC
 pre-shared-key address 1.1.1.1 key cisco
 pre-shared-key address 1.1.1.2 key cisco -> is it possible to configure?
crypto map mymap 90 ipsec-isakmp
Thanks in advance for your help !
02-28-2014 04:51 AM
The answer to most questions is "yes, it's possible and it will/should work".
For "set peer" behavior: we do not support preemption in IPsec (AFAIU).
Have a look at:
03-06-2014 12:57 AM
Hi,
Great !! Thanks for your answer. It works.
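An added example, not part of the thread and not Cisco code: a small offline check that every "set peer" in a crypto map entry has both a "match identity address" host line in the referenced ISAKMP profile and a "pre-shared-key address" line in that profile's keyring, and that reports peers sharing one key. The helper names and the sample text are hypothetical, and only host entries written in the form used in the configuration above are recognised.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the thread; 1.1.1.2 lacks a "match identity" line.
SAMPLE = """\
crypto keyring kring_ABC
 pre-shared-key address 1.1.1.1 key cisco
 pre-shared-key address 1.1.1.2 key cisco
crypto isakmp profile isakmp_ABC
 keyring kring_ABC
 match identity address 1.1.1.1 255.255.255.255
crypto map mymap 90 ipsec-isakmp
 set peer 1.1.1.1
 set peer 1.1.1.2
 set isakmp-profile isakmp_ABC
"""

def sections(config):
    """Group indented sub-commands under their top-level command line."""
    out, parent = defaultdict(list), None
    for line in config.splitlines():
        if line[:1].isspace() and parent:
            out[parent].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            parent = line.strip()
    return out

def grab(lines, pattern):  # capture groups of every line matching pattern
    return [m.groups() for l in lines if (m := re.match(pattern, l))]

def audit(config):
    """Return (peer, finding) pairs for each crypto map entry's peers."""
    sec, findings = sections(config), []
    for head in [h for h in sec if h.startswith("crypto map ")]:
        peers = [p for (p,) in grab(sec[head], r"set peer (\S+)")]
        prof = grab(sec[head], r"set isakmp-profile (\S+)")
        pbody = sec.get("crypto isakmp profile " + prof[0][0], []) if prof else []
        idents = {a for (a,) in grab(pbody, r"match identity address (\S+) 255\.255\.255\.255")}
        ring = grab(pbody, r"keyring (\S+)")
        kbody = sec.get("crypto keyring " + ring[0][0], []) if ring else []
        keys = dict(grab(kbody, r"pre-shared-key address (\S+) key (\S+)"))
        by_key = defaultdict(list)  # key value (None if missing) -> peers
        for p in peers:
            if p not in idents:
                findings.append((p, "no match identity in profile"))
            by_key[keys.get(p)].append(p)
        findings += [(p, "no pre-shared key in keyring") for p in by_key.pop(None, [])]
        findings += [(",".join(ps), "peers share one pre-shared key")
                     for ps in by_key.values() if len(ps) > 1]
    return findings
```

Calling `audit(SAMPLE)` returns the gap for 1.1.1.2 and the shared-key note; a crypto map entry that appears twice in the text, as in the configuration above, is merged into one section.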