Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
867
Views
0
Helpful
2
Replies

Keep few site-site IPSEC VPN tunnels inactive

Imran Ahmad
Level 2
Level 2

‎01-08-2014 06:10 AM - edited ‎02-21-2020 07:26 PM

Hello,

I have 50 active site-to-site ipsec tunnels.  I want to keep 3 of the established tunnels Inactive due to some reasons. and I want to be able to activate those 3-tunnels while required.

i want to know is it possible to do such ?  please advise me

Thanks       

Labels:
0 Helpful
2 Replies 2

Collin Clark
VIP Alumni
VIP Alumni

‎01-08-2014 08:30 AM

There is no "inactive" for VPN, so what I usually do is remove the peer from the crypto map.

Hope it helps.

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni

‎01-08-2014 12:37 PM

Hi,

I would probably personally use the above suggested way.

I am not sure why you would want to do what you describe.

I guess if you wanted other options you could consider some of the following options

  • VPN Filter / interface ACL
    • With this option you could stop traffic from leaving from your network to the L2L VPN connection or traffic coming from the L2L VPN from going through your firewall. Naturally this would not help much if you option was to keep the VPN connection itself down completely
  • Time Based ACL
    • You could probably use ACL statements that use a time range if your aim was to control traffic flow during some hours of the day. I have not used these type of ACLs that much myself so I am not sure if they are convinient in your setup.

I was also wondering if setting the L2L VPN connection in the "crypto map" configurations as "originate-only" would give you any options of keeping the L2L VPN down until you want to bring it up. Again a command that I have not had to use myself.

I guess how you should do this depends on the actual situation and reason you are wanting to do this.

The above suggested way is very simple. Though you should backup your "crypto map" configurations before removing anything so you can keep a track where you need to add the peer IP again when you want it working.

If the VPN can be up but you want to limit traffic then an ACL statement that you would activate and make inactive might also be a solution.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents