
% NOTE: crypto map is configured on tunnel or port-channel interface.

red2play
Level 1

Looking for redundancy for our IPSEC VPN concentrator (8500) (one of its functions) and you can't configure IPSEC tunnels on a port-channel. I really don't like HSRP for many reasons; when one interface loses contact, it often conflicts with each other.


balaji.bandi
Hall of Fame

I am not aware that you can use a port-channel for IPSEC.

By the way, what is the use case / challenge you are trying to solve here?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

This is an IPSEC tunnel between us and a partner. I want to set up the IPSEC with as much redundancy as possible. We are trying to achieve 5 9's but can settle with 4 9's, but uptime is essential because we have production tied to the connectivity to the partner.

 

I have two 8500L's primarily as VPN concentrators to achieve the above and I'm, again, looking to set up the optimal uptime solution. Having the connections on a port-channel to our Internet switch (in case one fiber goes down) would have been optimal, and then only when both connections go down would the backup 8500L take over through IPSEC failover, in which we give our partner the IPs to fail over with.

If you can configure a tunnel and make the tunnel source a loopback, then apply IPsec over this tunnel.

@red2play not enough information on your setup to provide a detailed response.

You should not be looking to implement a crypto map VPN design, as crypto maps have been deprecated by Cisco on IOS-XE routers. You can implement a route-based VPN design using either FlexVPN or DMVPN; both support dual hubs. Tunnels can be active/active or active/backup.

Can you Tie the FlexVPN Tunnel port to a Port-Channel?

Not that I am aware that works.

BB