10-12-2023 09:37 AM
Looking for redundancy for our IPSEC VPN concentrator (8500) (one of its functions) and you can't configure IPSEC tunnels on a port-channel. I really don't like HSRP, for many reasons: when one interface loses contact, they often conflict with each other.
10-12-2023 09:40 AM
Not that I am aware you can port-channel for IPSEC.
By the way, what is the use case / challenge you are trying to solve here?
10-12-2023 10:26 AM
This is an IPSEC tunnel between us and a partner. I want to set up the IPSEC with as much redundancy as possible. We are trying to achieve 5 9's but can settle for 4 9's, but uptime is essential because we have production tied to the connectivity to the partner.
I have two 8500Ls primarily as VPN concentrators to achieve the above and I'm, again, looking to set up the optimal uptime solution. Having the connections on a port-channel to our Internet switch (in case one fiber goes down) would have been optimal, and then only when both connections go down would the backup 8500L take over through IPSEC failover, in which we give our partner the IPs to fail over with.
10-12-2023 11:27 AM
If you can configure a tunnel and make the tunnel source a loopback,
then apply IPsec over this tunnel.
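The loopback-sourced tunnel suggested in the reply above, sketched as an IOS-XE route-based (VTI) configuration. This is an added example, not configuration from any poster in this thread: every name, the documentation-range addresses and the key placeholder are assumptions, and it assumes the loopback address is routed to this router and reachable by the partner.

```cisco
! Added example: all names, addresses and keys below are placeholders.
! IKEv2 proposal/policy using AEAD (GCM needs a PRF, no separate integrity)
crypto ikev2 proposal PARTNER-PROP
 encryption aes-gcm-256
 prf sha384
 group 20
crypto ikev2 policy PARTNER-POL
 proposal PARTNER-PROP
!
crypto ikev2 keyring PARTNER-KR
 peer PARTNER
  address 203.0.113.10
  pre-shared-key local <PSK-PLACEHOLDER>
  pre-shared-key remote <PSK-PLACEHOLDER>
!
crypto ikev2 profile PARTNER-IKE
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 192.0.2.1
 authentication remote pre-share
 authentication local pre-share
 keyring local PARTNER-KR
 ! Dead peer detection so a dead peer is noticed and the SA torn down
 dpd 10 3 periodic
!
crypto ipsec transform-set PARTNER-TS esp-gcm 256
 mode tunnel
crypto ipsec profile PARTNER-IPSEC
 set transform-set PARTNER-TS
 set ikev2-profile PARTNER-IKE
!
! The tunnel endpoint lives on a loopback, not on a physical uplink,
! so the IKE/IPsec peer address does not depend on any single interface.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel10
 description Route-based IPsec tunnel to partner
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile PARTNER-IPSEC
```

After applying, `show crypto ikev2 sa` and `show crypto ipsec sa` confirm that the SAs are established with the loopback address as the local endpoint.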
10-12-2023 09:44 AM
@red2play not enough information on your setup to provide a detailed response.
You should not be looking to implement a crypto map VPN design as crypto maps have been deprecated by Cisco on IOS-XE routers. You can implement a route-based VPN design using either FlexVPN or DMVPN; both support dual hubs. Tunnels can be active/active or active/backup.
10-12-2023 12:01 PM
Can you Tie the FlexVPN Tunnel port to a Port-Channel?
10-13-2023 01:17 AM
Can you Tie the FlexVPN Tunnel port to a Port-Channel?
Not that I am aware that works.