08-30-2010 01:58 AM
Hi,
I have a Cisco 2851 (c2800nm-advipservicesk9-mz.124-25d.bin) Router configured with one site-to-site vpn. Is it possible to configure a failover vpn tunnel on this router?
09-02-2010 11:57 PM
Hi.
It's possible to do failover for VPN. What is your requirement? Do you have a redundant internet link? I have been working on VPN failover for more than 100 branches to HQ.
09-03-2010 12:19 AM
Yes, I have 2 ISPs. The VPN is configured with ISP-1, and ISP-2 is just lying idle, so I wanted to make use of it for VPN failover. Please let me know the configuration for the same.
09-03-2010 12:24 AM
Hi ,
There is not much that needs to be configured for the VPN. Create an ISAKMP policy, transform set, and crypto map, and apply it to the backup ISP interface.
Now the trick is to play around with the default routing.
Can you provide me your default routing config for both ISPs?
04-16-2011 08:32 AM
Dear all,
I would like to continue this question about VPN failover configuration. I would like to know how to configure VPN failover. At HQ I have one router and two connections (2 WAN), and at the branches I have one router and two connections too (2 WAN), and I want to do failover VPN over IPsec. So if any of you have a comment on this, please help to show me.
Best Regards,
Rechard
04-16-2011 12:15 PM
Anyone preparing for the CCIE Security lab knows that this is a very simple configuration. The key here is the "crypto map vpn local-address lo0" and that the loopback lo0 ip address must be reachable from both sides for the VPN to be established. Configuration is below:
HQ:
! Both ISP-facing interfaces carry the same crypto map
interface g0/0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map vpn
interface g0/0/1
 ip address 1.1.2.1 255.255.255.0
 crypto map vpn
! Loopback used as the VPN source address; must be reachable from the branch
interface lo0
 ip address 1.1.3.1 255.255.255.0
 crypto map vpn
! LAN interface
interface g0/0/2
 ip address 192.168.1.1 255.255.255.0
! Traffic to protect: HQ LAN to branch LAN
ip access-list extended branch_1
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! Pre-shared key is bound to the branch loopback address
crypto isakmp key cciesec2011 address 2.2.3.1 no-xauth
crypto isakmp policy 10
 authen pre
 hash sha
 encr aes 256
 group 5
 life 86400
crypto ipsec trans tset esp-aes 256 esp-sha-hmac
! Source IKE/IPsec from lo0 regardless of which ISP link is in use
crypto map vpn local-address lo0
crypto map vpn 10 ipsec-isakmp
 set peer 2.2.3.1
 set trans tset
 set pfs group5
 set security life sec 3600
 match add branch_1

branch_1:
! Both ISP-facing interfaces carry the same crypto map
interface g0/0/0
 ip address 2.2.1.1 255.255.255.0
 crypto map vpn
interface g0/0/1
 ip address 2.2.2.1 255.255.255.0
 crypto map vpn
! Loopback used as the VPN source address; must be reachable from HQ
interface lo0
 ip address 2.2.3.1 255.255.255.0
 crypto map vpn
! LAN interface
interface g0/0/2
 ip address 192.168.2.1 255.255.255.0
! Traffic to protect: branch LAN to HQ LAN
ip access-list extended HQ
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! Pre-shared key is bound to the HQ loopback address
crypto isakmp key cciesec2011 address 1.1.3.1 no-xauth
crypto isakmp policy 10
 authen pre
 hash sha
 encr aes 256
 group 5
 life 86400
crypto ipsec trans tset esp-aes 256 esp-sha-hmac
! Source IKE/IPsec from lo0 regardless of which ISP link is in use
crypto map vpn local-address lo0
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.3.1
 set trans tset
 set pfs group5
 set security life sec 3600
 match add HQ
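A consistency check for the two configurations above, as an added example that is not part of the original post: each side's `set peer` and pre-shared-key address must be the other side's `local-address` loopback IP, and the crypto ACLs must mirror each other. The function names and the trimmed, indented sample configs are assumptions made for this example.

```python
import re
# Constructed sample (assumption): only the posted lines that must agree.
HQ = """interface lo0
 ip address 1.1.3.1 255.255.255.0
ip access-list extended branch_1
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto isakmp key cciesec2011 address 2.2.3.1 no-xauth
crypto map vpn local-address lo0
crypto map vpn 10 ipsec-isakmp
 set peer 2.2.3.1
 match add branch_1
"""
BRANCH = """interface lo0
 ip address 2.2.3.1 255.255.255.0
ip access-list extended HQ
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp key cciesec2011 address 1.1.3.1 no-xauth
crypto map vpn local-address lo0
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.3.1
 match add HQ
"""

def one(pat, cfg):
    m = re.search(pat, cfg, re.M)
    if m is None:
        raise ValueError(f"config has no line matching {pat!r}")
    return m.group(1)

def parse(cfg):
    """Pull out the values that have to agree between the two peers."""
    src_if = one(r"^crypto map \S+ local-address (\S+)", cfg)
    acl = one(r"^\s*match add\S* (\S+)", cfg)
    body = one(rf"^ip access-list extended {re.escape(acl)}\n((?:\s+permit .*\n)+)", cfg)
    return {"local_ip": one(rf"^interface {re.escape(src_if)}\n\s*ip address (\S+)", cfg),
            "peer": one(r"^\s*set peer (\S+)", cfg),
            "key_addr": one(r"^crypto isakmp key \S+ address (\S+)", cfg),
            "acl": set(re.findall(r"permit ip (\S+ \S+) (\S+ \S+)", body))}

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means both ends agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for name, x, y in (("A", a, b), ("B", b, a)):
        for field in ("peer", "key_addr"):
            if x[field] != y["local_ip"]:
                problems.append(f"{name}: {field} {x[field]} != peer local-address IP {y['local_ip']}")
    if a["acl"] != {(dst, src) for src, dst in b["acl"]}:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Pointing `set peer` at a physical interface address such as 1.1.1.1 instead of the loopback is the mismatch this catches: the tunnel would then depend on a single ISP link.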
04-16-2011 06:02 PM
Dear Sir,
I'm glad to see your advice and your commands.
I would like to show my diagram, and I would like to do this on my diagram. Could you advise whether it is possible if I use interface lo0? If I have many branches, do I use interface lo0? And please let me know why we use interface lo0; I am not clear about this command.
Best Regards,
Rechard
06-06-2011 05:44 AM
Dear All,
Do you have any update on this?
It is very urgent!!! Please help!!!
Best Regards,
Rechard