03-08-2007 05:37 AM - edited 02-21-2020 02:54 PM
Hi,
Please bear with me as I am quite new to VPNs. I have an 837 ADSL router and would like to create two VPN tunnels back to different Juniper routers at the head office, with either VPN taking over if the other one fails. My questions:
1. Is this possible?
2. If it is, then are there any sample configs anywhere?
3. Will it be active/standby or can I load balance over the two VPNs?
Thanks and Regards
Andy.
03-08-2007 06:12 AM
This is possible. Do you have two public IP addresses on the router?
If not, you can create a crypto map with two set peers statements.
The tunnel would be active/standby type thing, not load balanced.
-Kanishka
03-08-2007 07:21 AM
Hi Kanishka,
Thanks for the reply, we have two routers at the head office each with their own public IP address, both with the same crypto key. What I was thinking from your reply was to have two set peer statements in the crypto map with one being marked as the default and also two crypto key statements, one for each peer IP? e.g.
crypto isakmp key Pre-Shared-Secret address x.x.x.1
crypto isakmp key Pre-Shared-Secret address x.x.x.2
crypto map static-map 1 ipsec-isakmp
 set peer x.x.x.1 default
 set peer x.x.x.2
Am I along the right lines here? Also if the default VPN fails, is there any way for the router to automatically fail back to the default when it comes back on-line? Someone has mentioned DPD?
Thanks for your help.
Regards
Andy.
03-08-2007 08:14 AM
You're absolutely right. Except for the fact that, in this case, the tunnel can be originated from this router only.
ISAKMP keepalives might help you, but they do not work with non-Cisco devices. So, in this case the "default" keyword will help you.
*Please rate if this helped.
-Kanishka
03-08-2007 06:59 AM
Hi Andy,
The requirement is: we need to have a tunnel with the other end that has 2 Juniper routers. At any given time the tunnel should be up with only one box. If one fails it should establish with the other.
If this is correct then it is possible. On your router, when you configure the crypto map, you will configure something like:
crypto map mymap 10 ipsec-isakmp
 set peer a.b.c.d
 set peer e.f.g.h
 set transform-set myset
 match address XXX
Where a.b.c.d is the IP of the primary Juniper router and e.f.g.h is of the secondary.
HTH,
Please rate if it helps,
Regards,
Kamal
03-12-2007 09:35 AM
Hi Kamal, Kanishka
We tried this over the weekend and had limited success. If we had a tunnel established and the primary went away, then the 837 would establish with the secondary tunnel, but only after a router reset (837). Similarly, if the primary came back, the only way to re-establish the tunnel with the primary was again a router (837) reset.
Is this just a function of the Cisco 837 talking to Junipers, or have I missed something? I can supply the config we are using if required.
Thanks for your help so far, it is much appreciated.
Regards
Andy.
03-12-2007 09:50 AM
Hi,
You might wanna go through this document:
Even though keepalives do not work with third-party vendor devices, you can still try implementing it.
*Please rate if helped.
-Kanishka
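The pieces discussed in this thread (two peers in one crypto map, the "default" keyword, and ISAKMP keepalives/DPD), put together as an added example that is not from any poster. The policy values, transform set, ACL 101 with its subnets, the timer values and the Dialer0 interface are assumptions; x.x.x.1 and x.x.x.2 are the thread's own placeholders, and whether the Juniper peers answer DPD is not established in the thread.

```cisco
! Added example, not from the thread. Phase 1 values are assumptions and
! must match what the Juniper peers are configured to accept.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! One pre-shared key entry per head-office peer (same key, as in the thread).
crypto isakmp key Pre-Shared-Secret address x.x.x.1
crypto isakmp key Pre-Shared-Secret address x.x.x.2
!
! DPD: probe every 10 s, retry every 3 s. "periodic" sends probes even when
! the tunnel is idle, so a dead peer is noticed without waiting for traffic.
! Without any keepalive the router keeps the stale SAs for the dead peer
! until they expire, which matches the "only after a reset" symptom.
crypto isakmp keepalive 10 3 periodic
!
! Transform set name follows the thread's example; algorithms are assumptions.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 ! Primary peer. "default" makes it the first choice for every new
 ! connection instead of the last peer that answered.
 set peer x.x.x.1 default
 ! Secondary peer, tried when the default peer is declared dead.
 set peer x.x.x.2
 ! Tear down SAs that carry no traffic for 120 s (assumed value); with
 ! "default" the next connection is directed to the default peer again.
 set security-association idle-time 120 default
 set transform-set myset
 match address 101
!
! Interesting traffic: branch LAN to head-office LAN (constructed subnets).
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! Assumed WAN interface for the 837's ADSL connection.
interface Dialer0
 crypto map mymap
```

After applying it, `show crypto isakmp sa` and `show crypto session` show which peer currently holds the tunnel, and `debug crypto isakmp` shows whether DPD probes are being answered by the remote side.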