VPN failover question.

Unanswered Question
Mar 8th, 2007
User Badges:


Please bear with me as I am quite new to VPN's. I have an 837 ADSL router and would like to create two VPN tunnels back to different Juniper routers at the head office, with either vpn taking over if the other one fails. My questions,

1. Is this possible?

2. If it is then is there any sample configs anywhere

3. Will it be active/standby or can I load balance over the two VPN's

Thanks and Regards


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
kaachary Thu, 03/08/2007 - 06:12
User Badges:
  • Cisco Employee,

This is possible. Do you have two public ip address on the Router ?

If not, you can create a crypto map with two set peers statements.

The tunnel would be active/standby type thing, not load balanced.


a-robinson Thu, 03/08/2007 - 07:21
User Badges:

Hi Kanishka,

Thanks for the reply, we have two routers at the head office each with their own public IP address, both with the same crypto key. What I was thinking from your reply was to have two set peer statements in the crypto map with one being marked as the default and also two crypto key statements one for each peer ip? e.g

crypto ipsec key Pre-Shared-Secret address x.x.x.1

crypto ipsec key Pre-Shared-Secret address x.x.x.2

crypto map static-map 1 ipsec-isakmp

set peer x.x.x.1 default

set peer x.x.x.2

Am I along the right lines here? Also if the default VPN fails, is there any way for the router to automatically fail back to the default when it comes back on-line? Someone has mentioned DPD?

Thanks for your help.



kaachary Thu, 03/08/2007 - 08:14
User Badges:
  • Cisco Employee,

You'r absolutely right. Except for the fact that, in this case, the tunnel can be originated from this router only.

Isakmp keepalives, might help you, but they do not work with the Non Cisco devices. So, in this case the "default" keyword will help you.

*Please rate if this helped.


Kamal Malhotra Thu, 03/08/2007 - 06:59
User Badges:
  • Cisco Employee,

Hi Andy,

The requirement is : We need to have a tunnel with the other end that has 2 Juniper routers. At any given time the tunnel should be up with only one box. If one fails it should establish with the other.

If the is correct then it is possible. On your router, when you configure the crypto map, you will configure something like :

crypto map mymap 10 ipsec-isakmp

set peer a.b.c.d

set peer e.f.g.h

set transform-set my set

match address XXX

Where a.b.c.d is the IP of the primary Juniper router and e.f.g.h is of the secondary.


Please rate if it helps,



a-robinson Mon, 03/12/2007 - 09:35
User Badges:

Hi Kamal,Kanishka

We tried this over the weekend and had limited success. If we had a tunnel established and the primary went away, then the 837 would establish with the secondary tunnel but only after a router reset (837) Similarly, if the primary came back the only way to re-establish the tunnel with the primary was again a router (837) reset.

Is this just a function of the cisco 837 talking to Juniper's or have I missed something. I can supply the config we are using if required.

Thanks for your help so far, it is much appreciated.




This Discussion