
VPN failover question.

a-robinson
Level 1

Hi,

Please bear with me as I am quite new to VPNs. I have an 837 ADSL router and would like to create two VPN tunnels back to different Juniper routers at the head office, with either VPN taking over if the other one fails. My questions:

1. Is this possible?

2. If it is, are there any sample configs anywhere?

3. Will it be active/standby, or can I load balance over the two VPNs?

Thanks and Regards

Andy.

6 Replies

kaachary
Cisco Employee

This is possible. Do you have two public IP addresses on the router?

If not, you can create a crypto map with two set peer statements.

The tunnel would be active/standby type thing, not load balanced.

-Kanishka

Hi Kanishka,

Thanks for the reply. We have two routers at the head office, each with their own public IP address, both with the same crypto key. What I was thinking from your reply was to have two set peer statements in the crypto map, with one being marked as the default, and also two crypto key statements, one for each peer IP, e.g.:

! pre-shared keys are configured under ISAKMP, not IPsec
crypto isakmp key Pre-Shared-Secret address x.x.x.1
crypto isakmp key Pre-Shared-Secret address x.x.x.2
crypto map static-map 1 ipsec-isakmp
 set peer x.x.x.1 default
 set peer x.x.x.2

Am I along the right lines here? Also, if the default VPN fails, is there any way for the router to automatically fail back to the default when it comes back online? Someone has mentioned DPD?

Thanks for your help.

Regards

Andy.

You're absolutely right, except for the fact that, in this case, the tunnel can be originated from this router only.

ISAKMP keepalives might help you, but they do not work with non-Cisco devices. So, in this case, the "default" keyword will help you.

*Please rate if this helped.

-Kanishka

Kamal Malhotra
Cisco Employee

Hi Andy,

The requirement is: we need to have a tunnel with the other end, which has two Juniper routers. At any given time the tunnel should be up with only one box. If one fails, it should establish with the other.

If this is correct then it is possible. On your router, when you configure the crypto map, you will configure something like:

crypto map mymap 10 ipsec-isakmp
 set peer a.b.c.d
 set peer e.f.g.h
 set transform-set myset
 match address XXX

Where a.b.c.d is the IP of the primary Juniper router and e.f.g.h is that of the secondary.

HTH,

Please rate if it helps,

Regards,

Kamal

Hi Kamal, Kanishka,

We tried this over the weekend and had limited success. If we had a tunnel established and the primary went away, the 837 would establish the secondary tunnel, but only after a router (837) reset. Similarly, if the primary came back, the only way to re-establish the tunnel with the primary was again a router (837) reset.

Is this just a function of the Cisco 837 talking to Junipers, or have I missed something? I can supply the config we are using if required.

Thanks for your help so far, it is much appreciated.

Regards

Andy.

Hi,

You might wanna go through this document:

http://cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00803f86ca.html#wp1066659

Even though keepalives do not work with third-party vendor devices, you can still try implementing them.

*Please rate if helped.

-Kanishka
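Pulling the thread together, here is a complete branch-side configuration of the kind discussed above (the two-peer crypto map from Kamal's reply, the "default" preferred-peer keyword from Kanishka's, and the DPD keepalive the original poster asked about). This is an added example written for this page, not a config from the thread, from Cisco, or from the poster's router. It assumes an IOS release that supports the IPsec Preferred Peer feature (the `default` keyword) and `crypto isakmp keepalive`; the peer addresses, networks, pre-shared key and the Dialer1 interface name are constructed placeholders. The point it adds to the thread is the part that explains the "only after a reset" behaviour: without DPD the 837 has no way to notice that the primary peer is gone, so the stale SA sits there until it expires or the box is reloaded.

```text
! Added example, not from the thread. Assumed: IOS with IPsec Preferred Peer
! support. Peers 203.0.113.1/.2, LANs 192.168.1.0/24 and 10.0.0.0/24, the
! key and Dialer1 are constructed placeholders.
!
! Phase 1 policy, shared by both head-office peers
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
!
! One pre-shared key entry per peer address (same key on both, as in the thread)
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
! Dead Peer Detection (RFC 3706): probe every 10 s, retry every 3 s once a
! reply is missed. "periodic" probes all the time rather than only when
! traffic is queued, so a dead primary is declared without a reload.
! This only helps if the Juniper side answers DPD; check with debugs.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set HQ-TS esp-3des esp-sha-hmac
!
! Interesting traffic: branch LAN to head-office LAN
ip access-list extended HQ-VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! Two peers in one crypto map entry. With "default" the router tries the
! primary first every time the SA is re-negotiated (e.g. at lifetime expiry),
! which is what brings the tunnel back to the primary once it returns.
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 203.0.113.1 default
 set peer 203.0.113.2
 set transform-set HQ-TS
 match address HQ-VPN-ACL
!
! Apply to the WAN (ADSL dialer) interface
interface Dialer1
 crypto map HQ-MAP
```

To see which peer the tunnel is currently up with, use `show crypto isakmp sa` and `show crypto ipsec sa`; the destination address in the output tells you whether you are on the primary or the secondary. `debug crypto isakmp` shows the DPD R-U-THERE / R-U-THERE-ACK exchange, so if the acknowledgements never come back from the Juniper you know the keepalive is not being honoured and failover will again depend on SA lifetime expiry. Keep the ISAKMP and IPsec lifetimes short enough that a fail-back to the primary happens in an acceptable time when DPD is not available.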
