Router based S2S VPN

Unanswered Question
Mar 30th, 2009
User Badges:

Hi All,

Please let me know how can we configure S2S to two different VPN peers from the same router and the source and destination encryption domain is also the same. Only difference is Peer IPs.

This is actually for DR.

Thanks in Advance.


Suresh Kumar

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2.5 (2 ratings)
Ivan Martinon Tue, 03/31/2009 - 10:52
User Badges:
  • Cisco Employee,

You can't configure this, if you define same source and destination for both tunnels with the router will always use the crypto that matches first on the vpn parsing, meaning the crypto map with the lower sequence number.

Sureshdank Tue, 03/31/2009 - 21:53
User Badges:

Hi Martino,

Thanks for the info. But is there any other way to this. The main aim is if S2S tunnel goes down the traffic should flow through alternate one which is to different peer IP.


Suresh Kumar

Ivan Martinon Wed, 04/01/2009 - 07:47
User Badges:
  • Cisco Employee,

In your situation, you can use GRE/IPSEC tunnel on both tunnels and let dynamic routing handle the failover situation, having 2 different peers, both having same network behind, you can easily define a gre/ipsec tunnel to redistribute via OSPF or eigrp or any Routing protocol you need, the same network, and make the failover condition to happen by setting a preferred path.

Sureshdank Tue, 04/07/2009 - 23:43
User Badges:

do you have any sample configuration for the above solution.

Jon Marshall Wed, 04/01/2009 - 11:28
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


An alternative to Ivan's approach is that you can specify multiple peers in the same crypto map entry so if the first peer goes down the second will be used. Basically the first peer to respond will be used -


Ivan Martinon Wed, 04/01/2009 - 11:44
User Badges:
  • Cisco Employee,

This however causes a bit of downtime, unlike GRE :)

Sureshdank Wed, 04/08/2009 - 23:39
User Badges:

When we configure multiple Peer ips

if the first peer is not reachable then it will take second peer IP and establish the S2S VPN.

Whether is there any way where in we can configure auto rollback to first peer ip.


This Discussion