VPN Design

Unanswered Question
Jul 25th, 2010


Looking for input

Is it possible to have two tunnels from each spoke to headquarters (hub site), with one tunnel active and the other tunnel inactive?

It would be GRE over IPsec (EIGRP or OSPF).

Spoke_1_Tunnel#1==============HQ_Hub1   ( Active Tunnel )
Spoke_1_Tunnel#2==============HQ_Hub2   ( Inactive Tunnel )

If the link at HQ for Hub#1 is down, then Tunnel#2 becomes active and all traffic flows over this tunnel.

initial_design attached

Richard Burts Sun, 07/25/2010 - 02:55


Yes, as long as it is 2 different routers at the Headquarters site it is quite possible for the spoke site to configure 2 IPSec/GRE tunnels running EIGRP or OSPF and to use one as primary and the other as a failover. I have configured this for a customer and it is working well.



saquib.tandel Sun, 07/25/2010 - 04:19

Hi Rick

What configuration would I need at HQ and the branch to make tunnel 2 the failover?

I couldn't find a similar scenario in the Cisco sample configs. Help with a sample config.

Sample configuration for (( SPOKE_))

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address
crypto isakmp key cisco address
!
crypto ipsec transform-set Hub_1 esp-3des esp-md5-hmac
crypto ipsec transform-set Hub_2 esp-3des esp-md5-hmac
!
crypto map VPN2INT 10 ipsec-isakmp
 set peer
 set transform-set Hub_1
 match address Hub1
crypto map VPN2INT 11 ipsec-isakmp
 set peer
 set transform-set Hub_2
 match address Hub2
!
interface Tunnel1
 ip address
 tunnel source FastEthernet0/1
 tunnel destination
!
interface Tunnel2
 ip address
 tunnel source FastEthernet0/1
 tunnel destination
!
ip access-list extended Hub2
 permit gre host host
ip access-list extended Hub1
 permit gre host host
!
interface FastEthernet0/1
 ip address
 crypto map VPN2INT
!
router eigrp 5
 network      ((// connects to backbone switch ))

Latchum Naidu Mon, 07/26/2010 - 07:27


Are you planning to go for DMVPN with the EIGRP / OSPF protocol running?



saquib.tandel Mon, 07/26/2010 - 22:49


Not planning for DMVPN, but would prefer to stay with GRE over IPsec.

Rick, any input?

Richard Burts Tue, 07/27/2010 - 05:19


This config looks pretty good. I have a couple of comments about it:

- The default bandwidth of a GRE tunnel is quite low. This has the potential to impact EIGRP, so I generally specify a bandwidth for the GRE tunnel.

- You specify 2 transform sets, but they specify the same transforms, so you only need a single transform set. The same set can be used for both peers.

- This configuration will run EIGRP over both tunnels, will treat them as equal-cost paths, and will load share (which is not necessarily a bad thing). But your original message described wanting a primary and a backup. To achieve this, configure an offset list under EIGRP and add something to the prefixes advertised over one of the tunnels to make it the backup tunnel (you can either do offset list in and out on the spoke, or do offset list in (or out) on both the spoke and the head end routers).

What you need for the Headquarters head end router would be quite similar:

- a single isakmp policy

- a single isakmp key per remote site

- a transform set

- a crypto map instance per remote site

- a GRE tunnel per remote site

- an access list per remote site

- a single crypto map assigned to the interface

- make sure that the tunnel address matches a network statement under EIGRP
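A worked version of the primary/backup design described in the two posts above, written as an added example for this thread (it is not the poster's config and not a Cisco sample config). The spoke carries both tunnels, uses a single transform set, sets an explicit tunnel bandwidth, and applies an EIGRP offset-list that penalises Tunnel2 so Hub1 stays primary until it fails; HQ_Hub1 is shown, and HQ_Hub2 is the mirror image with its own addresses. All addresses (192.0.2.0/24 spoke WAN, 203.0.113.0/24 hub WAN, 10.0.0.0/8 inside, 10.255.x.0/30 tunnel links), the PSK placeholder, the AES/SHA-256 proposal (IOS 15.x syntax) and the offset value are assumptions made for the example.

```cisco
! ===== SPOKE_1 (added example; RFC 5737 documentation addresses) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <REPLACE-WITH-STRONG-PSK> address 203.0.113.1
crypto isakmp key <REPLACE-WITH-STRONG-PSK> address 203.0.113.2
!
! One transform set serves both crypto map entries
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
!
crypto map VPN2INT 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-GRE
 match address GRE-TO-HUB1
crypto map VPN2INT 11 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-GRE
 match address GRE-TO-HUB2
!
! Only the GRE flow between the tunnel endpoints is encrypted
ip access-list extended GRE-TO-HUB1
 permit gre host 192.0.2.10 host 203.0.113.1
ip access-list extended GRE-TO-HUB2
 permit gre host 192.0.2.10 host 203.0.113.2
!
interface Tunnel1
 description Primary GRE/IPsec to HQ_Hub1
 bandwidth 10000
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.1
interface Tunnel2
 description Backup GRE/IPsec to HQ_Hub2
 bandwidth 10000
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.2
!
interface FastEthernet0/1
 description WAN
 ip address 192.0.2.10 255.255.255.0
 crypto map VPN2INT
!
! Hub addresses are reached via the WAN next hop, never learned through a tunnel
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
router eigrp 5
 network 10.0.0.0
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 ! Access list 0 means all routes; the offset is added to the EIGRP metric of
 ! prefixes received over and advertised out of Tunnel2, making it the backup
 offset-list 0 in 100000 Tunnel2
 offset-list 0 out 100000 Tunnel2
!
! ===== HQ_Hub1 (Hub2 identical with its own addresses; one block per spoke) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <REPLACE-WITH-STRONG-PSK> address 192.0.2.10
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
crypto map VPN2INT 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS-GRE
 match address GRE-TO-SPOKE1
ip access-list extended GRE-TO-SPOKE1
 permit gre host 203.0.113.1 host 192.0.2.10
interface Tunnel1
 description GRE/IPsec to Spoke_1
 bandwidth 10000
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 192.0.2.10
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN2INT
ip route 0.0.0.0 0.0.0.0 203.0.113.254
router eigrp 5
 network 10.0.0.0
 passive-interface default
 no passive-interface Tunnel1
```

To check the result on the spoke, `show ip eigrp topology` should list HQ prefixes with the Tunnel1 neighbor as successor and the Tunnel2 neighbor as feasible successor, and `show ip route` should show only Tunnel1 paths installed. When Hub1 dies, the GRE keepalive or the EIGRP hold timer takes Tunnel1 down and the Tunnel2 routes are installed; `show crypto session` confirms both IPsec SAs stay established throughout. Two design points matter for stability: the default route (or a specific static route) to the hub public addresses must not be learned over a tunnel, otherwise the tunnel destination recurses through the tunnel itself and flaps; and `passive-interface default` keeps EIGRP from forming adjacencies on the WAN or LAN interfaces while their networks are still advertised.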