VPN failover configuration in Cisco 2851

Anand Narayana
Level 6

Hi,

I have a Cisco 2851 (c2800nm-advipservicesk9-mz.124-25d.bin) router configured with one site-to-site VPN. Is it possible to configure a failover VPN tunnel on this router?


NAGISWAREN2
Level 1

Hi.

It's possible to do failover for VPN. What is your requirement? Do you have a redundant internet link? I have been working on VPN failover for more than 100 branches to HQ.

Regards, Nagis

Yes, I have 2 ISPs. The VPN is configured with ISP-1, and ISP-2 is just lying idle, so I wanted to make use of that for VPN failover. Please let me know the configuration for the same.

Hi ,

There is not much that needs to be configured in the VPN. Create an ISAKMP policy, transform set and crypto map, and apply the crypto map to the backup ISP interface.

Now the trick is to play around with the default routing.

Can you provide me your default routing config for both ISPs?

Regards, Nagis

Dear all,

I would like to continue asking about this VPN failover configuration question. I would like to know how to configure VPN failover. At HQ I have one router and two connections (2 WAN), and at the branches I have one router and two connections too (2 WAN), and I want to do failover VPN over IPsec. If any of you have a comment on this, please help by showing me.

Best Regards,

Rechard

Anyone preparing for the CCIE Security lab knows that this is a very simple configuration. The key here is the "crypto map vpn local-address lo0" and that the loopback lo0 IP address must be reachable from both sides for the VPN to be established. Configuration is below:

HQ:

interface g0/0/0 
  ip address 1.1.1.1 255.255.255.0
  crypto map vpn

interface g0/0/1
  ip address 1.1.2.1 255.255.255.0
  crypto map vpn

interface lo0
  ip address 1.1.3.1 255.255.255.0
  crypto map vpn

interface g0/0/2
  ip address 192.168.1.1 255.255.255.0

ip access-list extended branch_1
  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto isakmp key cciesec2011 address 2.2.3.1 no-xauth

crypto isakmp policy 10
  authen pre
  hash sha
  encr aes 256
  group 5
  life 86400

crypto ipsec trans tset esp-aes 256 esp-sha-hmac

! Use lo0's address as the local tunnel endpoint on whichever WAN link is up
crypto map vpn local-address lo0
crypto map vpn 10 ipsec-isakmp
  set peer 2.2.3.1
  set trans tset
  set pfs group5
  set security life sec 3600
  match add branch_1


branch_1:

interface g0/0/0 
  ip address 2.2.1.1 255.255.255.0
  crypto map vpn

interface g0/0/1
  ip address 2.2.2.1 255.255.255.0
  crypto map vpn

interface lo0
  ip address 2.2.3.1 255.255.255.0
  crypto map vpn

interface g0/0/2
  ip address 192.168.2.1 255.255.255.0

ip access-list extended HQ
  permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

crypto isakmp key cciesec2011 address 1.1.3.1 no-xauth

crypto isakmp policy 10
  authen pre
  hash sha
  encr aes 256
  group 5
  life 86400

crypto ipsec trans tset esp-aes 256 esp-sha-hmac

crypto map vpn local-address lo0
crypto map vpn 10 ipsec-isakmp
  set peer 1.1.3.1
  set trans tset
  set pfs group5
  set security life sec 3600
  match add HQ
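
The prerequisite stated in the answer above (each side peers with the other side's lo0 address, with the crypto map on both WAN links) can be checked before deployment. This is an added Python example, not part of the original post; the sample configs are constructed from the thread's addressing, `EXAMPLE-PSK` is a placeholder key, and the function names are hypothetical.

```python
def sample(wan1, wan2, lo, peer):
    """Constructed config in the thread's layout; the key is a placeholder."""
    return (f"interface g0/0/0\n ip address {wan1} 255.255.255.0\n crypto map vpn\n"
            f"interface g0/0/1\n ip address {wan2} 255.255.255.0\n crypto map vpn\n"
            f"interface lo0\n ip address {lo} 255.255.255.0\n"
            f"crypto isakmp key EXAMPLE-PSK address {peer} no-xauth\n"
            "crypto map vpn local-address lo0\n"
            f"crypto map vpn 10 ipsec-isakmp\n set peer {peer}\n")

def parse(cfg):
    """Extract the failover-relevant facts from IOS-style config text."""
    d = {"ip": {}, "mapped": set(), "local": None, "peer": None, "key": None}
    cur = None  # interface whose sub-commands are being read
    for line in filter(str.strip, cfg.splitlines()):
        w = line.split()
        if not line[0].isspace():  # a top-level command ends any interface block
            cur = w[1] if w[0] == "interface" and len(w) > 1 else None
        if cur and w[:2] == ["ip", "address"] and len(w) > 2:
            d["ip"][cur] = w[2]
        elif cur and w[:2] == ["crypto", "map"]:
            d["mapped"].add(cur)
        elif w[:2] == ["crypto", "map"] and "local-address" in w:
            d["local"] = w[-1]
        elif w[:2] == ["set", "peer"] and len(w) > 2:
            d["peer"] = w[2]
        elif w[:3] == ["crypto", "isakmp", "key"] and "address" in w[:-1]:
            d["key"] = w[w.index("address") + 1]
    return d

def check(name, me, other):
    """Findings for one side, judged against the other side's config."""
    out = []
    if me["ip"].get(me["local"]) is None:
        out.append(f"{name}: local-address interface missing or has no IP")
    if len(me["mapped"] - {me["local"]}) < 2:
        out.append(f"{name}: crypto map is not on both WAN interfaces")
    want = other["ip"].get(other["local"])  # remote tunnel endpoint (its lo0)
    for field in ("peer", "key"):
        if me[field] != want:
            out.append(f"{name}: {field} address {me[field]} != remote local-address {want}")
    return out

HQ = parse(sample("1.1.1.1", "1.1.2.1", "1.1.3.1", "2.2.3.1"))
# Constructed fault: the branch peers with HQ's first WAN address, not HQ's lo0.
BRANCH = parse(sample("2.2.1.1", "2.2.2.1", "2.2.3.1", "1.1.1.1"))

if __name__ == "__main__":
    for finding in check("HQ", HQ, BRANCH) + check("branch_1", BRANCH, HQ):
        print(finding)
```

A peer or key bound to a WAN address, as in the constructed branch fault, still brings the tunnel up on the primary link, so the mismatch only shows when that link fails.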

Dear Sir,

I'm glad to see your advice and your command.

I would like to show my diagram, and I would like to do this on my diagram. Could you advise whether it is possible if I use interface lo0? If I have many branches, do I use interface lo0? And please let me know why we use interface lo0; I am not clear about this command.

Best Regards,

Rechard

Dear All,

Do you have any update on this?

It is very urgent!!! Please help!!!

Best Regards,

Rechard
