how to disable a VPN tunnel - Site-to-Site

Unanswered Question
Jun 17th, 2014

Hello all!

I want to know how to disable a VPN.

I have a VPN configured and working fine. But, I needed to create a second VPN for the same company, just for backup, so, in that case, I have a different peer.

I want to configure that backup VPN, but I'm looking for a way to keep it disabled. For example, we can disable an ACL, we can disable a NAT... How do we disable a VPN?

The idea is that when I need the backup to work, I just enable it, something like this.

Thanks,


Diego

Marvin Rhoads Tue, 06/17/2014 - 16:28

You can just add a secondary peer address if all other parameters are the same. That way when the primary goes down, the VPN will automatically establish to the secondary with no manual intervention required. Something like:

crypto map VPNMAP 10 set peer 1.1.1.1 2.2.2.2

You will also need to have a tunnel-group for each peer with the same PSK set.
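
An added example, not part of the thread: a small Python check for the point in the reply above that every address in a crypto map's set peer list needs its own tunnel-group. The sample configuration is constructed (documentation addresses, a second map entry added for contrast) and the function names are hypothetical.

```python
import re

# Constructed sample ASA configuration; addresses are documentation ranges,
# not the peers from the thread. Peer order in "set peer" is the failover order.
SAMPLE_CONFIG = """\
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 192.0.2.1 198.51.100.2
crypto map VPNMAP 20 set peer 203.0.113.5
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key *****
"""

SET_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
L2L_GROUP = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def parse_peers(config):
    """Return {(map_name, seq): [peer, ...]} keeping the configured order."""
    peers = {}
    for line in config.splitlines():
        m = SET_PEER.match(line.strip())
        if m:
            key = (m.group(1), int(m.group(2)))
            peers.setdefault(key, []).extend(m.group(3).split())
    return peers


def parse_l2l_tunnel_groups(config):
    """Return the set of peer addresses that have a LAN-to-LAN tunnel-group."""
    groups = set()
    for line in config.splitlines():
        m = L2L_GROUP.match(line.strip())
        if m:
            groups.add(m.group(1))
    return groups


def missing_tunnel_groups(config):
    """Map each crypto map entry to its peers that lack a tunnel-group."""
    groups = parse_l2l_tunnel_groups(config)
    report = {}
    for entry, plist in parse_peers(config).items():
        missing = [p for p in plist if p not in groups]
        if missing:
            report[entry] = missing
    return report
```

The pre-shared keys are not compared here because a saved running configuration shows them masked; confirming that both peers use the same PSK has to be done on the device.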

Diego Maciel Gomes Tue, 06/17/2014 - 19:22

Hi Marvin, thanks for the help too!

I did not know about a secondary peer. I will insert the secondary in the respective crypto map. I will take a look at the tunnel-group!

But if the protected traffic is different in the remote network, can I not use it? Because in Production the remote network is X and in the backup VPN the remote network is Y, so they are different.

Marvin Rhoads Wed, 06/18/2014 - 07:11

You're welcome.

If there are different subnets on each, you can't use it without some changes.

What you could do is just make the single access list / cryptomap include both sets of subnets. Whether or not that would suit would depend on how the applications and systems that use the network fail over.

nkarthikeyan Tue, 06/17/2014 - 19:06

Hi,

You can configure the backup VPN as suggested by Marvin. But to bring the primary down, you clear the VPN peer and test once you have the backup tunnel ready.

Regards

Karthik

Diego Maciel Gomes Fri, 06/20/2014 - 09:33

Thanks guys!

With your help, I made a plan for it and I will test it next weekend!

I will post it on Monday!!

Thanks one more time!

Diego

Diego Maciel Gomes Sun, 06/22/2014 - 07:28

Hello Guys!

I configured the new tunnel, with the same PSK.

I edited the crypto map and inserted the new Peer Bkp.

I noticed that a new Connection Profile was created... so I went in to check, and when I tried to change the options inside, just to check, I received some messages, which are attached... Is it normal???

I changed the IPs for "Peer Prod" and "Peer Bkp" just for security.

The same message appears when I try to edit the Peer Prod Connection Profile as well.

Thanks!

Diego
