I have two offices which are linked by a vpn connection using Cisco 857 routers. The broadband connection isn't very reliable, so both offices have had a second broadband line installed (through a different ISP).
Each office now has two Cisco routers, both configured with a VPN tunnel to each Cisco router in the other office.
In office A, both Cisco routers have an internal IP of 192.168.2.1
In office B, both Cisco routers have an internal IP of 192.168.3.1
Only one router at each office is switched on at any time. The idea is, should the broadband connection drop in either office, the appropriate router can be switched off, and the other router switched on. It would then establish a VPN connection with whichever VPN tunnel was available.
I have tested this, but it is not working as expected.
Office A can make a successful VPN tunnel to office B when both use router A
When the router at either end is changed, the VPN tunnels cannot be established. However,
Office A can make a successful VPN tunnel to office B when both use router B
Is it possible to achieve this?
I suggest you configure HSRP on the LAN interface between the two routers so that you don't need to manually switch off the router. As for why the VPN is not working, I still need the following info:
- current config on all 4 routers
- debug output of "debug crypto isa sa" and "debug crypto ipsec sa" when vpn is not working.
The config looks good if you did not make any typos in the IP addresses. Let's try the following.
1. establish VPN on routerA between office A and B.
2. enable debug on router A at office A and router B at office B
- debug crypto isa
- debug crypto ipsec
3. shut down router A at office B. I am not sure how the traffic is sent between office A and B. But if you use a PC in the inside network, you need to pay attention to its ARP entry for the default gateway IP. It might still point to router A. That's why I suggest you use HSRP here. Remember that you must have the related traffic to bring up the VPN.
4. The debug output from both sides should give us a clue on why the VPN between router A and router B could not be established. HTH.
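The HSRP setup suggested above, written out as an added example (it is not configuration posted in this thread). It assumes the office A routers get distinct real LAN addresses (192.168.2.2 and 192.168.2.3, constructed here) and share 192.168.2.1 as the HSRP virtual address, that Vlan1 is the LAN interface and Dialer0 the broadband interface on each 857, and that the IOS image on the 857 supports HSRP (the thread leaves that question open, so check it on your own image first). Because the PCs ARP for the virtual address and HSRP answers with a virtual MAC (0000.0c07.ac01 for group 1) that moves with the active router, their default-gateway ARP entry stays valid after a failover, which is the stale-ARP problem described in step 3.

```cisco
! ---- Office A, first router (preferred active) ----
interface Vlan1
 ! real address, unique per router; the crypto ACLs still match 192.168.2.0/24
 ip address 192.168.2.2 255.255.255.0
 ! shared gateway address that the PCs use as default gateway
 standby 1 ip 192.168.2.1
 ! higher priority than the peer, so this router is active when both are healthy
 standby 1 priority 110
 ! take the active role back once this router (and its broadband line) recovers
 standby 1 preempt
 ! if the broadband interface goes down, drop priority by 20 (110 -> 90),
 ! which is below the peer's 100, so the peer becomes active
 standby 1 track Dialer0 20
 ! faster failure detection than the defaults (hello 1 s, hold 3 s)
 standby 1 timers 1 3

! ---- Office A, second router (standby) ----
interface Vlan1
 ip address 192.168.2.3 255.255.255.0
 standby 1 ip 192.168.2.1
 ! default priority 100; becomes active only when the peer is down or tracking
 ! has lowered the peer's priority below 100
 standby 1 preempt
 standby 1 track Dialer0 20
 standby 1 timers 1 3
```

Office B mirrors this with 192.168.3.1 as the virtual address. After applying it, `show standby brief` on each router shows which one is active and whether tracking has decremented its priority; pulling the broadband line on the active router should flip the active role within the hold time without touching the PCs' ARP caches.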
Thanks for the advice. I will try the vpn test as soon as I can.
I have not used or configured HSRP before. I am not sure whether it is supported on my router (857). Is there an easy command I can issue to test?
If there is no traffic, will the VPN still be established? Or must there be some traffic first?
Here is the link to HSRP
No, the VPN won't be established until you initiate traffic which needs to go through the VPN tunnel.