Has anyone successfully managed to configure a high availability VPN using two ISPs connected with site-to-site IOS routers? I want to install two different ISPs at a remote location and have the VPN tunnel re-establish if the primary internet connection goes down. I have read the white paper, and it deals mainly with a redundant home site using two routers. I would like to set up something similar with one router at each location, but have two Internet connections at the remote site. I currently have it working with one internet connection, and ISDN backup. I am running EIGRP across a GRE tunnel and have floating static routes to bring up my ISDN. My main problem is with routing and default routes. I need to be able to change my default route to the backup ISP when the first fails, but I can't run any type of dynamic routing protocol, such as BGP, since I am using cable modem/DSL. This is necessary in order to establish the crypto tunnel.
I have simulated two ISP connections connected to a hub with an uplink to the external side of a 2621 with two IP addresses primary/secondary. I figured that I could assign IPs from both ISPs to the external interface and set two routes to my HQ peer with equal metrics to the default gateways of their respective ISPs. However, it only seems like the primary address is ever tried for the tunnel creation, even if the link is down. How can I get it to fail over to the secondary IP and try to establish the tunnel, using the second route to the peer, when the first ISP link goes down?
Won't defining multiple peers in the crypto map statement solve the problem? You are allowed to define multiple peers using the crypto map set peer command. With this configuration, in the case that the first peer is unavailable, the second peer will be tried. If that too fails, the third peer will be tried and so on. For example:
router (config-crypto-map)#set peer 10.10.10.1
router (config-crypto-map)#set peer 10.10.11.1
Of course, you will still need to know if the remote network is up or down. If the only problem that you are faced with has to do with using a dynamic routing protocol, you could go ahead and use it and then play with the timers to minimise the link utilization, or consider something like snapshot routing. The problem won't go away entirely, but it will be reduced to a great extent. The only other way you seem to have is manual intervention.
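The following is an added example, not a configuration from either poster, showing how the multiple-peer idea from the answer above fits together with the floating static routes the question already uses. It puts one ISP on each of two WAN interfaces of the remote router, applies the same crypto map to both so the IPsec source address follows whichever default route is active, and lets the HQ router accept the tunnel from either remote address. The "is the primary link up?" question is answered with IP SLA object tracking, which is not mentioned in the thread and is an assumption here (it requires an IOS that supports ip sla/track; older 12.x images use ip sla monitor or rtr instead). All addresses, interface names, the ACL and the pre-shared key placeholder are constructed.

```cisco
! ===== Remote router (two ISPs) =====
! Constructed addressing (RFC 5737 ranges):
!   ISP1 gateway 203.0.113.1, our ISP1 address 203.0.113.2
!   ISP2 gateway 198.51.100.1, our ISP2 address 198.51.100.2
!   HQ router public address 192.0.2.10
!
! IP SLA probe: ping a target behind ISP1 so that a dead upstream, not only a
! dead gateway, is noticed. Probing the gateway itself only detects the last hop.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default route is withdrawn when the probe fails;
! the floating static (AD 250) via ISP2 then takes over.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! <PRESHARED_KEY> is a placeholder; set a strong key on both ends.
crypto isakmp key <PRESHARED_KEY> address 192.0.2.10
! Dead Peer Detection tears down SAs tied to the failed interface so a
! fresh negotiation from the backup address is not blocked by stale state.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN-ACL
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS
 match address VPN-ACL
!
! The same crypto map on both WAN interfaces: whichever interface the
! active default route points out of becomes the IPsec source.
interface FastEthernet0/0
 description ISP1 (primary)
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
!
interface FastEthernet0/1
 description ISP2 (backup)
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN

! ===== HQ router (single ISP) =====
! Accept the tunnel from either remote address; the set peer list is what
! the answer above refers to.
crypto isakmp key <PRESHARED_KEY> address 203.0.113.2
crypto isakmp key <PRESHARED_KEY> address 198.51.100.2
crypto isakmp keepalive 10 3
!
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-ACL
```

When ISP1 fails, track 1 goes down, the tracked default route disappears, the floating route via ISP2 is installed, and the next interesting packet triggers a new IKE negotiation sourced from 198.51.100.2, which the HQ crypto map accepts because that address is in its peer list. Check the state with show track, show ip route 0.0.0.0, show crypto isakmp sa and show crypto ipsec sa; the DPD settings bound how long the HQ side keeps the old SA before it can accept the replacement. The GRE-plus-EIGRP design in the question would additionally need the tunnel source to move with the active ISP (for example two GRE tunnels, one per ISP, carried inside the same IPsec policy), which this example leaves out.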