

High Availability VPN

Has anyone successfully managed to configure a high availability VPN using two ISPs connected with site-to-site IOS routers? I want to install two different ISPs at a remote location and have the VPN tunnel re-establish if the primary internet connection goes down. I have read the white paper, and it deals mainly with a redundant home site using two routers. I would like to setup something similar with one router at each location, but have two Internet connections at the remote site. I currently have it working with one internet connection, and ISDN backup. I am running EIGRP across a GRE tunnel and have floating static routes to bring up my ISDN. My main problem is with routing and default routes. I need to be able to change my default route to the backup ISP when the first fails, but I can't run any type of dynamic routing protocol, such as BGP, since I am using cable modem/DSL. This is necessary in order to establish the crypto tunnel.

I have simulated two ISP connections connected to a hub with an uplink to the external side of a 2621 with two IP addresses primary/secondary. I figured that I could assign IPs from both ISPs to the external interface and set two routes to my HQ peer with equal metrics to the default gateways of their respective ISPs. However, it only seems like the primary address is ever tried for the tunnel creation, even if the link is down. How can I get it to fail over to the secondary IP and try to establish the tunnel, using the second route to the peer, when the first ISP link goes down?

Any ideas are appreciated.


Billy Dedek


Re: High Availability VPN

Won't defining multiple peers in the crypto map statement solve the problem? You are allowed to define multiple peers using the crypto map set peer command. With this configuration, in the case that the first peer is unavailable, the second peer will be tried. If that too fails, the third peer will be tried, and so on. For example:

router (config-crypto-map)#set peer

router (config-crypto-map)#set peer

Of course, you will still need to know if the remote network is up or down. If the only problem that you are faced with has to do with using a dynamic routing protocol, you could go ahead and use it and then play with the timers to minimise the link utilization, or consider something like snapshot routing. The problem won't go away entirely, but it will be reduced to a great extent. The only other way you seem to have is manual intervention.
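To make the multiple-peer suggestion concrete, here is an added illustration of how the two ends might be configured; it is not configuration from the original thread or from Cisco documentation. All addresses are constructed from documentation ranges (192.0.2.0/24 for the HQ side, 198.51.100.0/24 and 203.0.113.0/24 for the two ISPs at the remote site), the map and transform-set names and the LAN prefixes are assumed, and the pre-shared key is a placeholder. The HQ router lists both remote-site addresses as peers, so whichever ISP the remote router is currently sourcing from can bring the tunnel up; the remote router keeps the floating static default routes the question already uses, so its outbound path moves to the second ISP when the primary route is withdrawn.

```cisco
! ===== HQ router (constructed example; single ISP, address 192.0.2.1) =====
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! One key line per possible remote-site address
crypto isakmp key REPLACE-WITH-REAL-KEY address 198.51.100.10
crypto isakmp key REPLACE-WITH-REAL-KEY address 203.0.113.10
! Keepalives let the router notice a dead peer and move to the next one
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS-REMOTE esp-aes esp-sha-hmac
!
! Two "set peer" lines: the first is tried first, the second only if it fails
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set peer 203.0.113.10
 set transform-set TS-REMOTE
 match address VPN-TRAFFIC
!
! Interesting traffic: HQ LAN to remote LAN (prefixes assumed)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN-MAP

! ===== Remote router (constructed example; two ISPs on two interfaces) =====
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-REAL-KEY address 192.0.2.1
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS-HQ esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-HQ
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! The same crypto map is applied to both ISP-facing interfaces
interface FastEthernet0/0
 description ISP-A (primary)
 ip address 198.51.100.10 255.255.255.0
 crypto map VPN-MAP
!
interface FastEthernet0/1
 description ISP-B (backup)
 ip address 203.0.113.10 255.255.255.0
 crypto map VPN-MAP
!
! Floating static default routes: the ISP-B route (distance 250) is only
! installed when the ISP-A route leaves the table
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
```

Two points worth checking when deploying something like this. First, a static route is only withdrawn when its outgoing interface goes down, so a failure upstream of the cable/DSL modem that leaves the interface up will not move the default route by itself; that is the "you still need to know if the remote network is up or down" problem the reply describes, and it is why the reply points at routing-protocol timers or manual intervention. Second, the tunnel re-establishes from the new source address only after the old security associations are torn down, so the keepalive interval bounds how long the outage lasts; `show crypto isakmp sa` and `show crypto ipsec sa` on both routers show which peer address is in use.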
