New Member

How Do You Establish a Backup VPN Tunnel between Two Routers?

I have 2 routers on the Internet. An IPSec virtual private network (VPN) tunnel has been established between them using ip route statements, not routing protocols. One of the routers has two interfaces to the Internet; one is for backup. What is the simplest way to establish a second VPN tunnel if the first link should go down?

3 REPLIES
Anonymous
N/A

Re: How Do You Establish a Backup VPN Tunnel between Two Routers

The best thing to do is to let routing handle the failover, using the following steps:

  1. Build a normal backup interface configuration.
  2. Then build a generic routing encapsulation (GRE) tunnel and source it from the local router to the remote router using loopbacks.
  3. Change the crypto map to encrypt the GRE peers rather than the IP networks. If you do it this way, the loopbacks are always up, and therefore so is the GRE tunnel. If the GRE tunnel is up, the traffic is encrypted.
  4. Using GRE removes the issue of stale security associations (SAs) existing and preventing the IPSec tunnel from re-forming after an interface hit.

    For more information, see GRE over IPSec.
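
A sketch of the dual-homed router's side of the four steps above, added here as an example and not part of the original reply or of any Cisco document. The interface names, the addresses (RFC 5737 documentation ranges and 10.255.0.x loopbacks), the names GRE-TS, GRE-PEERS and TO-R2, and the key placeholder are all assumptions.

```cisco
! Constructed example: dual-homed router, all values are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PRESHARED-KEY address 192.0.2.2
! Dead peer detection, so SAs to an unreachable peer are torn down.
crypto isakmp keepalive 10 3
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
!
! Step 3: encrypt the GRE peers (loopback to loopback), not the LAN subnets.
ip access-list extended GRE-PEERS
 permit gre host 10.255.0.1 host 10.255.0.2
!
crypto map TO-R2 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GRE-TS
 match address GRE-PEERS
!
! Step 2: GRE tunnel sourced from and destined to loopbacks, which stay up.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.2
!
! Step 1: primary link with a standby backup; same crypto map on both.
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 backup interface Serial0/1
 crypto map TO-R2
!
interface Serial0/1
 ip address 203.0.113.2 255.255.255.252
 crypto map TO-R2
!
! Routing decides the path: floating default for the backup link,
! remote LAN (assumed 10.2.0.0/24) reached only through the GRE tunnel.
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1 250
ip route 10.2.0.0 255.255.255.0 Tunnel0
```

In this layout the outer IPsec endpoint on this router changes from 198.51.100.2 to 203.0.113.2 on failover, so the single-homed router's mirror-image crypto map needs both addresses as peers and a pre-shared key entry for each.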

    Cisco Employee

    Re: How Do You Establish a Backup VPN Tunnel between Two Routers

    You can use ISDN, etc. to back up IPSec. Below is a sample config just to give an idea:

    http://www.cisco.com/warp/public/707/ipsec_dialerwatch.html

    R/Yusuf

    Cisco Employee

    Re: How Do You Establish a Backup VPN Tunnel between Two Routers

    You could actually add a second peer statement on your crypto map on the remote (the one with the single interface) to point to the second interface if the first one goes down, together with isakmp keepalive.

    ! Peers are tried in the order listed.
    crypto map rem_to_home 10 ipsec-isakmp
     set peer 172.18.45.1
     set peer 172.18.45.2

    See resilience descriptions on:

    http://www.cisco.com/warp/public/cc/so/neso/vpn/vpne/vpne_an.htm
