Cisco Support Community
Community Member

site-to-site VPN design

Need to set up a site-to-site VPN between home and branch office. The branch office is connecting back to its ISP via 2 E1 circuits. We are load balancing between the 2 E1s via static routes. In the past I have terminated VPN tunnels on the WAN-facing IP address. However, in this case I have two different IP addresses, one for each E1. Are there any caveats in moving the VPN endpoint to the LAN-facing interface on the router? Is there a better design approach that is more commonly used with this type of topology? Thanks in advance.

Cisco Employee

Re: site-to-site VPN design


IPsec VPN can very well work if you configure the LAN-facing interface for it.

In this case, you can configure redundancy using floating static routes, so that if one of the E1s is down, you still have the VPN working over the other E1.

Something like:

ip route <destination> <mask> E1(A)
ip route <destination> <mask> E1(B) 2

The higher-metric E1 link will encrypt only when the other E1 is down. In this case, you will apply the crypto map on both interfaces.

On the remote device, you will configure the crypto map with two set peers, e.g.:

crypto map <name> 2 ipsec-isakmp
 set peer E1(A)
 set peer E1(B)


This is just an advantage of having two public interfaces. You can configure only one interface for VPN also if you want. I don't see any issue with that.

*Please rate if helped.
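The design described in the reply above, written out as a complete IOS configuration. This is an added example, not configuration from the original thread or from Cisco; every address is a constructed RFC 5737 documentation address, the pre-shared key is a placeholder, and the interface names, crypto map name and access-list numbers are assumptions.

```cisco
! Added example (not from the original thread): branch router with two E1
! uplinks, floating static routes and one crypto map applied to both WAN
! interfaces. All addresses are constructed documentation ranges.
!
! --- Branch router ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! Head-end peer address (constructed); replace the placeholder PSK
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK address 192.0.2.10
! Dead peer detection so a failed E1 is noticed in seconds rather than
! waiting for SA lifetimes to expire
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Interesting traffic: branch LAN 10.2.0.0/24 <-> head-end LAN 10.1.0.0/24
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS
 match address 101
!
! Primary E1 (E1(A) in the reply)
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
!
! Secondary E1 (E1(B) in the reply)
interface Serial0/1
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN
!
! Floating static routes: the metric-2 route is installed only while the
! primary route is gone, so traffic and the IPsec tunnel move to E1(B)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 2
!
! --- Head-end router (relevant part; ISAKMP policy and transform set
! --- mirror the branch) ---
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK address 198.51.100.2
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set peer 198.51.100.2
 set transform-set TS
 match address 101
```

Two points worth checking when deploying this. The head end tries the peers in the order listed and only moves to the second after the first stops answering, which is why DPD is enabled; without it the switchover waits for the SA lifetime. The floating route only takes over when the primary route is withdrawn, i.e. when Serial0/0's line protocol drops; a failure further upstream that leaves the circuit up needs object tracking on the primary route. If you prefer the question's original idea of terminating on the LAN-facing (or a loopback) interface, the same crypto map can be pinned to that address with `crypto map VPN local-address <interface>`, in which case the head end needs only that one peer address and a route to it via both E1s.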
