I have 2 routers connected to the same LAN, each with a WAN interface connected to the Internet. On these 2 routers I want to terminate an IPsec tunnel on each one from a remote office, for redundancy. In case a router fails for whatever reason, I want the second IPsec tunnel to be functional and handle the traffic.
What are my options? How can I achieve this functionality? I have done a lot of searching on Google but found nothing conclusive.
At the remote office you need to put both WAN IPs of the routers in your peer address and enable keepalives. If the tunnel to one of the peers fails, it will automatically switch over to the second IP.
Since they both share the same LAN, internal routing could become an issue; for that I would suggest implementing HSRP with interface tracking so that your routers can make routing changes between them as the situation requires.
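As an added illustration of the answer above (example configuration, not posted by the answerer or taken from Cisco documentation): a crypto-map based spoke that lists both HQ routers as peers and uses ISAKMP keepalives (DPD) to detect a dead peer, plus the HSRP interface-tracking on the two HQ routers so the LAN default gateway follows the router whose WAN link is up. All addresses are documentation ranges, and the key, ACL, map and track names are assumptions chosen for the example.

```cisco
! ===== Remote office router (spoke) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! same pre-shared key configured for both HQ peers (placeholder value)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
! DPD: probe every 10 s, retry every 3 s, so a dead peer is noticed in seconds
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
! traffic to protect: remote LAN -> HQ LAN
ip access-list extended VPN-ACL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
! two peers in one map entry: first is tried first, second after DPD declares it dead
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-ACL
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.10 255.255.255.0
 crypto map CMAP

! ===== HQ router 1 (HSRP active while its WAN is up) =====
! track the WAN link; losing it lowers HSRP priority so HQ-2 takes the LAN gateway
track 1 interface GigabitEthernet0/0 line-protocol
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20

! ===== HQ router 2 (same, lower base priority) =====
track 1 interface GigabitEthernet0/0 line-protocol
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.3 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track 1 decrement 20
```

One caveat to verify in testing: interface tracking only reacts when the WAN interface itself goes down. If the WAN stays up but the upstream path is dead, the spoke will fail over to HQ-2 via DPD while HQ-1 keeps the HSRP gateway role, and return traffic from the HQ LAN is then sent to a router that no longer holds the active SA. Tracking reachability of an upstream address (IP SLA with `track ... ip sla ... reachability`) instead of line-protocol closes that gap.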
I would address the problem completely differently than the other commenters in this thread. Of course native IPsec has all the tools to provide redundancy on its own. But if you switch from crypto-map-based VPNs to virtual tunnel interfaces (VTI) you can build one tunnel from your remote to each hub router. By running a routing protocol in the tunnel you use that functionality to determine which path is available. That's much more comfortable and easier than using the native IPsec tools.
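To make the VTI approach from the answer above concrete, here is an added example configuration (not the answerer's own, and not taken from Cisco documentation) showing the spoke with one IPsec VTI to each hub and EIGRP running inside both tunnels, with the hub-1 side included for one tunnel. The second tunnel is given a higher interface delay so EIGRP prefers hub 1 and falls back to hub 2 only when the neighbor over Tunnel1 is lost. Addresses are documentation ranges; the profile, transform-set and AS numbers are assumptions chosen for the example.

```cisco
! ===== Remote office router (spoke) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
! DPD still useful here to tear down the SA; the routing protocol handles path selection
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS
! one routed tunnel per hub; no crypto ACL needed, anything routed into the tunnel is encrypted
interface Tunnel1
 description to HQ-1
 ip address 10.0.1.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
interface Tunnel2
 description to HQ-2 (backup)
 ip address 10.0.2.2 255.255.255.252
 ! higher delay -> worse EIGRP metric -> used only when Tunnel1 has no neighbor
 delay 2000
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.20.1 255.255.255.0
router eigrp 100
 network 10.0.1.0 0.0.0.3
 network 10.0.2.0 0.0.0.3
 network 192.168.20.0 0.0.0.255
 passive-interface GigabitEthernet0/1

! ===== HQ router 1 (hub side of Tunnel1; HQ-2 is the same with 10.0.2.1 / peer 203.0.113.10) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS
interface Tunnel1
 description to remote office
 ip address 10.0.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
interface GigabitEthernet0/1
 description shared HQ LAN
 ip address 192.168.10.2 255.255.255.0
router eigrp 100
 network 10.0.1.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
```

Because both hubs advertise the remote LAN into EIGRP on the shared HQ LAN segment, the LAN-side return path converges with the tunnel: when Tunnel1 loses its neighbor, hub 2's advertisement is the only one left and hosts (or the LAN default gateway) follow it. That removes the need to keep HSRP tracking and IPsec peer state in sync by hand.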
OK, but what I need is standard IPsec redundancy, because I want to aggregate on 2 routers (HQ) VPNs with different partners, so I cannot impose the type of IPsec VPN. It should be a common one, which everyone uses nowadays.