Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IPSEC Redundancy


I have 2 routers connected to the same LAN and with a WAN interface connected to INTERNET. On this 2 routers i want to terminate an IPSEC tunnel on each one from a remote office, for redundancy. In case a router fails for various reason the second IPSEC tunnel I want to be functional and handle the traffic.

What are my options ? How I can each this functionality? I have made a lot of search on google but nothing concludent.

Thank you for your answers!

  • VPN

Re: IPSEC Redundancy

Hi Catalin,

Thanks for your question.

Most easiest solution for your application is IP-SLA with object tracking.

From your remote office, you establish as normal IP-Sec tunnel to both routers, however the second tunnel to remote office will kick in, only when IP-SLA object tracking fails.

Please go through this thread below and if you have any question, please feel free to ask.


Rizwan Rafeek.

New Member

IPSEC Redundancy

Hi Catalin,

At the remote office you need to put both the WAN ip of the routers in you peer address and enable keeplives. If tunnel to one of the peer fails it will automatically swtich over to the second ip.

Since they both share same LAN, internal routing could become an issue, for that i would suggest to implement HSRP with interface tracking so that your routers can make routing changes between them as per the situation.



New Member

IPSEC Redundancy


Can you share an exemple please?

VIP Purple

Re: IPSEC Redundancy

I would address the problem completely different then the other commenters in this thread. Of course native IPSec has all the tools to provide redundancy on it's own. But if you switch from crypto-map-based VPNs to virtual tunnel interfaces (VTI) you can build one tunnel from your remote to the each Hub-router. By running a routing-protocol in the tunnel you use that functionality to determine which path is available. That's much more comfortable and easier then using the native IPsec-tools.

Sent from Cisco Technical Support iPad App

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor:
New Member

Re: IPSEC Redundancy

Ok, but what i need is standard ipsec redundancy because i want to agregate on 2 routers (HQ) VPNs with diffrent partners, so I can not impose the type of IPSEC VPN. It should be a common one, which everyone uses nowadays.

thank you!