IPSEC Redundancy

Catalin Sandu
Level 1

Hello,

I have 2 routers connected to the same LAN, each with a WAN interface connected to the INTERNET. On these 2 routers I want to terminate an IPSEC tunnel on each one from a remote office, for redundancy. In case a router fails for various reasons, I want the second IPSEC tunnel to be functional and handle the traffic.

What are my options? How can I achieve this functionality? I have done a lot of searching on Google but found nothing conclusive.

Thank you for your answers!

5 Replies

rizwanr74
Level 7

Hi Catalin,

Thanks for your question.

The easiest solution for your application is IP SLA with object tracking.

From your remote office, you establish a normal IPsec tunnel to both routers; however, the second tunnel to the remote office will kick in only when IP SLA object tracking fails.

Please go through this thread below and if you have any question, please feel free to ask.

https://supportforums.cisco.com/thread/2034251

thanks

Rizwan Rafeek.


harshisi_2
Level 1

Hi Catalin,

At the remote office you need to put both WAN IPs of the routers in your peer address and enable keepalives. If the tunnel to one of the peers fails, it will automatically switch over to the second IP.

Since they both share the same LAN, internal routing could become an issue; for that I would suggest implementing HSRP with interface tracking, so that your routers can make routing changes between them as the situation requires.

Regards,

~Harry
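As an added illustration of the approach in this reply (not configuration from the poster or from Cisco), here is a Cisco IOS fragment for the remote-office router with both HQ WAN addresses as crypto-map peers and DPD keepalives enabled, plus the HQ-side HSRP group that tracks the WAN interface. All addresses, names and the pre-shared key are constructed placeholders; it assumes IOS 15.x with the IKEv1 crypto-map feature set, and the HQ routers carry a mirror crypto map with the remote router as their single peer.

```cisco
! --- Remote-office router: crypto-map VPN with two HQ peers and DPD ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! PLACEHOLDER_PSK: replace with the real pre-shared key (constructed value)
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.1
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.2
! Dead Peer Detection: probe every 10 s, retry every 3 s. When the current
! peer is declared dead, IOS moves on to the next "set peer" in the map.
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
! Interesting traffic: remote LAN 192.168.10.0/24 <-> HQ LAN 10.0.0.0/24
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map HQ-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 description WAN
 ip address 198.51.100.10 255.255.255.0
 crypto map HQ-VPN

! --- HQ router A, LAN side: HSRP gateway that follows the WAN interface ---
! Router B gets the same block with "standby 1 priority 90" so it only
! becomes active when A's WAN link (and therefore A's tunnel) is down.
track 1 interface GigabitEthernet0/0 line-protocol
interface GigabitEthernet0/1
 description LAN
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 30
```

Check the failover with "show crypto isakmp sa" on the remote router (the active peer address changes) and "show standby brief" on the HQ routers (the active role moves to B when A's WAN goes down); note that WAN link tracking does not catch a router whose WAN is up but whose upstream path is broken, which is where the IP SLA reachability tracking from the earlier reply fits.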

Hi,

Can you share an example please?

I would address the problem completely differently than the other commenters in this thread. Of course native IPsec has all the tools to provide redundancy on its own. But if you switch from crypto-map-based VPNs to virtual tunnel interfaces (VTI), you can build one tunnel from your remote site to each hub router. By running a routing protocol in the tunnels, you use that functionality to determine which path is available. That's much more comfortable and easier than using the native IPsec tools.

Ok, but what I need is standard IPsec redundancy, because I want to aggregate on 2 routers (HQ) VPNs with different partners, so I cannot impose the type of IPsec VPN. It should be a common one, which everyone uses nowadays.

thank you!