Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ipsec vrf-aware crypto map with two peers

Hi all,

I have a customer connected to my company with a site to site ipsec vpn tunnel. This customer wants to have a second router that works as backup in case that the first router fails.

I'm working with ipsec VRF-aware and I have configured a profile for this customer and I want to configure both peers in the same crypto map.

My questions are:

1. Is it possible to configure in the crypto isakmp profile two"match identity address" for two different peers ?

2. Is it possible to configure in the crypto keyring two two " pre-shared-key address" for two different peers ? can I use the same pre-shared keys for both ?

3. If a configure "set peer 1.1.1.1 default" and this peer fails, the connection will be established with the second peer. What happens if the default peer is available again ? Does the vpn tunnel remain by 1.1.1.2 or the vpn tunnel will be closed and the start a new connection to the default peer ?

4. What happens if the peers are configured without" default" ? first peer fails, than the connection will be established with the second one and if the second one fails the connection will be stablished with the first one and so on ?

This is my configuration

ip vrf customer

rd 5:5

route-target export 5:5

route-target import 5:5

crypto map mymap 90 ipsec-isakmp

set peer 1.1.1.1

set peer 1.1.1.2

set transform-set tset_3des-sha

set isakmp-profile isakmp_ABC

match address acl_ABC

crypto isakmp profile isakmp_ABC

   vrf customer

   keyring kring_ABC

   self-identity address

   match identity address 1.1.1.1 255.255.255.255

   match identity address 1.1.1.2 255.255.255.255 -> is it possible to configure ???

   keepalive 10 retry 2

  

crypto keyring kring_ABC

  pre-shared-key address 1.1.1.1 key cisco

  pre-shared-key address 1.1.1.2 key cisco-> is it possible to configure?

crypto map mymap 90 ipsec-isakmp

Thanks in advance for your help !

2 REPLIES
Cisco Employee

ipsec vrf-aware crypto map with two peers

The answer to most quesions is "yes, it's possible and it will/shoul work".

For "set peer" behavior. We do not support preemtpion in IPsec (AFAIU).

Have a look at:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1966957785

New Member

ipsec vrf-aware crypto map with two peers

Hi,

Great !! Thanks for your answer. It works.

223
Views
0
Helpful
2
Replies