Cisco Support Community

Scenario with secondary backup vpn peer and NAT


I have the following scenario with 2x IOS routers at the center and multiple clients around them to be connected over IPSEC VPN. The clients will consist of Cisco routers, Cisco firewalls, Juniper, Checkpoint and some other vendor equipment. I have two peers (the routers listed above) connected to the same private cloud of servers that the clients need access to. A static crypto map is a must, since we don't have access to the client equipment and this is the most generic implementation of IPSEC available between different vendors' equipment. The plan is to provide two peers to each remote client and, in the case of a Cisco router, instruct the client to specify them under the same crypto map with a single crypto interesting ACL, i.e.

crypto map mymap 10
 set peer default
 set peer yyy.yyy.yyy.yyy

The routers at the center are configured with a static crypto map for each client router, translating (NAT) each customer's source IP address (on the crypto-interesting list) into some internal network because of possibly overlapping networks.

Each router translates into its own different IP address pool, and there is a stateful firewall after each router; the server is behind this firewall.

For example, client A's source IP address will be translated to if client A connects to the first location, and the same client A source IP address will be translated into if client A connects to the secondary location.

My question is this: although it is very unlikely that a client could be connected to both peers at the same time, since the server application is designed not to initiate any outgoing connections to the remote clients and this is blocked on the firewall, just in case of simultaneous connections from the same peer to both routers, which peer will take over and what will happen to the existing TCP sessions? Will they be cut when the second IPSEC SA is initiated (since, due to NAT and the stateful firewall at the center, ACKs would be dropped when there was no SYN), causing just a temporary service disruption, and which of the peers will take over routing the traffic?

A responder-only crypto map is unfortunately not available at the central routers, because VTI is not applicable in this environment.

I believe this is a bit of a complicated scenario, so, experts, I need your advice!
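The failure mode the post worries about (a flow established through one center site, then carried over the SA to the other site, which has its own NAT pool and a stateful firewall with no state for that flow) can be modelled directly. This is an added illustration, not code from the original post or from Cisco; the site names, NAT addresses, ports and the simplified SYN-creates-state firewall rule are constructed assumptions.

```python
"""Constructed model of two center sites, each with its own NAT pool and a
stateful firewall behind it.  Hypothetical addresses; example code only."""
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    nat_addr: str                 # this site's translated source for client A
    # firewall state table, keyed on the *translated* 5-tuple minus protocol
    flows: set = field(default_factory=set)

    def forward(self, sport: int, dst: str, dport: int, syn: bool) -> bool:
        """NAT the client's source to this site's pool, then apply a simple
        stateful rule: a SYN creates state, anything else needs existing state."""
        key = (self.nat_addr, sport, dst, dport)
        if syn:
            self.flows.add(key)
            return True
        return key in self.flows


def run_failover(sport: int = 40000, dst: str = "10.9.9.10", dport: int = 443):
    """Returns (mid-session via A, mid-session via B, new SYN via B)."""
    site_a = Site("A", "172.16.1.5")   # constructed NAT pool address, site A
    site_b = Site("B", "172.16.2.5")   # constructed NAT pool address, site B

    # 1. Client A opens a TCP session through the primary peer (site A).
    site_a.forward(sport, dst, dport, syn=True)
    # 2. Later ACK/data segments still arrive via site A: state exists, allowed.
    ok_via_a = site_a.forward(sport, dst, dport, syn=False)
    # 3. Client now sends the same flow over the SA to the secondary peer.
    #    Site B translates to a different address and has no state: dropped.
    ok_via_b = site_b.forward(sport, dst, dport, syn=False)
    # 4. Only a fresh TCP session (new SYN) gets through site B.
    ok_new_via_b = site_b.forward(sport + 1, dst, dport, syn=True)
    return ok_via_a, ok_via_b, ok_new_via_b


if __name__ == "__main__":
    print(run_failover())   # prints (True, False, True)
```

The model shows why the existing sessions cannot survive a move to the other peer under this design: the firewall state lives at one site and is keyed on that site's translated address, so the other site sees mid-stream segments of an unknown flow and drops them until the client reconnects.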
