Cisco Support Community

VPN redundancy per destination?

Hi All, I'm busy setting up a VPN for one of my clients. They need to have the same VPN tunnel with the same source-destination interesting traffic but terminating on two different public IPs. So this should have sort of a primary VPN; should it fail, then a secondary VPN should take over. This is not the redundant ISP scenario.

Network A - B ------------vpn---------terminate on X (most preferred)

Network A- B -------------vpn---------terminate on Y (less preferred)

1 ACCEPTED SOLUTION

On the ASA, you can do it with the primary crypto map having a higher priority than the backup, but using the same ACLs. If the first map can't peer, the second one will establish. It's worth setting lower lifetimes on the IPsec SA for this. You may also want to consider setting the hub to be originate-only and the spokes to be receive-only so that you don't have a spoke creating a new SA when you don't want it to.
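Added example (editor's note, not part of the accepted answer or Cisco's documentation for this thread): a sketch of the ASA configuration for the spoke side, showing the pieces the answer mentions together. It uses the ASA's ordered peer list in a single crypto map entry, which is how the ASA expresses "try X first, fall back to Y" for one set of interesting traffic, rather than two separate map entries; the shorter IPsec SA lifetime, the `originate-only`/`answer-only` connection types (the ASA keyword for what the answer calls "receive-only" is `answer-only`), and IKE dead peer detection are the knobs the answer talks about. All names, addresses and keys are assumptions: 10.1.0.0/24 and 10.2.0.0/24 stand for networks A and B, 203.0.113.10 is peer X (preferred), 198.51.100.20 is peer Y (backup), and the outside interface is called `outside`.

```cisco
! Added example, not from the thread. Assumed values:
!   network A = 10.1.0.0/24 (local), network B = 10.2.0.0/24 (remote)
!   X = 203.0.113.10 (preferred peer), Y = 198.51.100.20 (backup peer)
!   outside interface is named "outside"; pre-shared keys are placeholders

! Interesting traffic: one ACL, shared by both peers
access-list VPN-A-B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! IKEv1 phase 1 (IKEv2 is configured the same way with "crypto ikev2 ...")
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! One crypto map entry with an ordered peer list:
! X is tried first, Y only if X does not respond to IKE
crypto map OUTSIDE-MAP 10 match address VPN-A-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10 198.51.100.20
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
! Shorter IPsec SA lifetime (default is 28800 s) so that a rekey, which
! walks the peer list from the top again, happens sooner after a failover
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
! This side holds the peer list and initiates; X and Y are configured
! answer-only so they never build an SA this side did not ask for
crypto map OUTSIDE-MAP 10 set connection-type originate-only
crypto map OUTSIDE-MAP interface outside

! Dead peer detection per tunnel-group, so a silently failed X is torn
! down instead of black-holing traffic until the SA lifetime expires
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <key-for-X>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <key-for-Y>
 isakmp keepalive threshold 10 retry 2

! On X and Y the matching crypto map entry would carry
!   crypto map <name> <seq> set connection-type answer-only
! and point at this ASA's outside address as its single peer.
```

Two things worth checking after applying something like this: `show crypto ikev1 sa` and `show crypto ipsec sa peer 203.0.113.10` confirm which peer the SA is actually up with, and pulling the IKE reachability to X (for example by blocking UDP/500 and ESP toward it in a lab) should show the SA re-establishing to 198.51.100.20 after the keepalive threshold, then returning to X on the next rekey once X is reachable again.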

4 REPLIES

What platform are you using to terminate these VPNs? If you're using routers rather than security appliances, you can use tunnel interfaces and run a routing protocol to manage the traffic. 

Hi Jody, I'm using the ASA5555-X appliances

Thanks Jody, much appreciated
