crypto map with two peers for redundancy

rabeder
Level 1

Hi,

I have a hub router which has a crypto connection to a spoke router.

Config:

!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 321tmobile(max) address 10.18.239.243
!
!
crypto ipsec transform-set xyz esp-3des esp-md5-hmac
!
crypto map aa 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set xyz
 match address xyz
!
interface FastEthernet0
 ip address 1.2.2.2 255.255.255.0
 full-duplex
 crypto map aa

Now I have the task to implement a second spoke for redundancy.

Now I am searching for a solution to build a second "VPN tunnel" (a second peer statement?) to the redundancy router.

But how can I tell the hub router that it should normally use the first "VPN tunnel" and only in the case of failure use the second one?

Thanks

3 Replies

Richard Burts
Hall of Fame

Kurt

There are several ways in which this can be implemented. I have implemented this environment with IPSec VPN tunnels to implement redundancy. The way that we did it was to run two tunnels, to run a dynamic routing protocol over the tunnels (we chose EIGRP but any dynamic interior protocol would do), and manipulated the routing metric to use one tunnel as primary and one tunnel as backup. In this case we added a second instance of the crypto key for the second peer, and added a second instance in the crypto map (crypto map aa 20 ipsec-isakmp).

HTH

Rick

farkascsgy
Level 4

Hi,

You can do this with routing protocols; if you have multiple paths to the same destination, just fine-tune your routing protocols. In case of EIGRP modify the bandwidth of the tunnel (higher is better); in case of OSPF modify the cost of the tunnel (lower is better). I also use two tunnels to the same destination and I prioritize one of them with the bandwidth command. Be sure that, in case of EIGRP, you use the same bandwidth value on both ends of the tunnel; otherwise traffic goes out on tunnel A and could come back on tunnel B....

If you need more info please explain your routing habits...

bye

FCS

Please rate me if I helped.
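The following hub-side configuration is an added example of the design described in the two replies above (a second pre-shared key and a second crypto map entry for the second peer, one GRE tunnel per spoke, EIGRP over the tunnels with the tunnel bandwidth deciding which path is preferred). It is not any poster's own configuration. The spoke addresses 203.0.113.1 (primary) and 203.0.113.2 (backup), the tunnel addressing, the key placeholders and the LAN prefix are all constructed.

```ios
! Added example, not the original poster's config. Addresses, keys, tunnel and
! EIGRP numbers are constructed placeholders:
!   203.0.113.1 = primary spoke, 203.0.113.2 = backup (redundancy) spoke
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! one pre-shared key per peer (use distinct keys, never the same string)
crypto isakmp key PLACEHOLDER-KEY-SPOKE1 address 203.0.113.1
crypto isakmp key PLACEHOLDER-KEY-SPOKE2 address 203.0.113.2
!
crypto ipsec transform-set xyz esp-3des esp-md5-hmac
!
! one crypto map entry per spoke; each entry only protects the GRE traffic
! to its own peer, so the two tunnels are independent of each other
crypto map aa 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set xyz
 match address GRE-TO-SPOKE1
crypto map aa 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set xyz
 match address GRE-TO-SPOKE2
!
ip access-list extended GRE-TO-SPOKE1
 permit gre host 1.2.2.2 host 203.0.113.1
ip access-list extended GRE-TO-SPOKE2
 permit gre host 1.2.2.2 host 203.0.113.2
!
interface FastEthernet0
 ip address 1.2.2.2 255.255.255.0
 full-duplex
 crypto map aa
!
! primary tunnel: the higher bandwidth value gives EIGRP the better (lower)
! composite metric, so routes learned here win
interface Tunnel0
 bandwidth 10000
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 203.0.113.1
!
! backup tunnel: lower bandwidth; its routes are only installed once the
! EIGRP neighbour over Tunnel0 is lost
interface Tunnel1
 bandwidth 1000
 ip address 10.255.0.5 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 203.0.113.2
!
! the spokes must configure the same bandwidth values on their tunnel ends,
! otherwise the two directions can pick different tunnels (asymmetric path)
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
 no auto-summary
```

With this in place, failover is driven by EIGRP losing its neighbour over Tunnel0 (hello/hold timers), not by IPsec itself; the crypto map entry 20 and its SAs exist the whole time, which is what makes the switch quick. Check which path is active with "show ip route" and "show ip eigrp neighbors", and the SA state per peer with "show crypto isakmp sa" and "show crypto ipsec sa".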

Kurt,

You can also try the IPSec Preferred Peer with DPD (dead peer detection).

Check the following link for details

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00803f86ca.html

HTH, rate if it does

Narayan
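As an added example of the alternative Narayan points to, here is the IPsec Preferred Peer approach with dead peer detection in a single crypto map entry. It is not Narayan's or Cisco's own configuration; the peer addresses 203.0.113.1 and 203.0.113.2, the key placeholders and the protected subnets are constructed, and the crypto map name "aa" and ACL name "xyz" are reused from the original post.

```ios
! Added example, not from the original post or the linked feature guide.
! Addresses, keys and subnets are constructed placeholders.
!
! DPD: send a keepalive every 10 seconds; after 3 missed replies the peer is
! declared dead and the router moves on to the next configured peer
crypto isakmp keepalive 10 3 periodic
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key PLACEHOLDER-KEY-SPOKE1 address 203.0.113.1
crypto isakmp key PLACEHOLDER-KEY-SPOKE2 address 203.0.113.2
!
crypto ipsec transform-set xyz esp-3des esp-md5-hmac
!
! one crypto map entry with two peers: peers are tried in the order listed,
! and the "default" keyword (IPsec Preferred Peer feature) makes the router
! return to the primary on later negotiations instead of staying on the backup
crypto map aa 10 ipsec-isakmp
 set peer 203.0.113.1 default
 set peer 203.0.113.2
 set transform-set xyz
 match address xyz
!
! both peers must front the same protected network, since the same policy
! (this ACL) is applied whichever peer is currently in use
ip access-list extended xyz
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
interface FastEthernet0
 ip address 1.2.2.2 255.255.255.0
 full-duplex
 crypto map aa
```

This variant needs no routing protocol, but it only fits when the redundancy router protects exactly the same remote subnets as the primary spoke; if the two spokes sit in front of different networks, the routed two-tunnel design is the right one. The "default" keyword is only accepted on IOS releases that include the IPsec Preferred Peer feature described in the linked guide; "show crypto isakmp sa" shows which peer currently holds the SA.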
