10-05-2006 04:57 AM - edited 03-03-2019 02:14 PM
Hi,
I have a hub router which has a crypto connection to a spoke router.
Config:
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 321tmobile(max) address 10.18.239.243
!
!
crypto ipsec transform-set xyz esp-3des esp-md5-hmac
!
crypto map aa 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set xyz
match address xyz
interface FastEthernet0
ip address 1.2.2.2 255.255.255.0
full-duplex
crypto map aa
Now I have the task to implement a second spoke for redundancy.
Now I am searching for a solution to build a second "VPN tunnel" (a second peer statement?) to the redundancy router.
But how can I tell the hub router that it should normally use the first "VPN tunnel" and only in the case of a failure use the second one?
Thanks
10-05-2006 05:12 AM
Kurt
There are several ways in which this can be implemented. I have implemented this environment with IPSec VPN tunnels to implement redundancy. The way that we did it was to run two tunnels, to run a dynamic routing protocol over the tunnels (we chose EIGRP but any dynamic interior protocol would do), and manipulated the routing metric to use one tunnel as primary and one tunnel as backup. In this case we added a second instance of the crypto key for the second peer, and added a second instance in the crypto map (crypto map aa 20 ipsec-isakmp).
HTH
Rick
10-05-2006 05:17 AM
Hi,
You can do this with routing protocols: if you have multiple paths to the same destination, just fine-tune your routing protocols. In the case of EIGRP, modify the bandwidth of the tunnel (higher is better); in the case of OSPF, modify the cost of the tunnel (lower is better). I also use two tunnels to the same destination and I prioritize one of them with the bandwidth command. Be sure that in the case of EIGRP you use the same bandwidth value on both ends of the tunnel; otherwise traffic goes out on tunnel A and could happen to come back on tunnel B...
If you need more info please explain your routing habits...
bye
FCS
Please rate me if I helped.
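As an added example (not from Rick's or FCS's posts, and not the original poster's config) of what both replies describe, here is the hub side with two crypto map entries, one GRE tunnel per spoke, EIGRP running over the tunnels, and bandwidth/delay tuned so Tunnel0 is primary and Tunnel1 is only used when Tunnel0 goes down. The original LAN-to-LAN crypto map cannot carry a routing protocol, so the crypto ACLs here match only the GRE traffic and the LAN prefixes are learned by EIGRP. The first peer address 1.1.1.1 and the hub address 1.2.2.2 come from the original post; the second spoke 1.1.1.2, the tunnel subnets, the LAN prefixes, the EIGRP AS and the key placeholders are assumptions:

```cisco
! Added example, hub side: GRE over IPsec to two spokes with EIGRP failover.
! Assumed: spoke2 = 1.1.1.2, hub LAN 192.168.10.0/24, tunnel nets 10.0.0.0/30 and
! 10.0.0.4/30, EIGRP AS 100. Replace <KEY-SPOKE1>/<KEY-SPOKE2> with real pre-shared keys.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! one pre-shared key per peer (Rick's "second instance of the crypto key")
crypto isakmp key <KEY-SPOKE1> address 1.1.1.1
crypto isakmp key <KEY-SPOKE2> address 1.1.1.2
! DPD: probe every 10 s, 3 misses tears the SA down instead of leaving it stale
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set xyz esp-3des esp-md5-hmac
 mode transport
!
! the crypto ACLs cover only the GRE packets between the tunnel endpoints
ip access-list extended GRE-SPOKE1
 permit gre host 1.2.2.2 host 1.1.1.1
ip access-list extended GRE-SPOKE2
 permit gre host 1.2.2.2 host 1.1.1.2
!
! one crypto map entry per peer (Rick's "crypto map aa 20 ipsec-isakmp")
crypto map aa 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set xyz
 match address GRE-SPOKE1
crypto map aa 20 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set xyz
 match address GRE-SPOKE2
!
! primary: high bandwidth / low delay = better EIGRP metric
interface Tunnel0
 description primary tunnel to spoke 1
 bandwidth 1000
 delay 1000
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination 1.1.1.1
!
! backup: low bandwidth / high delay = worse metric, used only when Tunnel0 is down
interface Tunnel1
 description backup tunnel to spoke 2
 bandwidth 100
 delay 5000
 ip address 10.0.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination 1.1.1.2
!
interface FastEthernet0
 ip address 1.2.2.2 255.255.255.0
 full-duplex
 crypto map aa
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.10.0
 no auto-summary
```

Each spoke mirrors this with a single crypto map entry and the same bandwidth/delay values on its end of its tunnel, which is the point FCS makes: if the two ends disagree, the hub prefers Tunnel0 while the spoke side may prefer the other path and you get asymmetric traffic. For OSPF instead of EIGRP, leave bandwidth alone and put ip ospf cost 10 on Tunnel0 and ip ospf cost 100 on Tunnel1. The GRE keepalive and DPD together bring the tunnel interface down within about 30 s of a spoke failure, so EIGRP reconverges on Tunnel1 without waiting for the hold timer; check with show ip route and show crypto isakmp sa.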
10-05-2006 11:16 PM
Kurt,
You can also try the IPSec Preferred Peer with DPD (dead peer detection).
Check the following link for details
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00803f86ca.html
HTH, rate if it does
Narayan
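As an added example (not from Narayan's post or the linked feature guide) of the IPsec Preferred Peer approach, here is the hub side keeping the original LAN-to-LAN crypto map but with two peers in one entry, the first marked default, plus DPD so a dead primary is actually detected. The hub address 1.2.2.2, peer 1.1.1.1, transform set xyz and ACL name xyz come from the original post; the second peer 1.1.1.2, the LAN prefixes behind the hub and the spokes, the timer values and the key placeholders are assumptions:

```cisco
! Added example, hub side: one crypto map entry, two peers, default peer + DPD.
! Assumed: both spokes front the same LAN 192.168.20.0/24, hub LAN 192.168.10.0/24,
! backup spoke 1.1.1.2. Replace <KEY-SPOKE1>/<KEY-SPOKE2> with real pre-shared keys.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <KEY-SPOKE1> address 1.1.1.1
crypto isakmp key <KEY-SPOKE2> address 1.1.1.2
! DPD: keepalive every 10 s, peer declared dead after 3 missed replies (about 30 s);
! without this the hub keeps sending into a dead SA until the SA lifetime expires
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set xyz esp-3des esp-md5-hmac
!
ip access-list extended xyz
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto map aa 10 ipsec-isakmp
 ! "default" makes 1.1.1.1 the peer tried first on every new negotiation;
 ! 1.1.1.2 is only tried after 1.1.1.1 fails or is declared dead by DPD
 set peer 1.1.1.1 default
 set peer 1.1.1.2
 set transform-set xyz
 ! idle timer with "default": an SA to the backup peer that sees no traffic for
 ! 120 s is torn down, and the next packet renegotiates with the default peer again
 set security-association idle-time 120 default
 match address xyz
!
interface FastEthernet0
 ip address 1.2.2.2 255.255.255.0
 full-duplex
 crypto map aa
```

Two caveats a practitioner should expect here. First, the default peer only governs tunnels the hub initiates; if a spoke initiates, the hub accepts whichever peer negotiates, so the spokes need the same kind of preference configured on their side. Second, fail-back to the primary depends on the SA to the backup going idle: with continuous traffic the hub stays on 1.1.1.2 until the idle timer or the SA lifetime runs out, so the idle-time value is a trade-off between fail-back speed and needless renegotiation. Verify the peer order with show crypto map, and watch the switch with show crypto isakmp sa and debug crypto isakmp during a test failover.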