
New Member

Crypto overriding static route


I have a 1900 router in a remote location with one LAN and two external connections A & B.

Connection A is a wireless point to point back to HQ (layer 2)

Connection B is a DSL running an IPSEC VPN back to HQ (layer 3)

Connection A is the live link running layer 2 so the HQ subnet is spanned out to the remote location.

I want to make the remote site layer 3 and use Connection B as a backup.

But how can I run both connections for redundancy without the crypto taking precedence over the wireless point to point, which will have a default static route with metric 1, whereas the VPN will be default route metric 2?

Is there a command or config to allow the routes to get checked first before the crypto? I hope I have explained this well enough.




Crypto overriding static route

I can't really picture this. Do the clients at the remote location have the same IP addressing as the clients at the head office? Does the remote location access the Internet through the head office?

In any case using static routes will require you to manually make a change whenever a link fails. It may be best to run a routing protocol over the wireless link or static routes with tracking and have a backup default route that points to the head office over the DSL link.

Cisco Employee

Re: Crypto overriding static route

Hi Fergal,

An IPsec VPN as a backup link is a normal setup; this should work fine. Can you post your remote router's config, maybe just something simple?

Lei Tian


New Member

Re: Crypto overriding static route

Hi Lei Tian,

I have implemented this solution yet, but speaking with others, apparently crypto does take precedence over a static route.

Is there documentation anywhere to prove this? I proposed the solution to the customer thinking the very same as you stated, but now I'm doubtful.


Re: Crypto overriding static route

Hi Fergal, just keep in mind that routing has to take place before you can encrypt. In other words, the router has to determine the exit interface for the destination before encryption can be applied, which means if you have a static route that sends traffic over your primary link, then that is where the traffic will go. If the primary link is down/disconnected, will you be able to send traffic over the backup link whether manually or automatically. My thoughts on how to accomplish that are in my previous post.

I believe there is an order of operation document for routers somewhere, I will see if I can find it.
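
The setup discussed in the replies above (a tracked default route on the wireless link, a floating default route out the DSL interface, and the crypto map bound only to the DSL interface), as an added example that is not part of the original thread. Interface names, all addresses (documentation and private ranges), the ACL, crypto map and transform-set names, and the key placeholder are assumptions.

```cisco
! Added example; every name and address here is an assumption.
! Gi0/0   = wireless point-to-point to HQ (primary), HQ end 192.0.2.1
! Dialer1 = DSL (backup), HQ VPN peer 203.0.113.10
! Remote LAN = 10.2.0.0/24

! Probe the HQ end of the wireless link so the primary route is
! withdrawn when the far end stops answering, not only on link-down
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

! Primary default route: installed only while track 1 is up
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
! Backup default route: administrative distance 2 (the "metric 2" in
! the question), used only when the primary route is removed
ip route 0.0.0.0 0.0.0.0 Dialer1 2
! The VPN peer itself is always reached over DSL
ip route 203.0.113.10 255.255.255.255 Dialer1

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.10
crypto ipsec transform-set TS-HQ esp-aes 256 esp-sha256-hmac
 mode tunnel

! Interesting traffic: everything sourced from the remote LAN
ip access-list extended VPN-TO-HQ
 permit ip 10.2.0.0 0.0.0.255 any

crypto map BACKUP-VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-HQ
 match address VPN-TO-HQ

! The crypto map is checked only for packets already routed out
! Dialer1, so it cannot pull traffic away from the wireless route
interface Dialer1
 crypto map BACKUP-VPN
```

`show track 1` and `show ip route 0.0.0.0` show which default route is installed, and `show crypto ipsec sa` shows encrypted packet counters rising only after failover to Dialer1.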