Multiple Set Peer for VPN Failover
Yes, this is the right way to do it. You can also set the default
keyword after set peer ...
if you prefer to use one of the two routers by default
Related videos on Youtube
Kyle Brandt
Updated on September 17, 2022Comments
-
Kyle Brandt over 1 year
I will have two Cisco routers at Location A serving the same internal networks, and one router in location B.
Currently, I have one router in each location with a IPSec site-to-site tunnel connecting them. It looks something like:
Location A:
crypto map crypto-map-1 1 ipsec-isakmp description Tunnel to Location B set peer 12.12.12.12 set transform-set ESP-3DES-SHA match address internal-ips
Location B:
crypto map crypto-map-1 1 ipsec-isakmp description Tunnel to Location A set peer 11.11.11.11 set transform-set ESP-3DES-SHA match address internal-ips
Can I achieve fail over by simply adding another set peer at location B?:
Location A (New secondary Router, configuration on previous router stays the same):
crypto map crypto-map-1 1 ipsec-isakmp description Tunnel to Location B set peer 12.12.12.12 set transform-set ESP-3DES-SHA match address internal-ips
Location B (Configuration Changed):
crypto map crypto-map-1 1 ipsec-isakmp description Tunnel to Location A set peer 11.11.11.11 ! 11.11.11.100 is the ip of the new second router at location A set peer 11.11.11.100 set transform-set ESP-3DES-SHA match address internal-ips
Cisco Says:
For crypto map entries created with the crypto map map-name seq-num ipsec-isakmp command, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange (IKE) tries the next peer on the crypto map list.
But I don't fully understand that in the context of a failover scenerio (One of the routers as Location A blowing up).
-
TT Boy over 9 yearsWorked like a charm for me