Multiple Set Peer for VPN Failover

Posted by Kyle Brandt on Server Fault See other posts from Server Fault or by Kyle Brandt
Published on 2010-03-05T13:41:39Z Indexed on 2010/03/25 12:03 UTC
Read the original article Hit count: 392

Filed under:
|
|
|
|

I will have two Cisco routers at Location A serving the same internal networks, and one router in location B.

Currently, I have one router in each location with a IPSec site-to-site tunnel connecting them. It looks something like:

Location A:

crypto map crypto-map-1 1 ipsec-isakmp 
 description Tunnel to Location B
 set peer 12.12.12.12
 set transform-set ESP-3DES-SHA 
 match address internal-ips

Location B:

crypto map crypto-map-1 1 ipsec-isakmp 
 description Tunnel to Location A
 set peer 11.11.11.11
 set transform-set ESP-3DES-SHA 
 match address internal-ips

Can I achieve fail over by simply adding another set peer at location B?:

Location A (New secondary Router, configuration on previous router stays the same):

crypto map crypto-map-1 1 ipsec-isakmp 
     description Tunnel to Location B
     set peer 12.12.12.12
     set transform-set ESP-3DES-SHA 
     match address internal-ips

Location B (Configuration Changed):

crypto map crypto-map-1 1 ipsec-isakmp 
     description Tunnel to Location A
     set peer 11.11.11.11
     ! 11.11.11.100 is the ip of the new second router at location A
     set peer 11.11.11.100
     set transform-set ESP-3DES-SHA 
     match address internal-ips

Cisco Says:

For crypto map entries created with the crypto map map-name seq-num ipsec-isakmp command, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange (IKE) tries the next peer on the crypto map list.

But I don't fully understand that in the context of a failover scenerio (One of the routers as Location A blowing up).

© Server Fault or respective owner

Related posts about cisco

Related posts about ipsec