Cisco Router-to-Router VPN Backup for Point-to-Point Links

Posted on 2004-11-22
Last Modified: 2012-06-27
Site 1:
3640: IOS 12.3 IP / FW / IDS Plus IPSEC 3DES
E0/0: / 24
E1/0: A.B.C.D / 24
S0/1: /29

Site 2:
2611: IOS 12.3 IP / FW / IDS Plus IPSEC 3DES
FA0/0: /24
FA0/1: E.F.G.H / 24
S0/0: /29

Sites are currently connected via serial point-to-point.  The goal here is to dynamically use the E1 ports to create an IPsec tunnel / VPN when / if the point-to-point fails.  The letters on both sites represent the current IP address provided by the ISP.  Both sites use OSPF now for routing; however, I would move to a static or floating route if it makes it easier and works.

I have reviewed both these sites and am still a bit confused.

I'm really interested in what both running configurations would look like.  

Any Willing Help?

Cheers, Shawn
Question by: syerkes

    Expert Comment

    Let me understand this. You have a point-to-point link which will be your primary, and you need to use the VPN as your secondary. Simple to achieve.

    You need to configure the IPsec VPN part, for which a lot of posts are available on this forum. The trick is in the routing. Your primary link is the serial, and therefore that should have a route with a lower metric. The VPN link can have a floating static, with a higher metric. When the serial link fails, the routers will automatically route the data towards the E1 links.

    Since the VPN policies are already defined and applied, the tunnel is built on the fly and data sent through the VPN. Once the serial link comes up again, data will again take the serial link, being the lower cost route.

    The VPN tunnel will be torn down after the timeout period. Suggest you set the timeout to a reasonable value like one hour.

    If you need help on actual configs, will be glad to help.

    Author Comment

    You are correct in stating the goals.  Primary link is p-to-p, backup is VPN.  Timeout period of an hour is fair; I assume it is to prevent link flap or routing problems.  

    I would like to see an actual sample config for both sides.  Once I have that I believe it will be simple for me to reverse engineer it and understand.  I'm surprised one doesn't exist on

    Thanks for your response fullerms.  I will be watching for the examples.  -Shawn

    Accepted Solution

    Here you go.

    ! Phase 1 (IKE) policy: 3DES / MD5 / pre-shared key, one-hour lifetime
    crypto isakmp policy xx
     encr 3des
     hash md5
     authentication pre-share
     lifetime 3600

    ! Pre-shared key is bound to the remote peer's public address
    crypto isakmp key (preshared secret key) address (remote peer)
    ! Phase 2 (IPsec) transform set
    crypto ipsec transform-set (somename) esp-3des esp-md5-hmac

    ! A crypto map entry needs a sequence number (e.g. 10)
    crypto map somemapname (seq-number) ipsec-isakmp
     description "ffff"
     set security-association lifetime seconds 3600
     set peer (remote peer)
     set transform-set (somename)
     match address 190

    ! Extended ACL: source network + inverse mask, destination network + inverse mask
    access-list 190 permit ip x.x.x.x (inverse mask) y.y.y.y (inverse mask)   ( has to be a mirror image of the other side. pls note that you need to use inverse masks)

    In addition, you need to apply the cryptomap to an interface

    interface something
     crypto map somemapname

    You also need to add routes to the primary link and floating routes to the VPN link

    Let me know if you need more information
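    The two-sided running configuration Shawn asked for in the question, worked through from the template in the accepted solution. This is an added example, not fullerms' own posted config, and every address in it is a constructed stand-in: 192.0.2.10 and 198.51.100.10 (RFC 5737 documentation space) stand in for the ISP-assigned A.B.C.D and E.F.G.H, .1 in each block is assumed to be the ISP gateway, 10.1.1.0/24 and 10.2.2.0/24 are assumed LANs, and 172.16.0.0/29 is an assumed serial subnet. The policy number, map name, ACL number and pre-shared key are placeholders to replace. OSPF stays on the serial link as the primary path (administrative distance 110); the floating static route for the remote LAN carries AD 200, so it only enters the routing table once OSPF withdraws its route, which is what pushes traffic out the Ethernet uplink and lets the crypto map bring the tunnel up.

    ```cisco
    ! ===== Site 1 (3640) =====  [example config; all addresses constructed]
    hostname Site1
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 3600
    ! Pre-shared key bound to Site 2's public address (placeholder key)
    crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 198.51.100.10
    !
    crypto ipsec transform-set BACKUP-TS esp-3des esp-md5-hmac
    !
    crypto map BACKUP-VPN 10 ipsec-isakmp
     description Backup tunnel to Site 2, used only while the serial link is down
     set peer 198.51.100.10
     set transform-set BACKUP-TS
     set security-association lifetime seconds 3600
     match address 190
    !
    ! Interesting traffic: Site 1 LAN -> Site 2 LAN (exact mirror of Site 2's ACL 190)
    access-list 190 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
    !
    interface Ethernet0/0
     description Site 1 LAN
     ip address 10.1.1.1 255.255.255.0
    !
    interface Ethernet1/0
     description ISP uplink (stand-in for A.B.C.D)
     ip address 192.0.2.10 255.255.255.0
     crypto map BACKUP-VPN
    !
    interface Serial0/1
     description Primary point-to-point to Site 2
     ip address 172.16.0.1 255.255.255.248
    !
    router ospf 1
     network 10.1.1.0 0.0.0.255 area 0
     network 172.16.0.0 0.0.0.7 area 0
    !
    ! Host route so the IKE/ESP packets to the peer leave via the ISP gateway
    ip route 198.51.100.10 255.255.255.255 192.0.2.1
    ! Floating static: AD 200 > OSPF 110, installed only when the OSPF route is gone
    ip route 10.2.2.0 255.255.255.0 192.0.2.1 200
    !
    ! ===== Site 2 (2611) =====  [example config; all addresses constructed]
    hostname Site2
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 192.0.2.10
    !
    crypto ipsec transform-set BACKUP-TS esp-3des esp-md5-hmac
    !
    crypto map BACKUP-VPN 10 ipsec-isakmp
     description Backup tunnel to Site 1, used only while the serial link is down
     set peer 192.0.2.10
     set transform-set BACKUP-TS
     set security-association lifetime seconds 3600
     match address 190
    !
    ! Mirror image of Site 1's ACL: Site 2 LAN -> Site 1 LAN
    access-list 190 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    !
    interface FastEthernet0/0
     description Site 2 LAN
     ip address 10.2.2.1 255.255.255.0
    !
    interface FastEthernet0/1
     description ISP uplink (stand-in for E.F.G.H)
     ip address 198.51.100.10 255.255.255.0
     crypto map BACKUP-VPN
    !
    interface Serial0/0
     description Primary point-to-point to Site 1
     ip address 172.16.0.2 255.255.255.248
    !
    router ospf 1
     network 10.2.2.0 0.0.0.255 area 0
     network 172.16.0.0 0.0.0.7 area 0
    !
    ip route 192.0.2.10 255.255.255.255 198.51.100.1
    ip route 10.1.1.0 255.255.255.0 198.51.100.1 200
    ```

    Two things to check after applying this. First, failover is only as fast as the primary route's withdrawal: if the serial line protocol drops, OSPF removes the route immediately; if the link degrades without the interface going down, the route stays until the OSPF dead timer expires, so test both cases. Second, if the ISP-facing interfaces carry an inbound access list (these are FW/IDS images), it must permit UDP port 500 (IKE) and IP protocol 50 (ESP) from the peer's address, or the tunnel will never negotiate. The one-hour lifetimes match the timeout fullerms suggested: once the serial link returns, no traffic matches the crypto map on the Ethernet interface and the idle SAs age out on their own.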


    Expert Comment

    Can we close this question?
