Solved

Cisco Router-to-Router VPN Backup for Point-to-Point Links

Posted on 2004-11-22
Last Modified: 2012-06-27
Site 1:
3640: IOS 12.3 IP / FW / IDS Plus IPSEC 3DES
E0/0: 10.10.1.5 / 24
E1/0: A.B.C.D / 24
S0/1: 10.10.6.13 /29

Site 2:
2611: IOS 12.3 IP / FW / IDS Plus IPSEC 3DES
FA0/0: 10.10.6.14 /24
FA0/1: E.F.G.H / 24
S0/0: 10.10.6.14 /29

The sites are currently connected via a serial point-to-point link.  The goal here is to dynamically use the E1 ports to create an IPSec tunnel / VPN when / if the point-to-point link fails.  The letters on both sites represent the current IP addresses provided by the ISP.  Both sites use OSPF now for routing; however, I would move to a static or floating route if it makes it easier and works.

I have reviewed both these sites and am still a bit confused.  
http://tcpmag.com/qanda/article.asp?EditorialsID=249
http://www.cisco.com/warp/public/707/static.html

I'm really interested in what both running configurations would look like.  

Any Willing Help?

Cheers, Shawn
Question by:syerkes
4 Comments
 
LVL 6

Expert Comment

by:fullerms
ID: 12761694
Let me understand this. You have a point-to-point link which will be your primary, and you need to use the VPN as your secondary. Simple to achieve.

You need to configure the IPsec VPN part, for which a lot of posts are available on this forum. The trick is in the routing. Your primary link is the serial, and therefore that should have a route with a lower metric. The VPN link can have a floating static, with a higher metric. When the serial link fails, the routers will automatically route the data towards the E1 links.

Since the VPN policies are already defined and applied, the tunnel is built on the fly and data sent through the VPN. Once the serial link comes up again, data will again take the serial link, it being the lower-cost route.

The VPN tunnel will be torn down after the timeout period. I suggest you set the timeout to a reasonable value like one hour.

If you need help on actual configs, will be glad to help.
 

Author Comment

by:syerkes
ID: 12770665
You are correct in stating the goals.  Primary link is p-to-p, backup is VPN.  A timeout period of an hour is fair; I assume it is to prevent link flap or routing problems.  

I would like to see an actual sample config for both sides.  Once I have that I believe it will be simple for me to reverse engineer it and understand.  I'm surprised one doesn't exist on Cisco.com.

Thanks for your response, fullerms.  I will be watching for the examples.  -Shawn
 

Accepted Solution

by:fullerms
ID: 12772318
Here you go.

! Phase 1 (ISAKMP) policy; xx is the policy priority number
crypto isakmp policy xx
 encr 3des
 hash md5
 authentication pre-share
 lifetime 3600
!
! pre-shared key for the remote peer, and the Phase 2 transform set
crypto isakmp key (preshared secret key) address (remote peer)
crypto ipsec transform-set (somename) esp-3des esp-md5-hmac
!
! a crypto map entry needs a sequence number (10 here)
crypto map somemapname 10 ipsec-isakmp
 description "ffff"
 set security-association lifetime seconds 3600
 set peer (remote peer)
 set transform-set (somename)
 match address 190
!
! interesting traffic: local LAN to remote LAN
access-list 190 permit ip x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.255

(The access list has to be a mirror image of the one on the other side; please note that you need to use inverse masks.)

In addition, you need to apply the crypto map to an interface:

interface something
 crypto map somemapname

You also need to add routes to the primary link and floating routes to the VPN link

Let me know if you need more information

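The two complete running configurations the question asks for, as an added editor's example (this is not part of the thread and not fullerms's config): it fills in the routing half that the accepted answer only describes in words, and it fixes two points a practitioner would trip over. First, what decides between the serial path and the VPN path is administrative distance, not metric: OSPF routes have AD 110, so the floating static must carry an AD above that (250 here) or it would win over OSPF. Second, a crypto map entry needs a sequence number. Assumptions, since the question does not state them: Site 2's LAN is 10.10.2.0/24 (the question lists 10.10.6.14 for both FA0/0 and S0/0, which cannot both be right), the ISP addresses A.B.C.D and E.F.G.H are stood in for by the documentation ranges 192.0.2.2/24 and 198.51.100.2/24 with ISP gateways .1, the interface, ACL and map names are arbitrary, and the pre-shared key is a placeholder. 3DES/MD5/group 2 match the IOS 12.3 "IPSEC 3DES" image named in the question; on a current image you would use AES-256, SHA-2 and DH group 14 or better.

```cisco
! ===== Site 1 (3640): LAN 10.10.1.0/24, ISP 192.0.2.2 (stands in for A.B.C.D) =====
! Phase 1. Algorithms follow the 12.3 "IPSEC 3DES" image in the question.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key ExamplePSK-ChangeMe address 198.51.100.2
! Dead peer detection: tear the SA down when the peer stops answering.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set BACKUP-TS esp-3des esp-md5-hmac
!
! Crypto map entries need a sequence number (missing in the accepted answer).
crypto map BACKUP-MAP 10 ipsec-isakmp
 description Backup tunnel to Site 2 via ISP
 set peer 198.51.100.2
 set transform-set BACKUP-TS
 set security-association lifetime seconds 3600
 match address 190
!
! Interesting traffic; Site 2's ACL 190 is the exact mirror.
access-list 190 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
! Inbound filter on the ISP interface: only IKE and ESP from the peer, plus the
! decrypted LAN-to-LAN traffic, which older 12.3 images re-check against this ACL.
access-list 101 permit udp host 198.51.100.2 host 192.0.2.2 eq isakmp
access-list 101 permit esp host 198.51.100.2 host 192.0.2.2
access-list 101 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 101 deny ip any any log
!
interface Ethernet0/0
 ip address 10.10.1.5 255.255.255.0
interface Ethernet1/0
 ip address 192.0.2.2 255.255.255.0
 ip access-group 101 in
 crypto map BACKUP-MAP
interface Serial0/1
 description Primary point-to-point to Site 2
 ip address 10.10.6.13 255.255.255.248
!
! Primary path: OSPF (AD 110) across the serial link, as today.
router ospf 1
 network 10.10.1.0 0.0.0.255 area 0
 network 10.10.6.8 0.0.0.7 area 0
!
! Backup path: floating static with AD 250 (> OSPF's 110). It enters the
! routing table only after the OSPF route to Site 2's LAN is withdrawn.
ip route 10.10.2.0 255.255.255.0 192.0.2.1 250
! The peer address itself must always be reachable so IKE can come up;
! a host route via the ISP gateway (assumed 192.0.2.1) is enough.
ip route 198.51.100.2 255.255.255.255 192.0.2.1
!
! ===== Site 2 (2611): LAN 10.10.2.0/24 (assumed), ISP 198.51.100.2 (stands in for E.F.G.H) =====
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key ExamplePSK-ChangeMe address 192.0.2.2
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set BACKUP-TS esp-3des esp-md5-hmac
!
crypto map BACKUP-MAP 10 ipsec-isakmp
 description Backup tunnel to Site 1 via ISP
 set peer 192.0.2.2
 set transform-set BACKUP-TS
 set security-association lifetime seconds 3600
 match address 190
!
access-list 190 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 101 permit udp host 192.0.2.2 host 198.51.100.2 eq isakmp
access-list 101 permit esp host 192.0.2.2 host 198.51.100.2
access-list 101 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 ip address 10.10.2.1 255.255.255.0
interface FastEthernet0/1
 ip address 198.51.100.2 255.255.255.0
 ip access-group 101 in
 crypto map BACKUP-MAP
interface Serial0/0
 description Primary point-to-point to Site 1
 ip address 10.10.6.14 255.255.255.248
!
router ospf 1
 network 10.10.2.0 0.0.0.255 area 0
 network 10.10.6.8 0.0.0.7 area 0
!
ip route 10.10.1.0 255.255.255.0 198.51.100.1 250
ip route 192.0.2.2 255.255.255.255 198.51.100.1
```

How it behaves: while the serial link is up, `show ip route 10.10.2.0` on Site 1 shows the OSPF route and nothing matches ACL 190 on the E1 path, so no SA exists. When the serial interface drops, the OSPF route is withdrawn, the AD-250 static takes its place, the first LAN-to-LAN packet hits the crypto map on Ethernet1/0 and IKE negotiates the tunnel (`show crypto isakmp sa`, `show crypto ipsec sa`). When the serial returns, OSPF reconverges, the static leaves the table, and the idle SA expires at its lifetime or is cleared by DPD. One failure mode to check: if the serial stays up/up while the far end stops forwarding, it is OSPF's dead interval (40 s by default) that triggers the switch; `ip ospf hello-interval` / `ip ospf dead-interval` on the serial interfaces shorten that window.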
 

Expert Comment

by:fullerms
ID: 15575956
Can we close this question?
