Route VPN connection during DR site failover

Posted on 2013-05-16
Medium Priority
Last Modified: 2013-05-22
Currently we have a few clients that we have a site to site vpn connection with to our data center.  We are in the process of adding a DR site in the event our primary data center fails.  My question is "how can I get the site to site connections to connect to the DR site?"    If we fail to the DR site the IP obviously changes and the connection is not valid.  How does the client recognize that traffic needs to go through a new vpn connection?
Question by:NytroZ
LVL 28

Expert Comment

ID: 39171910
If they're using Cisco IOS-based devices, you can just add a second peer address to the crypto map.  If the first peer is unavailable, the VPN will switch to the second peer.

In our testing, it took about 30 seconds to detect the failure and switch to the new peer.
LVL 10

Accepted Solution

convergint earned 2000 total points
ID: 39171926
Does your DR site have an internet connection or is it only connected to your main data center?  If it does have it's own connection and assuming you have a capable VPN router, just add a secondary gateway to the VPN that points to your DR site.

If it is only connected to your primary site, then you will need to add it's subnet to the VPN network routes.  Again it depends on what VPN routers you are using.  We are using Sonicwalls and they have a lot of capability for additional routes on VPNs and two gateways.

Author Comment

ID: 39172027
So if I understand correctly, the client needs to add the a second entry into the VPN connection for the IP address of the DR site endpoint.  If our primary IP address is unavailable the second IP address(DR site IP) will negotiate the connection?  The DR site has its own connection.
LVL 28

Expert Comment

ID: 39172401
Yes.  The DR will need its own router/VPN device, which will need to be configured to accept the VPN connections.
LVL 20

Expert Comment

ID: 39174700
Depending on how things are setup, you will also need to look at how to handle routing failover. It's one thing to have the VPN end points failover, but it can sometimes be a challenge to get traffic to route to the correct firewall when the firewall is up and running but the internet connection is down. Everything depends on how routing is currently setup.

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Just after setting up Cloud PBX connectivity and migrated Skype users to SFBO, we noticed inbound calls not working but outbound calls would work.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question