Setting up multiple IPSEC VPN peers on Cisco IOS & IOS XE

When an IPsec VPN tunnel terminates on a Cisco router, a single remote peer address is a single point of failure: by default the crypto map carries one peer IP, and if that peer goes down for any reason the tunnel fails and stays down until the peer returns. To mitigate that risk, Cisco IOS and IOS XE crypto maps offer the "default peer" feature (documented as IPsec Preferred Peer). It lets you list several redundant peers in one crypto map entry instead of a single peer.

The peer marked "default" is always preferred. If the default peer becomes unreachable, the router negotiates the tunnel with the next peer in the list. Peer reachability is determined by Dead Peer Detection (DPD), so DPD keepalives must be enabled on the router, otherwise a dead peer is never noticed and no failover happens. With that in mind, the configuration:

(NOTE: always verify that these commands are supported by the IOS or IOS XE release running on your router before relying on them.)

Configuring a Default Peer and an Alternative Peer

enable
configure terminal
crypto map map-name seq-num ipsec-isakmp profile profile-name
set peer ip-address default
set peer ip-address
exit

The first "set peer" carries the default keyword and becomes the preferred peer; each further "set peer" without the keyword adds a backup peer, tried in order when the default is unreachable.

With the default peer and at least one alternative peer defined, the last step is the fallback timer. Note that failover to the backup peer is driven by DPD, not by this timer. What the security-association idle timer does, when it carries the default keyword, is bring the tunnel back to the default peer: once the SA that was built to a backup peer has carried no traffic for the configured number of seconds, it is torn down and the next tunnel is re-initiated to the default peer. Without the default keyword the idle timer only clears idle SAs and the router keeps using whichever peer it is currently on. The value is given in seconds.

set security-association idletime 120 default

So the peer-related part of a well-defined crypto map entry looks like this (the transform set, the match address ACL and the interface binding that every crypto map also needs are omitted here):

crypto map client-map 132 ipsec-isakmp
set peer 1.1.1.1 default
set peer 2.2.2.2
set security-association idletime 120 default
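Putting the pieces together, here is a complete two-peer crypto map with DPD enabled and the show commands you would use to check which peer the tunnel is currently on. This is an added example, not configuration from the original post: the peer addresses, subnets, ACL and transform-set names, interface name and pre-shared key are placeholders chosen for illustration and must be replaced with your own values.

```cisco
! Added example: two-peer crypto map with default peer, DPD and idle-timer fallback.
! All addresses, names and the pre-shared key below are placeholders.
!
! IKEv1 policy and a pre-shared key for each remote peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Replace-Me-Peer1 address 1.1.1.1
crypto isakmp key Replace-Me-Peer2 address 2.2.2.2
!
! Dead Peer Detection: send a keepalive every 10 s, retry every 3 s once a
! reply is missed, in periodic mode. Without DPD the router never learns
! that the default peer is dead and never fails over to the backup.
crypto isakmp keepalive 10 3 periodic
!
! IPsec transform set referenced by the crypto map
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: local LAN to remote LAN (placeholder subnets)
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Crypto map entry: 1.1.1.1 is the default (preferred) peer, 2.2.2.2 the
! backup. Because the idle timer carries "default", a tunnel that is running
! on 2.2.2.2 is torn down after 120 s without traffic and the next tunnel is
! re-initiated to 1.1.1.1. Expect a short traffic interruption at that moment.
crypto map client-map 132 ipsec-isakmp
 set peer 1.1.1.1 default
 set peer 2.2.2.2
 set transform-set TS
 set security-association idletime 120 default
 match address VPN-TRAFFIC
!
! Bind the crypto map to the outside interface
interface GigabitEthernet0/0
 crypto map client-map
!
! Verification after the tunnel comes up:
!   show crypto map            -> the configured peers and which one is the default
!   show crypto isakmp sa      -> the peer address the IKE SA is currently up with
!   show crypto session detail -> tunnel state per peer
!   show crypto ipsec sa       -> IPsec SAs, packet counters and the current peer
```

To test failover, block IKE (UDP/500) and ESP from 1.1.1.1 on the path or shut its interface, wait for the DPD retries to expire, and confirm with "show crypto isakmp sa" that the SA is now with 2.2.2.2. Restore 1.1.1.1, let the backup SA sit idle for longer than 120 seconds, then send interesting traffic and confirm the new SA is built to 1.1.1.1 again. Use a distinct pre-shared key per peer, as above, so that compromise of one peer does not hand an attacker the other peer's credential.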

Author: Chathura Ariyadasa

A highly talented IT professional with extensive experience and capabilities in performing a variety of IT Security, Computer Networking and IT Help Desk duties and responsibilities in the IT Department.