Failover VPN topology using a peer-group example

Last Updated: Nov 06, 2012
! 
! Define the Private Subnet1 (branch LAN 10.0.10.0/24). The icc-vlan and pmi
! settings on this VLAN are platform-specific; their effect is not shown here.
!
interface vlan 1
   description Branch Subnet1
 
   ip address  10.0.10.1 255.255.255.0 
   icc-vlan
   pmi
   exit
! 
! Define the Private Subnet2 (branch LAN 10.0.20.0/24)
!
interface vlan 2
   description Branch Subnet2
 
   ip address  10.0.20.1 255.255.255.0 
   exit
! 
! Define the Public Subnet (WAN-facing interface). The crypto-list and the
! ingress/egress access lists are bound to this same interface at the end of
! the configuration.
!
interface fastethernet 10/3
   ip address 100.0.0.2 255.255.255.0 
   exit
!
! Define the default gateway on the public interface. Everything that is not
! on a connected subnet, presumably including the IKE/ESP packets to the hub
! peers, is forwarded to 100.0.0.1.
!
ip default-gateway 100.0.0.1 
!
! We wish to check 5 hosts in the Corporate intranet behind the current VPN
! remote peer, and if 2 or more hosts don't work then keepalive-track will fail,
! and we will move to the next peer in the peer-group.
!
! Each rtr entry is a single ICMP echo probe, scheduled to start now and run
! forever. Tracks 11-15 expose the five probes as individual objects and track 1
! is a threshold-count list over them. With "up 5 down 3" (usual threshold-count
! semantics) the list goes DOWN when 3 or fewer objects are up, i.e. when 2 or
! more probes fail, and only returns to UP once all 5 are up again, which adds
! hysteresis against flapping between peers.
! NOTE(review): for track 1 to reflect tunnel health, the probe targets must be
! reachable only through the tunnel and the probes must be sourced from an
! address the crypto-list protects; a target reachable in the clear would keep
! the track up while the tunnel is broken — confirm against the platform.
!
rtr 1
   type echo protocol ipIcmpEcho <host1 IP>
   exit
rtr-schedule 1 start-time now life forever
rtr 2
   type echo protocol ipIcmpEcho <host2 IP>
   exit
rtr-schedule 2 start-time now life forever
rtr 3
   type echo protocol ipIcmpEcho <host3 IP>
   exit
rtr-schedule 3 start-time now life forever
rtr 4
   type echo protocol ipIcmpEcho <host4 IP>
   exit
rtr-schedule 4 start-time now life forever
rtr 5
   type echo protocol ipIcmpEcho <host5 IP>
   exit
rtr-schedule 5 start-time now life forever
track 11 rtr 1
  exit
track 12 rtr 2
  exit
track 13 rtr 3
  exit
track 14 rtr 4
  exit
track 15 rtr 5
  exit 
track 1 list threshold count
  threshold count up 5 down 3
  object 11
  object 12
  object 13
  object 14
  object 15
  exit
!
! Define the IKE Entity (phase 1 / ISAKMP policy shared by all three peers):
! AES encryption, SHA hash, DH group 2 (1024-bit MODP), pre-shared-key
! authentication.
! NOTE(review): DH group 2 is below current recommendations for new
! deployments; use a larger group (e.g. IKE group 14, 2048-bit MODP) if the
! platform supports it. Keep the three pre-shared keys distinct, long and
! random — they are stored in this configuration, so any backup or display of
! the configuration that includes them must be handled as a secret.
!
crypto isakmp policy 1
   encryption aes
   hash sha
   group 2
   authentication pre-share
   exit
!
! Define the remote peers (3 main offices). Each peer has its own key but shares
! isakmp-policy 1 and keepalive-track 1 (defined above), so a failing track on
! the active peer triggers the move to the next peer of the peer-group.
!
crypto isakmp peer address <First Main Office VPN address>  
   pre-shared-key <key1>
   isakmp-policy 1
   keepalive-track 1
   exit
crypto isakmp peer address <Second Main Office VPN address> 
   pre-shared-key <key2>
   isakmp-policy 1
   keepalive-track 1
   exit
crypto isakmp peer address <Third Main Office VPN address> 
   pre-shared-key <key3>
   isakmp-policy 1
   keepalive-track 1
   exit
!
! The peer-group lists the peers in failover order (first entry preferred).
!
crypto isakmp peer-group main-hubs
    set peer <First      Main Office VPN address> 
    set peer <Second Main Office VPN address> 
    set peer <Third    Main Office VPN address> 
    exit
!
! Define the IPSEC Entity (phase 2 transform set): ESP with 3DES encryption and
! HMAC-SHA integrity.
! NOTE(review): 3DES is a 64-bit block cipher, deprecated for new deployments,
! and is weaker than the AES chosen for IKE above; prefer an AES-based ESP
! transform if the platform offers one.
!
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
   exit
!
! Define the VPN Tunnel: a single crypto map that references the peer-group
! instead of one peer, so the order of main-hubs is the failover order.
!
crypto map 1
   set peer-group  main-hubs
   set transform-set ts1
   exit
! Define the crypto list for the public interface. Both rules protect all
! traffic from a private subnet to ANY destination with crypto map 1, so every
! packet leaving the branch subnets (Internet-bound traffic included) is sent
! through the tunnel; this example has no local Internet breakout.
!
 ip crypto-list 901
   local-address Fast Ethernet 10/3.0
 
   ip-rule 10
      source-ip      10.0.10.0 0.0.0.255
      destination-ip any
      protect crypto map 1
      exit
   ip-rule 20
      source-ip      10.0.20.0 0.0.0.255
      destination-ip any
      protect crypto map 1
      exit
   exit
!
! Define the Ingress access control list for the public interface.
! Rules 10-12 admit IKE and its NAT-T variants and rule 20 admits ESP so the
! tunnels can be established; rule 30 admits all ICMP (the rtr echo replies
! need this); rules 40/50 admit packets addressed to the two private subnets,
! which is what hub traffic looks like once ESP has been removed; the default
! rule denies everything else.
! NOTE(review): rule 30 and rules 40/50 use source-ip any, so cleartext ICMP
! and cleartext packets for 10.0.10.0/24 or 10.0.20.0/24 are also accepted from
! any source on the public interface. Unless the crypto-list is known to drop
! plaintext that matches one of its protect rules, narrow the source of rules
! 40/50 to the hub-side networks and ICMP to the types the probes need —
! confirm the platform's ordering of crypto-list and access-list processing.
!
ip access-control-list 301
   ip-rule 10
      source-ip            any
      destination-ip       any
      ip-protocol          udp
      udp destination-port eq Ike
      composite-operation  Permit
      exit
   ip-rule 11
      source-ip any
      destination-ip any 
      ip-protocol     udp
      udp destination-port eq Ike-nat-t
      composite-operation permit
      exit
   ip-rule 12
      source-ip any
      destination-ip any 
      ip-protocol     udp
      udp destination-port eq Ike-nat-t-vsu
      composite-operation permit
      exit
   ip-rule 20
      source-ip            any
      destination-ip       any
      ip-protocol          esp
      composite-operation  Permit
      exit
   ip-rule 30
      source-ip            any
      destination-ip       any
      ip-protocol          icmp
      composite-operation  Permit
      exit
   ip-rule 40
      source-ip            any
      destination-ip       10.0.10.0 0.0.0.255
      composite-operation  Permit
      exit
   ip-rule 50
      source-ip            any
      destination-ip       10.0.20.0 0.0.0.255 
      composite-operation  Permit
      exit
   ip-rule default
      composite-operation deny
      exit
    exit
! Define the Egress access control list for the public interface: the mirror of
! list 301. Rules 10-12 and 20 let IKE, NAT-T and ESP out, rule 30 lets ICMP
! out, rules 40/50 permit the two private subnets as SOURCE (presumably matched
! against the branch traffic before the crypto-list encrypts it — confirm
! processing order), and the default rule denies everything else.
!
ip access-control-list 302
   ip-rule 10
      source-ip            any
      destination-ip       any
      ip-protocol          udp
      udp destination-port eq Ike
      composite-operation  Permit
      exit
   ip-rule 11
      source-ip any
      destination-ip any 
      ip-protocol     udp
      udp destination-port eq Ike-nat-t
      composite-operation permit
      exit
   ip-rule 12
      source-ip any
      destination-ip any 
      ip-protocol     udp
      udp destination-port eq Ike-nat-t-vsu
      composite-operation permit
      exit
   ip-rule 20
      source-ip            any
      destination-ip       any
      ip-protocol          esp
      composite-operation  Permit
      exit
   ip-rule 30
      source-ip            any
      destination-ip       any
      ip-protocol          icmp
      composite-operation  Permit
      exit
   ip-rule 40
      source-ip            10.0.10.0 0.0.0.255
      destination-ip       any
      composite-operation  Permit
      exit
   ip-rule 50
      source-ip            10.0.20.0 0.0.0.255 
      destination-ip       any
      composite-operation  Permit
      exit
   ip-rule default
      composite-operation deny
      exit
    exit
!
! Activate the crypto list and the access control list on the public
! interface
!
! Re-enter the public interface stanza defined earlier and bind crypto-list 901
! plus access lists 301 (inbound) and 302 (outbound) to it; until this step the
! lists and the crypto-list above are defined but not applied to any traffic.
!
interface fastethernet 10/3
   ip crypto-group 901
   ip access-group 301 in
   ip access-group 302 out
   exit