VPN hub redundancy and load sharing topologies example

crypto isakmp policy 1
!
! IKE phase-1 proposal; both hub peers below bind to it via "isakmp-policy 1".
! Authentication is pre-shared key (keys are set per peer, not here).
! No lifetime is configured in this listing, so the platform default applies.
! NOTE(review): "hash sha" (SHA-1) and "group 2" (1024-bit MODP) are below
! current guidance for IKE. Prefer the strongest hash and DH group this
! platform offers; the exact keywords available are not shown on this page.
!
    encryption aes
    hash sha
    group 2
    authentication pre-share
    exit
!
! Two IKE peers: the primary and the backup hub. Each gets its own PSK
! (<key1> / <key2>) so compromise of one hub does not expose the other tunnel.
! Use long, random, per-peer keys; they live in this config, so treat config
! backups and exports as secrets (whether the platform masks them is not shown).
!
crypto isakmp peer address <Primary Main Office Internet public Static IP Address>
   pre-shared-key  <key1>
   isakmp-policy 1
   exit
crypto isakmp peer address <Backup Main Office Internet public Static IP Address>
   pre-shared-key  <key2>
   isakmp-policy 1
   exit
!
! Phase-2 (ESP) proposal shared by both crypto maps.
! NOTE(review): 3DES for ESP is weaker than the AES negotiated for IKE above
! and is deprecated for new deployments; use an AES ESP transform if this
! platform provides one (its keyword is not shown on this page).
!
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
   exit
!
! Crypto map for the primary hub: peer address + transform-set only.
! No PFS setting is visible here, so phase-2 keys are derived from the
! phase-1 exchange unless the platform enables PFS by default.
!
crypto map 1
    set peer <Primary Main Office Internet public Static IP Address>
    set transform-set ts1
    exit
!
! Crypto map for the backup hub; same transform-set, different peer.
! No PFS setting is visible here either.
!
crypto map 2
    set peer <Backup Main Office Internet public Static IP Address>
    set transform-set ts1
    exit
!
! Traffic selectors: only the two GRE endpoint pairs (branch -> primary hub,
! branch -> backup hub) are protected, each by its own crypto map. Any other
! traffic leaving the interface this list is bound to is NOT encrypted; the
! interface ACLs (301/302) are what limit that.
!
ip crypto-list 901
    local-address <Branch Office Internet public Static IP Address>
ip-rule 1
         source-ip host <Branch GRE Tunnel end point IP Address> 
         destination-ip host <Primary Main Office GRE Tunnel end point IP 
         Address>
protect crypto map 1
         exit
ip-rule 2
         source-ip host <Branch GRE Tunnel end point IP Address> 
         destination-ip host <Backup Main Office GRE Tunnel end point 
         IP Address>
protect crypto map 2
         exit
      exit
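ip access-control-list 301 
!
! Inbound filter for the Internet-facing interface (bound "in" on
! fastethernet 10/3). Allowed: IKE / NAT-T / NAT-T-vsu (UDP), ESP, ICMP to
! the branch's own public address, and the GRE flows from the two hub tunnel
! endpoints. Everything else falls through to the default deny.
!
! Fix: the original rule 60 was "source-ip any / destination-ip any / Permit",
! which matched all remaining inbound traffic and made rule 70 and the default
! deny unreachable. It now mirrors ACL 302 rule 60 for the primary-hub GRE flow.
! If branch hosts ever need direct (non-tunnel) Internet return traffic, add an
! explicit rule for it rather than restoring the any/any permit.
!
! NOTE(review): rules 30-32 accept IKE from any source. If the platform
! allows it, restricting source-ip to the two hub public addresses shrinks
! the IKE attack surface.
!
      ip-rule 30 
               source-ip any
               destination-ip any
               ip-protocol udp 
               udp destination-port eq Ike 
               composite-operation  Permit
               exit
      ip-rule 31
               source-ip any
               destination-ip any 
               ip-protocol     udp
               udp destination-port eq Ike-nat-t
               composite-operation permit
               exit
      ip-rule 32
               source-ip any
               destination-ip any 
               ip-protocol     udp
               udp destination-port eq Ike-nat-t-vsu
               composite-operation permit
               exit
      ip-rule 40 
               source-ip any
               destination-ip any
               ip-protocol esp 
               composite-operation  Permit
               exit
      ip-rule 50 
               source-ip any 
               destination-ip host <Branch Office Public Internet Static IP Address>
               ip-protocol icmp 
               composite-operation  Permit
               exit
      ip-rule 60 
               source-ip host <Primary Main Office GRE Tunnel end point IP Address>
               destination-ip host <Branch GRE Tunnel end point IP Address>
               composite-operation  Permit
               exit
      ip-rule 70 
               source-ip host <Backup Main Office GRE Tunnel end point IP Address>
               destination-ip host <Branch GRE Tunnel end point IP Address>
               composite-operation  Permit
               exit
      ip-rule default
               composite-operation  deny
               exit
      exit  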
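ip access-control-list 302 
!
! Outbound filter for the Internet-facing interface (bound "out" on
! fastethernet 10/3). Allowed: IKE / NAT-T / NAT-T-vsu (UDP), ESP, ICMP,
! and the GRE flows from the branch tunnel endpoint to the two hub endpoints.
! Everything else falls through to the default deny, so branch traffic only
! reaches the Internet inside the GRE/IPsec tunnels.
!
! Fix: the original rule 50 (ICMP any/any) had no composite-operation line,
! leaving the rule without an action. It now permits, matching ACL 301 rule 50.
!
      ip-rule 30 
               source-ip any
               destination-ip any
               ip-protocol udp 
               udp destination-port eq Ike 
               composite-operation  Permit
               exit
      ip-rule 31
               source-ip any
               destination-ip any 
               ip-protocol     udp
               udp destination-port eq Ike-nat-t
               composite-operation permit
               exit
      ip-rule 32
               source-ip any
               destination-ip any 
               ip-protocol     udp
               udp destination-port eq Ike-nat-t-vsu
               composite-operation permit
               exit
      ip-rule 40 
               source-ip any
               destination-ip any
               ip-protocol esp 
               composite-operation Permit
               exit
      ip-rule 50 
               source-ip any
               destination-ip any
               ip-protocol icmp
               composite-operation  Permit
               exit
      ip-rule 60 
               source-ip host <Branch GRE Tunnel end point IP Address> 
               destination-ip host <Primary Main Office GRE Tunnel end point IP Address>
               composite-operation  Permit
               exit
      ip-rule 70 
               source-ip host <Branch GRE Tunnel end point IP Address> 
               destination-ip host <Backup Main Office GRE Tunnel end point IP Address>
               composite-operation  Permit
               exit
      ip-rule default
               composite-operation  deny
               exit
      exit  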
!
! Branch voice VLAN. "icc-vlan" and "pmi" are platform-specific flags kept
! from the original; their exact semantics are not shown on this page.
!
interface vlan 1
   description VoIP_VLAN
    ip address <branch voice subnet IP address> <branch voice subnet mask> 
    icc-vlan
    pmi
    exit
!
! Branch data VLAN (plain routed interface, no special flags).
!
interface vlan 2
   description DATA_VLAN
    ip address <branch data subnet IP address> <branch data subnet mask> 
    exit
!
! Internet-facing WAN interface (PPPoE, shaped to 256 kbit/s). This is the
! security boundary of the branch: crypto-group 901 selects which flows are
! encrypted, ACL 301 filters inbound and ACL 302 filters outbound traffic.
!
interface fastethernet 10/3
     encapsulation pppoe
traffic-shape rate 256000
     ip address <Branch Office Internet public Static IP Address> <Branch 
     Office Internet public net mask>
ip crypto-group 901
     ip access-group      301 in
     ip access-group      302 out
     exit
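!
! GRE tunnel to the primary hub. Keepalives (10 s, 3 misses) detect a dead
! hub so the backup tunnel can take over. The GRE traffic itself is
! encrypted by crypto-list 901 rule 1 on fastethernet 10/3.
!
! Fix: the tunnel destination placeholder read "<Primary MainPrimary Main
! Office ...>" in the original (duplicated text); it is now the same
! placeholder used elsewhere on this page.
!
interface Tunnel 1
!
! The following two backup commands specify redundant mode.
! To specify load-sharing mode, omit them. 
!
    backup interface tunnel 2 
    backup delay 20 15 
    keepalive 10 3
    tunnel source  <Branch GRE Tunnel end point IP Address>
    tunnel destination <Primary Main Office GRE Tunnel end point IP Address>
    ip address 10.10.10.1 255.255.255.252
    exit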
!
! GRE tunnel to the backup hub; standby for Tunnel 1 in redundant mode, or
! an equal path in load-sharing mode. Encrypted by crypto-list 901 rule 2.
!
interface Tunnel 2
   keepalive 10 3
  tunnel source  <Branch GRE Tunnel end point IP Address> 
   tunnel destination <Backup Main Office GRE Tunnel end point IP Address>
   ip address 20.20.20.1 255.255.255.252
   exit
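!
! Host routes for both hub GRE endpoints, pinned to the WAN interface with
! "high" preference. Presumed intent: keep the tunnel endpoints reachable via
! the WAN link rather than via a route learned over OSPF through the tunnel
! itself (recursive routing) — confirm against the platform docs.
!
! Fix: "Offfice" typo corrected in both placeholders so they match the
! placeholder names used elsewhere on this page.
!
ip route <Primary Main Office GRE Tunnel end point IP Address> 255.255.255.255 FastEthernet 10/3 high
ip route <Backup Main Office GRE Tunnel end point IP Address> 255.255.255.255 FastEthernet 10/3 high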
!
! OSPF over both tunnel /30s in area 0 so the hubs learn branch routes and
! failover / load sharing happens at the routing level.
! NOTE(review): no OSPF authentication is visible. The adjacency rides inside
! the IPsec-protected GRE tunnels, but if this platform supports OSPF
! authentication, enabling it adds a second check against route injection.
!
router ospf
   network 10.10.10.0 0.0.0.3 area 0.0.0.0
   network 20.20.20.0 0.0.0.3 area 0.0.0.0
   exit