Tunnel failover using a crypto map with multiple peers

Establish tunnel failover using a crypto map with multiple peers.

Before you begin

Attention: On Cisco ISR, Network Address Translation (NAT) takes place before the crypto map ACLs are processed. Therefore, if NAT is enabled for the client networks that are to go through the VPN, you must configure NAT exemptions so that this traffic is not translated. Without these exemptions, the crypto map ACL is not matched and the IPsec tunnel does not work.

Steps

  1. Configure a crypto map and associate your transform set, IKEv2 profile, access-list, and peer IP address to it. Configure multiple peers in order to achieve tunnel failover.
    crypto map <crypto map Name> ipsec-isakmp
    set peer <primary_destination_address>
    set peer <secondary_destination_address>
    set security-association lifetime seconds 28800
    set transform-set <Transform Set Name>
    set ikev2-profile <IKEv2 Profile Name>
    match address <access list number>
    Example:
    crypto map FONE_map ipsec-isakmp
    set peer 3.141.173.255
    set peer 13.250.218.49
    set security-association lifetime seconds 28800
    set transform-set FONE_set
    set ikev2-profile FONE_profile
    match address 100
  2. Associate the crypto map to the outgoing interface.
    interface <outgoing_interface>
    crypto map <crypto map Name>
    Example:
    interface GigabitEthernet0/0
    crypto map FONE_map
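The following Python script is an added example, not part of this guide and not a Cisco or vendor tool. It audits a running-config excerpt for the two things the procedure above depends on: a crypto map that carries a backup peer, a transform set, an IKEv2 profile and a match ACL, applied to an interface; and the NAT exemption described in the Attention note, by checking whether the first NAT ACL entry that covers each crypto-ACL flow is a deny. The embedded config is constructed for this example: the crypto map values mirror the page's example, while the NAT ACL name (NAT_ACL), the client and remote networks, the interface address and the crypto map sequence number (10, which IOS requires when defining a crypto map entry) are assumptions.

```python
"""Audit a Cisco IOS config excerpt for a failover-ready crypto map and NAT exemption.
Added example with a deliberately small IOS parser (crypto map, interface, ACL, NAT)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample config (not from a real device). Crypto map values follow the
# page's example; NAT_ACL, the 10.1.0.0/16 and 192.168.0.0/24 networks and the
# interface address are assumptions for this example.
SAMPLE_CONFIG = """\
ip access-list extended NAT_ACL
 deny ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
access-list 100 permit ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.0.255
crypto map FONE_map 10 ipsec-isakmp
 set peer 3.141.173.255
 set peer 13.250.218.49
 set security-association lifetime seconds 28800
 set transform-set FONE_set
 set ikev2-profile FONE_profile
 match address 100
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 crypto map FONE_map
"""
# Same config with the NAT exemption and the backup peer removed (both are mistakes).
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    " deny ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.0.255\n", "").replace(
    " set peer 13.250.218.49\n", "")

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a wildcard (hostmask) in the mask position, except that
    # 0.0.0.0 would be read as a /0 netmask, so a zero wildcard is mapped to /32.
    mask = "32" if tokens[1] == "0.0.0.0" else tokens[1]
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_ace(tokens):
    """['permit'|'deny', proto, <src spec>, <dst spec>] -> (action, src_net, dst_net)."""
    src, rest = parse_addr(tokens[2:])
    dst, _ = parse_addr(rest)
    return tokens[0], src, dst

@dataclass
class CryptoMap:
    name: str
    peers: list = field(default_factory=list)
    transform_set: str = ""
    ikev2_profile: str = ""
    match_acl: str = ""
    interfaces: list = field(default_factory=list)

def parse_config(text):
    """Return (crypto maps by name, ACLs by name/number, NAT ACL name or None)."""
    maps, acls, nat_acl, ctx = {}, {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        toks = raw.split()
        if not raw.startswith(" "):                 # global-config line starts a new context
            ctx = None
            if toks[:2] == ["crypto", "map"] and "ipsec-isakmp" in toks:
                ctx = ("map", toks[2])
                maps.setdefault(toks[2], CryptoMap(toks[2]))
            elif toks[0] == "interface":
                ctx = ("iface", toks[1])
            elif toks[:3] == ["ip", "access-list", "extended"]:
                ctx = ("acl", toks[3])
                acls.setdefault(toks[3], [])
            elif toks[0] == "access-list":          # numbered ACL: one ACE per line
                acls.setdefault(toks[1], []).append(parse_ace(toks[2:]))
            elif toks[:5] == ["ip", "nat", "inside", "source", "list"]:
                nat_acl = toks[5]
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "map":
            cm = maps[name]
            if toks[:2] == ["set", "peer"]:
                cm.peers.append(toks[2])
            elif toks[:2] == ["set", "transform-set"]:
                cm.transform_set = toks[2]
            elif toks[:2] == ["set", "ikev2-profile"]:
                cm.ikev2_profile = toks[2]
            elif toks[:2] == ["match", "address"]:
                cm.match_acl = toks[2]
        elif kind == "iface" and toks[:2] == ["crypto", "map"]:
            maps.setdefault(toks[2], CryptoMap(toks[2])).interfaces.append(name)
        elif kind == "acl" and toks[0] in ("permit", "deny"):
            acls[name].append(parse_ace(toks))
    return maps, acls, nat_acl

def nat_translates(nat_aces, src, dst):
    """The first NAT-ACL entry covering the flow decides; no match means no translation."""
    for action, n_src, n_dst in nat_aces:
        if src.subnet_of(n_src) and dst.subnet_of(n_dst):
            return action == "permit"
    return False

def audit(text):
    """Return a list of findings; an empty list means the excerpt passes every check."""
    maps, acls, nat_acl = parse_config(text)
    findings = []
    for cm in maps.values():
        if len(cm.peers) < 2:
            findings.append(f"{cm.name}: {len(cm.peers)} peer(s) configured; failover needs at least two")
        for attr in ("transform_set", "ikev2_profile", "match_acl"):
            if not getattr(cm, attr):
                findings.append(f"{cm.name}: missing {attr.replace('_', ' ')}")
        if not cm.interfaces:
            findings.append(f"{cm.name}: not applied to any interface")
        for action, src, dst in acls.get(cm.match_acl, []):
            if action == "permit" and nat_translates(acls.get(nat_acl, []), src, dst):
                findings.append(f"{cm.name}: {src} -> {dst} is translated before crypto ACL "
                                f"{cm.match_acl} is checked; add a NAT exemption")
    return findings

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, audit(cfg) or ["OK"])
```

Run it against the text of show running-config saved to a file by replacing SAMPLE_CONFIG with the file contents; the parser only understands the statement forms shown above, so named ACLs with port qualifiers or object groups would need the parse_ace routine extended.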