In high-availability environments, a resilient IPSec VPN configuration is crucial to avoid downtime. Cisco IOS routers support IPSec failover with a combination of HSRP (Hot Standby Router Protocol), crypto maps bound to the HSRP virtual address with stateful redundancy, and interface tracking. If the primary VPN router fails, the secondary takes over the virtual IP and, because the IKE and IPsec security associations are replicated to it, the remote peer keeps sending encrypted traffic without renegotiating the tunnel.

Let’s walk through how to configure IPSec failover across two redundant VPN routers and a peer router on the other side of the tunnel.

On the First IPSec Router

1. Configure HSRP for Redundancy

The first router runs an HSRP group on each of its two interfaces: g1 faces the remote peer (outside) and g2 faces the protected network (inside). Each group's virtual IP is shared with the secondary router. No priority is set here, so the first router uses the HSRP default of 100, which is why it wins over the secondary's priority of 90 configured below. The physical interface addresses are omitted from these listings.

interface g1
standby 1 ip 10.1.125.254
standby 1 preempt
standby 1 name VPN-HA
standby 1 track 1 decrement 20
interface g2
standby 2 ip 10.1.234.254
standby 2 preempt
standby 2 track 2 decrement 20

2. Track Interface Health

Tracking lets HSRP react to an interface failure. The tracking is deliberately crossed: the group on g1 tracks g2 and the group on g2 tracks g1, so that losing either interface lowers the priority of both groups and the inside and outside virtual IPs move to the secondary together. (A tunnel whose outside side is active on one router and whose inside side is active on the other would black-hole traffic.) A tracked failure lowers the group priority by the decrement, which defaults to 10. Because the primary runs at the default 100 and the secondary at 90, a decrement of 10 only produces a tie (broken by the highest interface IP address), so the decrement must be larger than the priority gap between the two routers. Note that the interface name is a single word in IOS:

track 1 interface GigabitEthernet2 line-protocol
track 2 interface GigabitEthernet1 line-protocol

3. Configure ISAKMP and IPSec

Define the IKEv1 (ISAKMP) policy and the pre-shared key for the peer at 10.1.125.1. The policy below is kept as the original lab shows it, but DES, SHA-1 and Diffie-Hellman group 2 are weak and deprecated in current IOS releases; in production use AES, SHA-2 and group 14 or higher, and replace the placeholder key cisco123 with a long random secret (or certificates). Whatever you choose, the policy and key must be identical on the secondary router and compatible with the peer:

crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
crypto isakmp key cisco123 address 10.1.125.1

Create an access list defining the interesting traffic: the local network 4.4.4.0/24 behind the HA pair to the remote network 1.1.1.0/24 behind the peer (the peer's access list mirrors this):

access-list 120 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255

Define the transform set and the crypto map. The map needs the peer address as well as the transform set and the access list; IOS leaves a static crypto map disabled until both a peer and a valid access list are configured. reverse-route (RRI) installs a static route to the remote network on whichever router holds the active SA, so it can be redistributed to the inside routers:

crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
set peer 10.1.125.1
set transform-set tset
match address 120
reverse-route

Apply it to the outside interface. The redundancy keyword names the HSRP group whose virtual IP (10.1.125.254) becomes the local IKE/IPsec endpoint, and stateful enables replication of the IKE and IPsec SAs to the standby router. Stateful replication also depends on the router's inter-device redundancy (SSO) configuration, which this walkthrough does not show; without it no state is replicated and the peer has to renegotiate after a switchover:

interface g1
crypto map CMAP redundancy VPN-HA stateful
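As an added, end-to-end example (not the original page's listing), here is the first router's configuration assembled in one place, with two things the walkthrough above leaves implicit: the inter-device redundancy and IPC configuration that the stateful keyword depends on, and AES-256, SHA-256 and DH group 14 in place of DES, 3DES, SHA-1 and group 2. Assumed, because the page does not state them: the platform supports IOS stateful IPsec failover (the redundancy inter-device command), the first router's physical addresses are 10.1.125.2 (g1) and 10.1.234.2 (g2), the second router's inside address is 10.1.234.3 and is used as the IPC link, the second router carries the same crypto configuration with HSRP priority 90, and the peer at 10.1.125.1 uses the same policy with 10.1.125.254 as its peer address.

```cisco
! ---- Interface tracking, crossed so both HSRP groups fail over together
track 1 interface GigabitEthernet2 line-protocol
track 2 interface GigabitEthernet1 line-protocol
!
! ---- Inter-device redundancy (SSO): the piece the "stateful" keyword relies on.
! Ties state replication to HSRP group VPN-HA and opens an SCTP transport
! to the second router (addresses are assumed for this example).
redundancy inter-device
 scheme standby VPN-HA
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.1.234.2
   remote-port 5000
    remote-ip 10.1.234.3
!
! ---- IKEv1 / IPsec with current algorithms instead of DES/3DES/SHA-1/group 2.
! cisco123 is the page's placeholder key; use a long random secret in production.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 10.1.125.1
!
! Interesting traffic: local 4.4.4.0/24 to remote 1.1.1.0/24
access-list 120 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
!
crypto ipsec transform-set tset esp-aes 256 esp-sha256-hmac
!
! A static crypto map stays disabled until it has both a peer and an access list.
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.125.1
 set transform-set tset
 match address 120
 reverse-route
!
! ---- HSRP: explicit priority 110 and decrement 20 keep failover deterministic
! (the second router runs at 90, so a tracked failure must drop this router below 90).
interface GigabitEthernet1
 description outside, toward peer 10.1.125.1 (assumed address)
 ip address 10.1.125.2 255.255.255.0
 standby 1 ip 10.1.125.254
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 standby 1 track 1 decrement 20
 crypto map CMAP redundancy VPN-HA stateful
!
interface GigabitEthernet2
 description inside; also carries the IPC link to the second router
 ip address 10.1.234.2 255.255.255.0
 standby 2 ip 10.1.234.254
 standby 2 priority 110
 standby 2 preempt
 standby 2 track 2 decrement 20
```

The redundancy and ipc sections come before the crypto map is applied so that the stateful keyword is accepted when the configuration is pasted in order. The second router takes the same listing with its own addresses, the local-ip/remote-ip pair swapped, and priority 90 on both HSRP groups.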

On the Second VPN Router

The second router mirrors the HSRP configuration but with priority 90 (below the first router's default of 100), so it is the standby for both groups and the first router preempts it when it recovers:

interface g1
standby 1 ip 10.1.125.254
standby 1 preempt
standby 1 name VPN-HA
standby 1 priority 90
standby 1 track 1
interface g2
standby 2 ip 10.1.234.254
standby 2 preempt
standby 2 priority 90
standby 2 track 2

Interface tracking is identical, crossed in the same way and with one-word interface names:

track 1 interface GigabitEthernet2 line-protocol
track 2 interface GigabitEthernet1 line-protocol

The crypto configuration must match the first router exactly: the same ISAKMP policy, the same pre-shared key for the same peer address, the same transform set, the same access list and the same crypto map name and sequence number. The replicated SAs are only usable on the standby if it could have negotiated them itself. The algorithm caveat from the first router applies here as well:

crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
crypto isakmp key cisco123 address 10.1.125.1

Followed by:

access-list 120 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
set peer 10.1.125.1
set transform-set tset
match address 120
reverse-route
interface g1
crypto map CMAP redundancy VPN-HA stateful

On the Peer Router (Remote Site)

The peer router treats the HSRP virtual IP (10.1.125.254) as its remote peer for both the pre-shared key and the crypto map, so it never needs to know which physical router is active. Its own address, 10.1.125.1, is the one the HA routers' key statement refers to. The crypto map must also reference the interesting-traffic access list (mirrored relative to the HA side), otherwise IOS leaves the map disabled:

crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
crypto isakmp key cisco123 address 10.1.125.254
crypto ipsec transform-set tset esp-3des esp-sha-hmac
access-list 120 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
set transform-set tset
set peer 10.1.125.254
match address 120
interface g1
crypto map CMAP
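The verification and failover drill a practitioner would run once all three routers are configured, as an added example that is not part of the original walkthrough. It assumes the IOS stateful IPsec failover feature with its inter-device redundancy configured on the HA pair, and the addresses used above; the comments state what a healthy result is expected to look like.

```cisco
! ---- On the first router: it should be Active for both HSRP groups and see the
! second router as Standby. Both groups must show the same router as Active.
show standby brief
show track
!
! Redundancy pairing and crypto state. Expected: the ISAKMP SA lists
! 10.1.125.254 (local) and 10.1.125.1 (remote) in state QM_IDLE.
show redundancy inter-device
show redundancy states
show crypto isakmp sa
show crypto ipsec sa peer 10.1.125.1
show crypto session
!
! ---- On the second router: it should be Standby for both groups and already
! list the replicated SAs, even though no traffic flows through it yet.
show standby brief
show crypto isakmp sa
!
! ---- Failover drill, run on the first router: fail the inside interface and
! confirm that cross-tracking moves BOTH groups to the second router.
configure terminal
 interface GigabitEthernet2
  shutdown
 end
show standby brief
show track
!
! ---- On the peer: the SA toward 10.1.125.254 should be unchanged (same SPIs,
! no new IKE negotiation) and its packet counters should keep increasing.
show crypto ipsec sa peer 10.1.125.254
show crypto isakmp sa
!
! ---- Back on the first router: restore the interface; with preempt configured
! it should reclaim Active for both groups, again without a renegotiation.
configure terminal
 interface GigabitEthernet2
  no shutdown
 end
show standby brief
```

If only one HSRP group moves during the drill, the tracking is not crossed or the decrement does not exceed the priority gap; if the peer shows new SPIs after the switchover, state was not replicated and the stateful configuration (inter-device redundancy, matching crypto configuration on the standby) needs to be checked.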

Summary

By pairing HSRP with stateful crypto map redundancy (and the inter-device redundancy configuration it relies on), Cisco routers can keep a VPN up through a router or interface failure. The IKE and IPsec SAs are replicated to the standby, so when HSRP moves the virtual IP the peer continues to encrypt to the same address with the same SAs and no tunnel re-establishment. What actually moves is the HSRP state, which is why the cross-tracking and the priority and decrement arithmetic must be right. Failover is driven by HSRP events such as an interface going down; a crypto or routing problem that leaves the interfaces up will not trigger it.

This type of setup is especially valuable in data centers, remote branches, or any location where VPN availability is mission-critical.