Router to router and pix redundant IPSEC VPN

Discussion in 'Cisco' started by rsurfer, Feb 5, 2006.

  1. rsurfer (Guest)

    I have a home_office with multi-link internet circuits (2). I have a
    remote_office with one internal router and two pix firewalls, with a DSL
    router in front of one and another broadband router in front of the
    other. I currently have an IPSEC tunnel working from the home_office
    to the DSL router and through the pix inside; works fine. I now have a
    redundant connection at the remote_office, a broadband router in front
    of an additional pix. The pix has a routable subnet sent to it and is
    able to be homed to its outside interface. I want to set this up for
    redundancy; I have read that it's possible to have an IPSEC VPN tunnel
    to two peers for redundancy. How?

    The home_office has two peers to choose from (DSL router) or (pix
    behind broadband), both with the same matching ACL, transform-set and
    isakmp policy. Are the two peers set in the same crypto map instance?
    Are they in the same map but different instances? I can't seem to get
    it to work. Anyone got an example? Thanks!
     
    rsurfer, Feb 5, 2006
    #1

  2. rsurfer (Guest)

    Follow-up...
    I got this to work with two peers set in the first crypto map instance
    and then the last crypto map instance had a duplicate of the redundant
    peer, i.e.

    crypto map my_vpn 10 ipsec-isakmp
     ! primary peer (DSL router) listed first, pix behind broadband second
     set peer 1.1.1.2
     set peer 10.10.10.2
     set transform-set my-vpn-ts
     match address 101
    crypto map my_vpn 15 ipsec-isakmp
     set peer 172.16.200.1
     set transform-set my-vpn-ts2
     match address 102
    crypto map my_vpn 20 ipsec-isakmp
     ! duplicate entry for the redundant peer against the same ACL
     set peer 10.10.10.2
     set transform-set my-vpn-ts
     match address 101

    Seems somewhat strange to me, but it did work. Any thoughts?
     
    rsurfer, Feb 6, 2006
    #2
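The following is an added example, not configuration posted in this thread. It is the home_office router side of the setup the thread describes, written out in full so the multi-peer part can be seen in context: both remote peers sit in one crypto map entry, and Dead Peer Detection is enabled so that the router actually moves to the second peer when the first one dies rather than only when initial IKE negotiation fails. Every address, the LAN subnets, the ACL number, the pre-shared keys, the interface name and the crypto parameters are placeholders chosen for illustration; the thread gives only the peer addresses and the map, transform-set and ACL names.

```cisco
! Added example (not from the thread). Home_office IOS router with two
! remote peers for one tunnel. Placeholders: 1.1.1.2 (DSL router),
! 10.10.10.2 (pix behind broadband), LAN subnets, keys, interface.
!
! Phase 1 policy; one pre-shared key per peer (each peer needs its own
! "crypto isakmp key" line even when the key is the same).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_KEY_1 address 1.1.1.2
crypto isakmp key REPLACE_WITH_STRONG_KEY_2 address 10.10.10.2
!
! Dead Peer Detection: send a keepalive every 10 s, retry every 3 s.
! Without DPD an IKE SA to a dead peer is kept until its lifetime ends
! and the second "set peer" is only tried when the first never answers
! the initial negotiation. With it, the dead SA is torn down and the
! next peer in the list is negotiated.
crypto isakmp keepalive 10 3 periodic
!
! Phase 2 transform-set (name taken from the thread).
crypto ipsec transform-set my-vpn-ts esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Interesting traffic: home_office LAN to remote_office LAN.
! Both peers protect the same traffic, so one ACL serves both.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Both peers in the SAME sequence number. IOS tries them in the order
! listed: the DSL router first, the pix behind broadband if the DSL
! router does not respond.
crypto map my_vpn 10 ipsec-isakmp
 set peer 1.1.1.2
 set peer 10.10.10.2
 set transform-set my-vpn-ts
 match address 101
!
! Apply the map to the Internet-facing interface.
interface FastEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 crypto map my_vpn
```

Two things worth knowing when comparing this with the configuration in the second post. First, crypto map entries are evaluated in sequence-number order and the first entry whose ACL matches the packet is used, so a later entry that matches the same ACL (seq 20 above against ACL 101) is never consulted for that traffic; the two `set peer` lines in seq 10 are what provide the redundancy. Second, the crypto map only chooses which peer to negotiate with. When the home_office router fails over to the pix behind the broadband router, return traffic from the remote_office LAN has to leave through that pix too, which is a routing question on the remote side (the internal router's default route or a route for the home_office LAN) that no crypto map setting solves.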
