multple ipsec tunnels on PIX 515

peter.williams · ‎04-04-2007

We have a PIX 515 with 5 interfaces in it, I have 2 different ISPs connect to 2 different interfaces on the PIX. I want to create 2 different ipsec tunnels from our office on Toronto. Toronto have 2 different ISPs int there router. How can I create 2 different ipsec tunnels on to different interfaces on a PIX 515?

Jon Marshall · ‎04-06-2007

Hi

I haven't done this exact configuration but as the crypto map is applied to the interface then i can't see why you cannot create 2 separate crypto maps and apply to the different interfaces.

HTH

Jon

peter.williams · ‎04-09-2007

Can I create 2 VPN tunnels coming from the same network on 2 different ISPs?

Amit Singh2000 · ‎04-09-2007

hi,

yes u can . as far as the other end is trying to connect to two different ip's on the pix. which r assigned from ISP's.

regards

Jon Marshall · ‎04-09-2007

Hi

Well as previous poster said yes you can create 2 VPN tunnels as the peer endpoints will be different. But if the remote and local subnets are the same how will the Toronto office know which VPN tunnel to use. It will probably use the first oen configured in your crypto map and the second one will be left unused.

If your remote and local networks are different for each VPN tunnel there wouldn't be an issue.

Are you trying to achieve redundancy or load balancing. If you are trying to achieve redundancy you could just set both ISP addresses on the pix under your router config

set peer "ISP1 address of pix"

set peer "ISP2 address of pix"

HTH

Jon

peter.williams · ‎04-10-2007

Hi,

I have it configured like this - is this wrong for redundancy?

crypto map BACKUP_VPN_TUNNEL 20 ipsec-isakmp

set peer "ISP2 address of pix"

set transform-set MONTREAL_BACKUP

match address MONTREAL_BACKUP_TUNNEL

!

crypto map PRIMARY_VPN_TUNNEL 10 ipsec-isakmp

set peer "ISP1 address of pix"

set transform-set MONTREAL_PRIMARY

match address MONTREAL_PRIMARY_TUNNEL

Pete