Dual IPSEC VPN tunnel on single remote peer

Unanswered Question
Aug 28th, 2007

Is it possible to establish two IPSEC VPN tunnels to a single remote peer?

I currently have two ISP connections and I wanted to make two tunnels for failover, but I'm not sure if there is an issue with the tunnel groups, since I would end up having only one tunnel group for both tunnels.

mattiaseriksson Wed, 08/29/2007 - 05:16

How is your internet redundancy configured? Are you using PIX, ASA, IOS or what?

brianbono Wed, 08/29/2007 - 06:30

I'm currently using an ASA that is configured with the static route tracking feature.

mattiaseriksson Wed, 08/29/2007 - 07:40

If you have PIX/ASA/VPNC on both ends you can use the backup LAN-to-LAN feature.

The end that will connect to multiple IP addresses should be configured as originate-only with the set connection-type command, and use the crypto map set peer command to order the priority of the peers.

The other end should be configured with the answer-only keyword.

The originate-only end attempts to negotiate with the first peer in the list. If that peer does not respond, the ASA works its way down the list until either a peer responds or there are no more peers in the list.
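The backup LAN-to-LAN setup described in this reply, written out as an added ASA configuration example (not posted by mattiaseriksson or taken from Cisco documentation). It shows the originate-only side with two remote peer addresses ordered in a single crypto map entry and one tunnel-group per peer address, which is the part the original question was unsure about. All addresses, the crypto map, access-list and transform-set names, and the pre-shared key are constructed placeholders; in the asker's own topology the roles are reversed (the ASA has two addresses and the remote firewall one), so this fragment illustrates the feature rather than a drop-in config for that case.

```cisco
! Added example, not from the thread. Addresses are constructed placeholders
! from documentation ranges. Assumed local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24.
! Remote peer reachable at 198.51.100.1 (primary) and 203.0.113.1 (backup).

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set L2L-TS esp-aes-256 esp-sha-hmac

! Interesting traffic for the tunnel (same ACL regardless of which peer is up)
access-list L2L-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! One crypto map entry lists both remote addresses in priority order;
! originate-only makes this ASA the initiator and walks the peer list.
crypto map OUTSIDE-MAP 10 match address L2L-ACL
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set L2L-TS
crypto map OUTSIDE-MAP 10 set connection-type originate-only
crypto map OUTSIDE-MAP interface outside

! A tunnel-group is still needed for each peer address, because the ASA
! selects the tunnel-group by the IP address it is negotiating with.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET

! On a remote ASA/PIX, the matching crypto map entry would carry
! "set connection-type answer-only" and this ASA's address as its peer.
```

After applying this, `show crypto isakmp sa` and `show crypto ipsec sa` show which of the two peer addresses the ASA is currently negotiating with; when the primary stops responding, a new attempt lands on the backup address, and the crypto ACL and tunnel-group attributes are what must stay consistent across both peers.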

brianbono Wed, 08/29/2007 - 09:02

I have a Cisco ASA on my end, but on the remote end is a Multitech firewall.

How do I go about this?

mattiaseriksson Wed, 08/29/2007 - 09:43

In that case I am not sure. But if the other end permits multiple peer statements you can try to just configure your end as answer-only, or do nothing and see what happens. It mostly depends on how the Multitech handles redundancy; the ASA side only has one address to connect to.

A router on each side would provide much better redundancy by running DMVPN.