
Dual IPSEC VPN tunnel on single remote peer

brianbono
Level 1

Is it possible to establish two IPSEC VPN tunnels to a single remote peer?

I currently have two ISP connections and I wanted to make two tunnels for failover, but I'm not sure if there is an issue with the tunnel groups, since I would end up having only one tunnel group for both tunnels.

6 Replies

mattiaseriksson
Level 3

How is your internet redundancy configured? Are you using PIX, ASA, IOS or what?

I'm currently using an ASA that is configured with a static route tracking feature.

Attached is a network topology for reference.

Thanks

If you have PIX/ASA/VPNC on both ends, you can use the backup LAN-to-LAN feature.

The end that will connect to multiple IP addresses should be configured as originate-only with the set connection-type command, and use the crypto map set peer command to order the priority of the peers.

The other end should be configured with the answer-only keyword.

The originate-only end attempts to negotiate with the first peer in the list. If that peer does not respond, the ASA works its way down the list until either a peer responds or there are no more peers in the list.
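The backup LAN-to-LAN arrangement described in the reply above, written out for the case where both ends are ASAs (an added example, not part of the original thread). The addresses are documentation ranges, and the map, ACL and interface names, the subnets and the key placeholder are all assumptions; the commands use the `ikev1` keywords of ASA 8.4 and later, and a matching IKEv1 policy is assumed to exist on both units.

```text
! Constructed example: all addresses, names and subnets are placeholders.
! Site A: single public address 192.0.2.10, originates the tunnel.
! Site B: two ISP links, 198.51.100.1 (primary) and 203.0.113.1 (backup).
! A matching "crypto ikev1 policy" is assumed on both units.

! ---------- Site A ASA (originate-only) ----------
access-list L2L_TO_B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TO_B
! Peers are tried in the order listed: primary first, then backup.
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1 203.0.113.1
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
! One tunnel group per remote address this unit may connect to.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>

! ---------- Site B ASA (answer-only, two ISP interfaces) ----------
access-list L2L_TO_A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 10 match address L2L_TO_A
crypto map VPN_MAP 10 set peer 192.0.2.10
crypto map VPN_MAP 10 set connection-type answer-only
crypto map VPN_MAP 10 set ikev1 transform-set ESP-AES256-SHA
! The same crypto map is bound to both ISP-facing interfaces.
crypto map VPN_MAP interface outside
crypto map VPN_MAP interface backup
crypto ikev1 enable outside
crypto ikev1 enable backup
! Only one tunnel group is needed here: Site A always arrives from the
! same source address, whichever ISP link it reaches.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
```

On releases before 8.4 the same commands are written without the `ikev1` keyword (`crypto isakmp enable`, `set transform-set`, `pre-shared-key`).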

I have a Cisco ASA on my end, but on the remote end is a Multitech firewall.

How do I go about this?

In that case I am not sure. But if the other end permits multiple peer statements you can try to just configure your end as answer-only, or do nothing and see what happens. It mostly depends on how the Multitech handles redundancy; the ASA side only has one address to connect to.

A router on each side would provide much better redundancy by running DMVPN.
