VPN failover for cisco 800 and 1800 series routers?

Answered Question
Nov 4th, 2007

Hi, I'm just wondering if this is possible or what other choices I have.

I have many 800 and 1800 series routers in small offices that are in VPN mode that connect to a Cisco concentrator.

We have a Cisco Pix firewall (soon to upgrade to an ASA 5520, hopefully) and I was wondering, if the Cisco Concentrator failed, could I configure the routers to point to our Cisco Pix if I configured the Pix with site-to-site VPNs?

Thanks

Richard Burts Sun, 11/04/2007 - 03:42

Andy

It should be possible to have the remote sites configure their VPN to specify 2 peers, first the concentrator and then the ASA. In this configuration the remote would attempt to establish a VPN session with the concentrator and if that failed it would establish a VPN session with the ASA.

HTH

Rick

whiteford Sun, 11/04/2007 - 05:01

Hi Rick, thanks, great! Below I have part of a config, is this the peer part? Also, do I just add the 2nd peer after it for it to go in order of which peer to use first?

Just need an example to picture what you are saying :)

!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mypassword address 1.2.3.4
!
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set My_T_Set
 match address 101
!
ip cef
!
!

royalblues Sun, 11/04/2007 - 07:54

You can configure the IPSEC preferred peer as the concentrator and the pix as the backup peer along with DPD (dead peer detection).

Have a look at these links

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gt_ipspp.htm

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00806c2875.html

But in all these cases the VPN to the pix will come up when the primary fails, but the tunnel would not establish back to the Concentrator once it comes up. You need to manually clear the crypto SA to achieve this.

HTH

Narayan

Richard Burts Sun, 11/04/2007 - 08:01

Andy

Yes. The peer is referenced in 2 places (and you got both of them): the peer is referenced in defining the preshared key and the peer is referenced in the crypto map set peer statement. Just add the address of the ASA and it should be fine.

HTH

Rick

whiteford Sun, 11/04/2007 - 08:35

Thanks, would it be something like this?

!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mypassword address 1.2.3.4 1.2.3.5
!
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4 1.2.3.5
 set transform-set My_T_Set
 match address 101
!
ip cef
!
!

Correct Answer
Richard Burts Sun, 11/04/2007 - 20:14

Andy

More like this:

crypto isakmp key mypassword address 1.2.3.4
crypto isakmp key mypassword address 1.2.3.5
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set peer 1.2.3.5

HTH

Rick
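The corrected two-peer configuration from Rick's answer assembled into one working fragment, with the DPD keepalive Narayan refers to. This is an added example, not a config posted in the thread; the access-list contents, the LAN/remote subnets and the WAN interface name are assumptions.

```cisco
! Phase 1 policy exactly as posted in the thread.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! One pre-shared key entry per peer address. Each entry is only used for the
! peer it names, so the concentrator and the PIX/ASA may also be given
! different keys if you prefer not to share one across both gateways.
crypto isakmp key mypassword address 1.2.3.4
crypto isakmp key mypassword address 1.2.3.5
!
! Dead Peer Detection: send an IKE keepalive every 10 s, retry every 3 s once
! a reply is missed. Without this the router only notices a dead concentrator
! when the IKE/IPsec SAs expire, so failover to the second peer is delayed.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
! Peers are tried in the order they are listed: concentrator first, PIX/ASA
! second. Each "set peer" is a separate line, not two addresses on one line.
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set peer 1.2.3.5
 set transform-set My_T_Set
 match address 101
!
! Interesting traffic (assumed subnets). The same proxy identities must be
! configured on BOTH the concentrator and the PIX/ASA, otherwise the backup
! peer rejects the phase 2 proposal and the failover never completes.
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! The crypto map only takes effect once bound to the WAN interface
! (FastEthernet4 is the WAN port on an 87x; assumed here).
interface FastEthernet4
 crypto map My_Crypto_Map
!
! Checks after pulling the concentrator: the active peer shows up in the
! ISAKMP SA table, and "show crypto session" shows which peer the map is
! currently bound to.
!   show crypto isakmp sa
!   show crypto session
! Per Narayan's caveat: once the tunnel is up to 1.2.3.5 it stays there;
! clearing the SAs forces a fresh attempt starting again at 1.2.3.4.
!   clear crypto sa
```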
