VPN failover for cisco 800 and 1800 series routers?

Answered Question
Nov 4th, 2007

Hi, I'm just wondering if this is possible or what other choices I have.


I have many 800 and 1800 series routers in small offices that are in VPN mode that connect to a Cisco concentrator.


We have a Cisco PIX firewall (soon to upgrade to an ASA 5520, hopefully) and I was wondering: if the Cisco Concentrator failed, could I configure the routers to point to our Cisco PIX if I configured the PIX with site-to-site VPNs?


Thanks

Richard Burts Sun, 11/04/2007 - 03:42

Andy


It should be possible to have the remote sites configure their VPN to specify 2 peers, first the concentrator and then the ASA. In this configuration the remote would attempt to establish a VPN session with the concentrator and if that failed it would establish a VPN session with the ASA.


HTH


Rick

whiteford Sun, 11/04/2007 - 05:01

Hi Rick, thanks, great! Below I have part of a config; is this the peer part? Also, do I just add the 2nd peer after it for it to go in order of which peer to use first?


Just need an example to picture what you are saying :)


!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mypassword address 1.2.3.4
!
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set My_T_Set
 match address 101
!
ip cef
!
!

royalblues Sun, 11/04/2007 - 07:54

You can configure the IPsec preferred peer as the concentrator and the PIX as the backup peer, along with DPD (dead peer detection).


Have a look at these links

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gt_ipspp.htm


http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00806c2875.html


But in all these cases the VPN to the PIX will come up when the primary fails, but the tunnel would not establish back to the Concentrator once it comes up. You need to manually clear the crypto SA to achieve this.


HTH

Narayan

Richard Burts Sun, 11/04/2007 - 08:01

Andy


Yes. The peer is referenced in 2 places (and you got both of them): the peer is referenced in defining the preshared key and the peer is referenced in the crypto map set peer statement. Just add the address of the ASA and it should be fine.


HTH


Rick

whiteford Sun, 11/04/2007 - 08:35

Thanks, would it be something like this?


!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mypassword address 1.2.3.4 1.2.3.5
!
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4 1.2.3.5
 set transform-set My_T_Set
 match address 101
!
ip cef
!
!


Correct Answer
Richard Burts Sun, 11/04/2007 - 20:14

Andy


More like this:

crypto isakmp key mypassword address 1.2.3.4
crypto isakmp key mypassword address 1.2.3.5
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set peer 1.2.3.5


HTH


Rick
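
The thread ends with two candidate configs: Andy's draft, which puts both addresses on one line, and Rick's corrected form with one `crypto isakmp key` and one `set peer` line per peer, plus Narayan's point that the router needs DPD to notice a dead primary. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the crypto sections of an IOS running-config and reports the mistakes discussed above (a second address on a key or `set peer` line, a peer with no pre-shared key, a crypto map with only one peer, and no `crypto isakmp keepalive`). The two embedded configs are constructed for the example; the addresses 1.2.3.4 (concentrator) and 1.2.3.5 (PIX/ASA) and the key `mypassword` are the placeholder values used in the thread, and the parser assumes the one-space indentation that `show running-config` gives sub-mode lines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the form from the accepted answer, with the ISAKMP
# keepalive (DPD) that Narayan mentions added so a dead primary peer is detected.
GOOD_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mypassword address 1.2.3.4
crypto isakmp key mypassword address 1.2.3.5
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set peer 1.2.3.5
 set transform-set My_T_Set
 match address 101
"""

# Constructed sample: the draft from the thread that lists both addresses on one line.
DRAFT_CONFIG = """\
crypto isakmp key mypassword address 1.2.3.4 1.2.3.5
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4 1.2.3.5
 set transform-set My_T_Set
 match address 101
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
KEY_RE = re.compile(rf"^crypto isakmp key (\S+) address ({IPV4})\b(.*)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
PEER_RE = re.compile(rf"^set peer ({IPV4})\b(.*)$")
DPD_RE = re.compile(r"^crypto isakmp keepalive \d+")


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peers: list = field(default_factory=list)     # configured order: first entry is tried first


@dataclass
class CryptoConfig:
    keys: dict = field(default_factory=dict)       # peer address -> pre-shared key
    maps: list = field(default_factory=list)
    dpd: bool = False                              # 'crypto isakmp keepalive' present
    findings: list = field(default_factory=list)   # (code, message) raised while parsing


def parse_crypto_config(text):
    """Pull the pieces relevant to peer failover out of an IOS running-config."""
    cfg = CryptoConfig()
    current = None                                 # crypto map entry whose sub-mode we are in
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                # a top-level command ends any sub-mode
            current = None
        m = KEY_RE.match(line)
        if m:
            key, addr, rest = m.groups()
            if rest.strip():
                # The token after the address is where IOS takes an optional wildcard
                # mask, so this line does not define a key for a second peer.
                cfg.findings.append(("EXTRA_TOKEN", f"key line for {addr}: trailing {rest.strip()!r} "
                                     "is read as a mask, not as a second peer; use one key line per peer"))
            cfg.keys[addr] = key
            continue
        m = MAP_RE.match(line)
        if m:
            current = CryptoMapEntry(m.group(1), int(m.group(2)))
            cfg.maps.append(current)
            continue
        if DPD_RE.match(line):
            cfg.dpd = True
            continue
        m = PEER_RE.match(line)
        if m and current is not None:
            addr, rest = m.groups()
            if rest.strip():
                cfg.findings.append(("EXTRA_TOKEN", f"{current.name} {current.seq}: 'set peer' takes one "
                                     f"address per line; {rest.strip()!r} is ignored as a peer"))
            current.peers.append(addr)
    return cfg


def check_failover(cfg):
    """Return all findings for the two-peer failover setup described in the thread."""
    findings = list(cfg.findings)
    for entry in cfg.maps:
        if len(entry.peers) < 2:
            findings.append(("SINGLE_PEER", f"{entry.name} {entry.seq}: {len(entry.peers)} peer(s) only; "
                             "add a second 'set peer' line for the backup"))
        for addr in entry.peers:
            if addr not in cfg.keys:
                findings.append(("MISSING_KEY", f"{entry.name} {entry.seq}: no 'crypto isakmp key ... "
                                 f"address {addr}' for peer {addr}"))
    if cfg.maps and not cfg.dpd:
        findings.append(("NO_DPD", "no 'crypto isakmp keepalive': without DPD the router does not "
                         "notice a dead primary peer and never fails over"))
    return findings


def finding_codes(findings):
    return sorted({code for code, _ in findings})


if __name__ == "__main__":
    for label, text in (("accepted answer", GOOD_CONFIG), ("draft", DRAFT_CONFIG)):
        cfg = parse_crypto_config(text)
        print(label, "peers in order:", [e.peers for e in cfg.maps])
        for code, msg in check_failover(cfg):
            print(f"  {code}: {msg}")
```

Run against the draft it reports the doubled addresses, the resulting single-peer crypto map and the missing keepalive; against the corrected form it reports nothing and shows the peer order (concentrator first, PIX/ASA second). It does not model the fail-back problem Narayan raises; the IOS IPsec Preferred Peer feature in his first link is the mechanism for returning to the primary without clearing the SA by hand.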
