VPN failover for cisco 800 and 1800 series routers?

whiteford (Level 1)

Hi, I'm just wondering if this is possible or what other choices I have.

I have many 800 and 1800 series routers in small offices that are in VPN mode that connect to a Cisco concentrator.

We have a Cisco PIX firewall (soon to upgrade to an ASA 5520, hopefully) and I was wondering, if the Cisco Concentrator failed, could I configure the routers to point to our Cisco PIX if I configured the PIX with site-to-site VPNs?

Thanks

6 Replies

Richard Burts (Hall of Fame)

Andy

It should be possible to have the remote sites configure their VPN to specify two peers, first the concentrator and then the ASA. In this configuration the remote would attempt to establish a VPN session with the concentrator and, if that failed, it would establish a VPN session with the ASA.

HTH

Rick

Hi Rick, thanks, great! Below I have part of a config; is this the peer part? Also, do I just add the 2nd peer after it for it to go in order of which peer to use first?

Just need an example to picture what you are saying :)

!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mypassword address 1.2.3.4
!
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set My_T_Set
 match address 101
!
ip cef
!
!

You can configure the IPsec preferred peer as the concentrator and the PIX as the backup peer, along with DPD (dead peer detection).

Have a look at these links:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gt_ipspp.htm

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00806c2875.html

But in all these cases the VPN to the PIX will come up when the primary fails, but the tunnel would not establish back to the Concentrator once it comes up. You need to manually clear the crypto SA to achieve this.

HTH

Narayan

Andy

Yes. The peer is referenced in two places (and you got both of them): the peer is referenced in defining the pre-shared key, and the peer is referenced in the crypto map "set peer" statement. Just add the address of the ASA and it should be fine.

HTH

Rick

Thanks, would it be something like this?

!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mypassword address 1.2.3.4 1.2.3.5
!
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4 1.2.3.5
 set transform-set My_T_Set
 match address 101
!
ip cef
!
!

Andy

More like this:

crypto isakmp key mypassword address 1.2.3.4
crypto isakmp key mypassword address 1.2.3.5
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set peer 1.2.3.5

HTH

Rick
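Pulling Rick's two-peer answer and Narayan's DPD and fail-back caveat together into one complete router-side configuration. This is an added example, not a config posted by anyone in the thread: the peer addresses, pre-shared key, transform-set and map names are the thread's placeholders, while the access list, subnets and WAN interface name are constructed. The `default` keyword on `set peer` and on `set security-association idle-time` comes from the IPsec Preferred Peer feature the thread links to (IOS 12.3(14)T and later), so confirm it exists on the image you run before relying on it.

```cisco
! Added example, not from the thread. Remote 800/1800 with two IKEv1 peers:
! 1.2.3.4 = concentrator (preferred), 1.2.3.5 = PIX/ASA (backup).
! Phase 1/2 parameters are copied from the thread's config (3DES/MD5/DH
! group 2); they are weak by current standards, see the note below.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! One key line per peer. "address 1.2.3.4 1.2.3.5" on a single line is not
! two peers: IOS parses the second value as a wildcard mask.
crypto isakmp key mypassword address 1.2.3.4
crypto isakmp key mypassword address 1.2.3.5
!
! Dead Peer Detection: send a probe every 10 s; once a probe goes
! unanswered, retry every 3 s. Without DPD the router only notices a dead
! concentrator when the SA lifetime expires, so failover takes far too long.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
 ! Peers are tried in the order listed. "default" (IPsec Preferred Peer
 ! feature; verify on your image) makes the next negotiation go back to
 ! 1.2.3.4 instead of staying on whichever peer last answered.
 set peer 1.2.3.4 default
 set peer 1.2.3.5
 set transform-set My_T_Set
 ! Tear down the SA after 120 s with no traffic so a tunnel that failed
 ! over to the PIX is re-negotiated towards the concentrator once it is
 ! back. Without this the router sticks to the PIX until "clear crypto sa",
 ! exactly the behaviour Narayan describes.
 set security-association idle-time 120 default
 match address 101
!
! Constructed example subnets: local office LAN to head-office LAN.
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! Constructed interface name; use the router's real WAN interface.
interface FastEthernet0
 crypto map My_Crypto_Map
```

Check which side the tunnel is on with `show crypto isakmp sa` and `show crypto ipsec sa` (the `current_peer` line), and force a fail-back by hand with `clear crypto sa` followed by `clear crypto isakmp`. The PIX/ASA must carry a mirror-image site-to-site tunnel (the same pre-shared key bound to this router's address, matching transforms, the reversed access list) or the second peer will simply never answer and the router will keep cycling. The 3DES/MD5/group 2 settings are kept only to match the thread; on any image that supports them, use AES, SHA-2 and at least DH group 14.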