Site to Site (L2L) VPN with DR Backup Site Sample Config

Unanswered Question
Nov 26th, 2007
User Badges:

Hi, I have a Hub-Spoke configuration of VPN Tunnels from Remote Branches connecting to the central site. The tunnels terminate on PIX firewalls with version 6.3 software. This setup works fine.


Now, we have a new DR site which has a PIX 525 with version 7 software. I would like to create VPN Tunnels between the remote sites and the DR site.


Does anybody have sample configs with this scenario?


Thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
lcm100553 Wed, 11/28/2007 - 23:41
User Badges:

Attached is a sketch of the setup I have. In this diagram, the remote branch is connected to the main branch on a vpn tunnel. This works fine.


The second tunnel to the DR site is configured but does not work. Is it possible to have Version 6.3 software on one end and version 7.x at the other end?



Attachment: 
kevin.jones1 Thu, 11/29/2007 - 07:16
User Badges:

What are you trying to achieve here? Are you

trying to do a automatically failover if the

VPN tunnel between the remote branch and the

Main FW goes down and the vpn tunnel between

remote branch and DR FW will goes active?


If that's the case, it can NOT be done with

Cisco Pix. Pix is a piece of junk. You would

need Cisco IOS routers for that. With IOS

routers, it can be easily done.


By the way, do you work for AMEX? do you know

Alban Dani?

lcm100553 Fri, 11/30/2007 - 00:49
User Badges:

HI Kev,


What I'm trying to do is to have two tunnels from the branches. One to the main site and one to the DR site. If the branch lose connection to the main site for whatever reason, they should be able to re-route the applications to the DR Servers.


Sorry, I do not know Alban.

lcm100553 Sat, 12/08/2007 - 23:19
User Badges:

It took me a couple of weeks to figure this out, but it was a simple case of deprecated command.

I simply removed this line from the remote branch firewall configuration:


crypto map vpn 15 set pfs group2


The Version 7.2 software on the DR Site firewall does not need this parameter and the Phase 2 negotiation will fail if this parameter is kept.

Actions

This Discussion