Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
548
Views
0
Helpful
5
Replies

Site to Site (L2L) VPN with DR Backup Site Sample Config

lcm100553
Level 1
Level 1

‎11-26-2007 04:40 AM - edited ‎02-21-2020 03:23 PM

Hi, I have a Hub-Spoke configuration of VPN Tunnels from Remote Branches connecting to the central site. The tunnels terminate on PIX firewalls with version 6.3 software. This setup works fine.

Now, we have a new DR site which has a PIX 525 with version 7 software. I would like to create VPN Tunnels between the remote sites and the DR site.

Does anybody have sample configs with this scenario?

Thanks in advance.

Labels:
0 Helpful
5 Replies 5

lcm100553
Level 1
Level 1

‎11-28-2007 11:41 PM

Attached is a sketch of the setup I have. In this diagram, the remote branch is connected to the main branch on a vpn tunnel. This works fine.

The second tunnel to the DR site is configured but does not work. Is it possible to have Version 6.3 software on one end and version 7.x at the other end?

Preview file
48 KB
0 Helpful

lcm100553
Level 1
Level 1
In response to lcm100553

‎11-28-2007 11:44 PM

Here are the firewall configuration relevant to the problem.

Preview file
2 KB
0 Helpful

kevin.jones1
Level 1
Level 1
In response to lcm100553

‎11-29-2007 07:16 AM

What are you trying to achieve here? Are you

trying to do a automatically failover if the

VPN tunnel between the remote branch and the

Main FW goes down and the vpn tunnel between

remote branch and DR FW will goes active?

If that's the case, it can NOT be done with

Cisco Pix. Pix is a piece of junk. You would

need Cisco IOS routers for that. With IOS

routers, it can be easily done.

By the way, do you work for AMEX? do you know

Alban Dani?

0 Helpful

lcm100553
Level 1
Level 1
In response to kevin.jones1

‎11-30-2007 12:49 AM

HI Kev,

What I'm trying to do is to have two tunnels from the branches. One to the main site and one to the DR site. If the branch lose connection to the main site for whatever reason, they should be able to re-route the applications to the DR Servers.

Sorry, I do not know Alban.

0 Helpful

lcm100553
Level 1
Level 1
In response to lcm100553

‎12-08-2007 11:19 PM

It took me a couple of weeks to figure this out, but it was a simple case of deprecated command.

I simply removed this line from the remote branch firewall configuration:

crypto map vpn 15 set pfs group2

The Version 7.2 software on the DR Site firewall does not need this parameter and the Phase 2 negotiation will fail if this parameter is kept.

0 Helpful
Customers Also Viewed These Support Documents