Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
866
Views
4
Helpful
7
Replies

Multiple peers with the same crypto ACL

cco
Level 1
Level 1

‎12-11-2007 12:45 AM - edited ‎02-20-2020 09:39 PM

Hi,

Let's suppose that we have the following crypto map policy on a PIX firewall:

crypto map VPN-CRYPTO-MAP 10 match address L2L-TUNNEL-01

crypto map VPN-CRYPTO-MAP 10 set peer 1.1.1.1

crypto map VPN-CRYPTO-MAP 10 set transform-set ESP-3DES-MD5

crypto map VPN-CRYPTO-MAP 20 match address L2L-TUNNEL-01

crypto map VPN-CRYPTO-MAP 20 set peer 2.2.2.2

crypto map VPN-CRYPTO-MAP 20 set transform-set ESP-3DES-MD5

Please note that the ACL to be matched for both peers is the same. My question is: In case peer 1.1.1.1 fails, is the IPSEC tunnel going to be established with peer 2.2.2.2 instead for the same traffic?

Thanks in advance.

Labels:
0 Helpful
7 Replies 7

Jon Marshall
Hall of Fame
Hall of Fame

‎12-11-2007 01:02 AM

Hi

The simple anwser is i'm not sure without testing however could i ask what you are trying to achieve. If it is redundancy you can have multiple "set peer" statements under the same crypto map entry and it will try them in order.

Apologies if you already knew this.

Jon

cco
Level 1
Level 1
In response to Jon Marshall

‎12-11-2007 01:07 AM

Hi Jon,

Yes correct, I need peer 2.2.2.2 to act as backup only and being used in case 1.1.1.1 stops responding.

So you're saying that configuring the crypto-map as listed below will achieve that?

crypto map VPN-CRYPTO-MAP 10 match address L2L-TUNNEL-01

crypto map VPN-CRYPTO-MAP 10 set peer 1.1.1.1

crypto map VPN-CRYPTO-MAP 10 set peer 2.2.2.2

crypto map VPN-CRYPTO-MAP 10 set transform-set ESP-3DES-MD5

Thanks.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to cco

‎12-11-2007 01:20 AM

Hi

Yes that should do it.

Jon

0 Helpful

cco
Level 1
Level 1
In response to Jon Marshall

‎12-11-2007 01:27 AM

Thanks Jon, I have one more question please. What happens if peer 1.1.1.1 gets back up? Is IKE going to try to renegotiate with it automatically?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to cco

‎12-11-2007 01:31 AM

Ahh well, to be honest i can't say for sure. I assume it will keep using 2.2.2.2 until the tunnel is torn down and it then tries to start it up again but without testing i'm not sure.

If i get the chance i'll knock this up in our lab but it's going to be a busy week so there might be a delay.

Jon

0 Helpful

cco
Level 1
Level 1
In response to Jon Marshall

‎12-11-2007 01:38 AM

Well thanks Jon. If u get the chance to test it plz let me know :-)

Cheers

0 Helpful

hoomanp
Level 1
Level 1
In response to cco

‎12-19-2007 02:17 AM

Well it shoul dwork on 6.3. What is the solution for 7.2?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents