IPSEC VPN Failover

Unanswered Question
Apr 17th, 2008
User Badges:

Need help to verify my design. I have 1 router1841 and pix515.2 isp link connect to router1841 and 1 isp link connect to pix515.My intention is to do redundancy ipsec vpn. will this design achivable? Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Todd Pula Tue, 03/01/2011 - 14:50
User Badges:
  • Silver, 250 points or more

You will want to employ some of the HA configuration found in the doc below to automate the failover process between the two ISP connections.  If configuring a static crypto map, you can configure one or more peer IPs for failover.  In this scenario, you will want to make sure that ISAKMP keepalives are correctly configured on both the 1841 and PIX so that the stale SAs can be timed out more quickly.


crypto map CMAP 10 ipsec-isakmp
set peer default
set peer
set transform-set TSET
match address INTERESTING


This Discussion