site to site IPsec VPN with redundancy link

Feb 25th, 2009

I have 2 sites to set up an IPsec VPN between; both sites have 2 Internet connections. One site is an ASA 8.0 and the other is a PIX 7.2.

I want to set up 2 VPN tunnels to back each other up. For the routing part I think I can use object tracking to do the redundancy, but on the VPN configuration I am confused about the following 2 different setups:

Setup 1:

crypto map FWMAP 10 match address 101
crypto map FWMAP 10 set peer
#Secondary for backup
crypto map FWMAP 20 match address 101
crypto map FWMAP 20 set peer

Setup 2:

crypto map xxxmap 10 ipsec-isakmp
crypto map xxxmap 10 match address A_2_B
#Primary peer
crypto map xxxmap 10 set peer !--ISP1
#Secondary peer for backup
crypto map xxxmap 10 set peer !--ISP2

It seems both configurations should work? What is the difference between them?

I am not quite sure how the multiple set peer command works, and the configuration guide didn't explain that either.

auraza (Cisco Employee) Thu, 02/26/2009 - 12:54

#1 would not work as the ACLs are the same, and it will keep trying to bring that up, and will never hit sequence 20.

#2 may work, but it will be tricky with failover - it would be best to lab it up, and see if you have any problems with various failover scenarios. Make sure you have your keepalives (DPDs) set to delete as soon as a failure is detected.
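A fuller version of the second form on the ASA side, with the DPD keepalives mentioned above and the object-tracked default route from the question, as an added example that is not from the original poster or the replier. All addresses, the interface names (outside, backup), the ACL contents and the pre-shared key are placeholders.

```cisco
! Placeholders: remote peer via ISP1 203.0.113.1, via ISP2 198.51.100.1;
! local ISP1 gateway 192.0.2.1 on outside, ISP2 gateway 192.0.2.129 on backup.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
access-list A_2_B extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! One crypto map entry with both peers: the ASA tries 203.0.113.1 first and
! falls back to 198.51.100.1, instead of two entries matching the same ACL.
crypto map xxxmap 10 match address A_2_B
crypto map xxxmap 10 set peer 203.0.113.1 198.51.100.1
crypto map xxxmap 10 set transform-set ESP-AES-SHA
crypto map xxxmap interface outside
! DPD per peer: declare the peer dead after 10 s without traffic, retry every 2 s,
! so the SA is torn down quickly and the next peer can be tried.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
 isakmp keepalive threshold 10 retry 2
! Default-route tracking: ping the ISP1 gateway every 5 s; when it stops
! answering the tracked route is withdrawn and the ISP2 route takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route backup 0.0.0.0 0.0.0.0 192.0.2.129 254
```

The peer list is only walked when this side initiates, so the PIX needs the mirror image (both ASA ISP addresses in its own set peer), and for the tunnel to come up over ISP2 the crypto map and ISAKMP also have to be enabled on the backup interface.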
