Multiple Peer on Single crypto configuration

Unanswered Question
Jul 9th, 2009

I have a Cisco PIX 515E ver 7.2; below is the configuration I have set to achieve VPN failover even if one ISP fails, but this doesn't work. It only works if I put in bi-directional, irrespective of which one IP I have in that. Any suggestion?

crypto map pix-to-pix 36 match address Anand
crypto map pix-to-pix 36 set connection-type originate-only
crypto map pix-to-pix 36 set peer 1.1.1.1 2.2.2.2
crypto map pix-to-pix 36 set transform-set ESP-3DES-MD5
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key 123456
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key 123456

Ivan Martinon Tue, 07/21/2009 - 07:46

How are you defining this "VPN Failover"? Which has the dual ISP? If the remote end is the one that will have 2 possible IP addresses, then this configuration is needed. Can you be a bit more specific?

Anand Narayana Tue, 07/21/2009 - 08:21

crypto map pix-to-pix 36 set connection-type originate-only

With this configuration the tunnel goes down when 2 IPs are added.

Ivan Martinon Tue, 07/21/2009 - 08:23

The remote end has to have answer-only for the tunnel to be started, and you need to have a public IP address to public IP address traffic definition if the remote end is not an ASA. If it was an ASA, as long as you have originate-only on one side and answer-only on the other end, the public-to-public ASA is automatically created.

Anand Narayana Tue, 07/21/2009 - 08:29

The remote end is a Fortinet firewall device. How will I define "public IP address to public IP address traffic definition"? I am not clear with this :-(

Ivan Martinon Tue, 07/21/2009 - 08:31

So say, for instance, your ASA has IP address 4.4.4.4 and your Fortinet has 3.3.3.3 and 2.2.2.2; your crypto access list on your ASA would look like this:

access-list crypto permit ip host 4.4.4.4 host 3.3.3.3
access-list crypto permit ip host 4.4.4.4 host 2.2.2.2
access-list crypto permit ip local network remote network

And the Fortinet should emulate this.

I did something similar to this where the remote end was an ASA 5505. The 5505 has the dual-ISP option with the SLA monitoring. On the home end, I had to set it to originate-only. Additionally, I had to create a "ping script" that would create interesting traffic to automatically rebuild the tunnel (interesting traffic).
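Putting the pieces of this thread together, here is what the originate-only side's full configuration could look like in ASA/PIX 7.2 syntax (an added example written for this page, not config posted by either participant). It assumes 4.4.4.4 as the local public address (Ivan's placeholder), 1.1.1.1 and 2.2.2.2 as the Fortinet's two ISP addresses from the original post, and constructed private networks 192.168.1.0/24 (local) and 192.168.2.0/24 (remote).

```cisco
! Added example: originate-only side with two remote peers (ASA/PIX 7.2 syntax).
! Assumptions: local public IP 4.4.4.4 (Ivan's placeholder), remote peers 1.1.1.1 / 2.2.2.2
! (from the original post), constructed LANs 192.168.1.0/24 (local) and 192.168.2.0/24 (remote).
!
! Phase 1: ISAKMP on the outside interface with a pre-shared-key policy
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
! Phase 2: transform set referenced by the crypto map
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
! Crypto ACL: public-to-public entries for BOTH remote peers, then the LAN-to-LAN traffic.
! Without the host-to-host lines the firewall has no matching entry to bring the tunnel
! up against whichever peer is currently reachable (the point Ivan makes above).
access-list Anand extended permit ip host 4.4.4.4 host 1.1.1.1
access-list Anand extended permit ip host 4.4.4.4 host 2.2.2.2
access-list Anand extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! Crypto map: this side originates; peers are tried in the order listed.
crypto map pix-to-pix 36 match address Anand
crypto map pix-to-pix 36 set connection-type originate-only
crypto map pix-to-pix 36 set peer 1.1.1.1 2.2.2.2
crypto map pix-to-pix 36 set transform-set ESP-3DES-MD5
crypto map pix-to-pix interface outside
!
! One tunnel-group per possible peer address, same key on both.
! <shared-secret> is a placeholder for the real pre-shared key.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key <shared-secret>
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key <shared-secret>
```

NAT exemption for the LAN-to-LAN traffic and the Fortinet side's mirror-image selectors (accepting rather than initiating the tunnel) are not shown.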
