cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1036
Views
0
Helpful
6
Replies

Backup connection for site-to-site VPN

nocrack21
Level 1
Level 1

Hello,

I'd like to configure a backup connection for our site-to-site VPN but everything I tried doesn't work so far.

Here is what I tried:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto  map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match  address allow-vpn
crypto map outside_map 20 set peer IP_Primary
crypto map outside_map 20 set peer barnvpn1
crypto map outside_map 20  set transform-set ESP-3DES-MD5
crypto map outside_map interface  outside
isakmp enable outside
isakmp key ******** address  IP_Primary netmask 255.255.255.255 no-xauth  no-config-mode
isakmp key ******** address barnvpn1 netmask  255.255.255.255 no-xauth no-config-mode
isakmp policy 20  authentication pre-share
isakmp policy 20 encryption 3des
isakmp  policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

and

crypto  ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address allow-vpn
crypto map outside_map 20 set peer IP_Primary
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map  outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address allow-vpn
crypto map outside_map 30 set peer barnvpn1
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address IP_Primary netmask 255.255.255.255 no-xauth  no-config-mode
isakmp key ******** address barnvpn1 netmask 255.255.255.255 no-xauth  no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

With the first one, it connect to IP_Primary but if I stop this connection, it doesn't fail back to barnvpn1 unless I reboot the PIX.

If I'm right, the 2nd one would be more to get 2 VPN connection at the same time but it doesn't work either.

The pix is on V6.3.5.

Thank you for the help!

6 Replies 6

Hi,

The configuration to have a backup VPN is the first one.

crypto map outside_map 20 set peer IP_Primary
crypto map outside_map 20 set peer barnvpn1

With the above configuration, it will attempt to connect to IP_Primary first and if it fails it will attempt to connect to barnvpn1

Both IPs belong to the same remote device?

Can you PING both IPs from the PIX?

Federico.

Hi,

No, one of them is a cisco concentrator, the 2nd one being an ASA. At some point the two IP addresses will point to the ASA though.

Yes I can ping them both from the PIX.

The config works pretty much as you said, it actually connects to barnvpn1 but only after a reboot where I would need it to be automatic.

Thanks,

Arnaud

Arnaud,

It should be automatic.

When the PIX cannot establish the tunnel to the first peer will attempt the second one.

How are you doing the test?

Because, if the PIX already established a tunnel with the first peer, it might not attempt to establish a tunnel to the second peer until the SAs are cleared.

Federico.

I deleted the config on the concentrator which

killed the VPN connection but nothing happend after that untill I rebooted the PIX.

Arnaud

Perhaps the PIX had already a VPN connection established to the Concentrator.

When you killed the config on the Concentrator, the tunnel will stay active on the PIX side (until it times out).

Try the following:

Have the concentrator offline.

Try to establish the tunnel from the PIX, it should try the concentrator and when not getting a response, should create a tunnel with the ASA.

You can use keepalives or DPD to allow the PIX to notice that the tunnel is down on the other side quick enough.

Federico.

I'll try that, thank you very much for your help!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: