Dual IPSEC VPN tunnel on single remote peer

Is it possible to establish two IPSEC VPN tunnels to a single remote peer?

I currently have two ISP connections and I wanted to make two tunnels for failover, but I'm not sure if there is an issue with the tunnel groups, since I would end up having only one tunnel group for both tunnels.

6 REPLIES

Re: Dual IPSEC VPN tunnel on single remote peer

How is your internet redundancy configured? Are you using PIX, ASA, IOS, or what?


Re: Dual IPSEC VPN tunnel on single remote peer

I'm currently using an ASA that is configured with a static route tracking feature.


Re: Dual IPSEC VPN tunnel on single remote peer

Attached is a network topology for reference.

Thanks

Re: Dual IPSEC VPN tunnel on single remote peer

If you have PIX/ASA/VPNC on both ends, you can use the backup LAN-to-LAN feature.

The end that will connect to multiple IP addresses should be configured as originate-only with the set connection-type command, and use the crypto map set peer command to order the priority of the peers.

The other end should be configured with the answer-only keyword.

The originate-only end attempts to negotiate with the first peer in the list. If that peer does not respond, the ASA works its way down the list until either a peer responds or there are no more peers in the list.


Re: Dual IPSEC VPN tunnel on single remote peer

I have a Cisco ASA on my end, but on the remote end is a Multitech firewall.

How do I go about this?

Re: Dual IPSEC VPN tunnel on single remote peer

In that case I am not sure. But if the other end permits multiple peer statements, you can try to just configure your end as answer-only, or do nothing and see what happens. It mostly depends on how the Multitech handles redundancy; the ASA side only has one address to connect to.

A router on each side would provide much better redundancy by running DMVPN.
