362 Views | 0 Helpful | 1 Reply

Backup VPN Tunnel

ricey (Level 1)

I have a Cisco Pix to Checkpoint VPN tunnel to connect a remote office. This works fine; however, as part of a DR project another Pix firewall will be installed in a remote office. My question is, is it possible for the first Pix to have 2 VPN tunnels using the same info (access-lists etc.) to different termination points, with one acting purely as a backup? So if the Checkpoint goes down, the Pix will automatically be able to tunnel data to the new remote Pix?

1 Reply

sergej.gurenko (Level 1)

Crypto maps allow adding more than one peer. As I remember, they try to connect to them in descending order, until the first successful connection. If a peer fails after a successful connection, the next peer in the list will be tried. Sample:

crypto map test-it 10 ipsec-isakmp
 ! Incomplete
 set peer 1.1.1.1
 set peer 2.2.2.2
 match address 111

You can also add 2 different crypto maps, so two tunnels will be active at the same time.

The other problem is that both the CheckPoint FW and the PIX have very limited routing functions. It will be a problem for the central office to detect where the active tunnel is currently terminated, on the PIX or on the FW-1. A central office router fails to pass return traffic to the correct VPN box.

My advice is: if you want redundancy, use a pure one-vendor solution:

Either a CheckPoint FW HA cluster (on SecurePlatform + the free ISP redundancy feature) in the central office and Safe@Edge boxes in the branches,

or an IOS router EasyVPN server in the center (or even a router cluster) and PIX firewalls or IOS routers in the branches.

Any Future questions?
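To show what the crypto map sample above looks like once the parts it leaves out are filled in, here is an added configuration example (constructed for this page, not the poster's own configuration). It assumes PIX 6.3 syntax; the addresses, key placeholders, access-list number and map name are assumptions, and the keepalive line is the check a practitioner would want, since the second peer is only tried once the first is detected as dead.

```cisco
! Constructed example, PIX 6.3 syntax assumed; not the poster's configuration.
! Addresses, names, the access-list number and the keys are placeholders.

! Interesting traffic: central LAN 10.1.0.0/16 to branch LAN 10.2.0.0/16
access-list 111 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Phase 2 transform set, used for whichever peer is active
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac

! One crypto map entry, two peers: 1.1.1.1 (CheckPoint) first, 2.2.2.2 (DR PIX) as backup
crypto map test-it 10 ipsec-isakmp
crypto map test-it 10 match address 111
crypto map test-it 10 set peer 1.1.1.1
crypto map test-it 10 set peer 2.2.2.2
crypto map test-it 10 set transform-set strong
crypto map test-it interface outside

! Phase 1: a pre-shared key must exist for EACH peer, or the backup never negotiates
isakmp enable outside
isakmp key <PRE-SHARED-KEY-1> address 1.1.1.1 netmask 255.255.255.255
isakmp key <PRE-SHARED-KEY-2> address 2.2.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Dead peer detection: without keepalives the PIX only notices a dead primary
! when the SA lifetime expires, so failover to the second peer can take hours
isakmp keepalive 10 3

! Let IPsec-decrypted traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

The crypto map handles the outbound side only; as the reply notes, the central office still needs a way to route return traffic to whichever box currently terminates the tunnel.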
