I have a Cisco PIX to Checkpoint VPN tunnel to connect a remote office. This works fine, however as part of a DR project another PIX firewall will be installed in a remote office. My question is, is it possible for the first PIX to have 2 VPN tunnels using the same info (access-lists etc.) to different termination points with one acting purely as a backup? So if the Checkpoint goes down, the PIX will automatically be able to tunnel data to the new remote PIX?
Crypto maps allow adding more than one peer. As I remember, they try to connect to them in descending order, until the first successful connect. If a peer fails after a successful connection, the next peer in the list will be tried. Sample:
crypto map test-it 10 ipsec-isakmp
set peer 126.96.36.199
set peer 188.8.131.52
match address 111
You can also add 2 different crypto maps, so two tunnels will be active at the same time.
Another problem is that both the CheckPoint FW and the PIX have very limited routing functions. It will be a problem for the central office to detect where the active tunnel is currently terminated, on the PIX or on the FW-1. A central office router fails to pass return traffic to the correct VPN box.
My advice is: if you want redundancy, use a pure one-vendor solution:
Either a CheckPoint FW HA cluster (on SecurePlatform + free ISP redundancy feature) in the central office and Safe@Edge boxes in the branches,
or an IOS router Easy VPN server in the center (or even a router cluster) and PIX firewalls or IOS routers in the branches.
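A fuller version of the two-peer crypto map from the answer above, added here as an illustration; it is not the original poster's configuration and not taken from Cisco documentation. It assumes PIX 6.x-style syntax, reuses the two peer addresses from the answer, and makes up the protected networks (10.1.0.0/16 at the central site, 10.2.0.0/16 at the branch), the transform-set name `strong`, and the pre-shared key placeholder `<PSK>`.

```cisco
! Traffic that should be encrypted, same list for both peers (made-up networks)
access-list 111 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Phase 2 transform set (name is an assumption for this example)
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! One crypto map entry, two peers: the PIX tries them in list order and
! moves to the next one when the current peer stops responding
crypto map test-it 10 ipsec-isakmp
crypto map test-it 10 match address 111
crypto map test-it 10 set peer 126.96.36.199
crypto map test-it 10 set peer 188.8.131.52
crypto map test-it 10 set transform-set strong
crypto map test-it interface outside

! Phase 1: each peer needs its own pre-shared key entry; <PSK> is a placeholder
isakmp enable outside
isakmp key <PSK> address 126.96.36.199 netmask 255.255.255.255
isakmp key <PSK> address 188.8.131.52 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

After applying this, `show crypto isakmp sa` and `show crypto ipsec sa` show which of the two peers the current security associations are built with, so you can see which termination point is active. Note the point made above about the central site: the configuration only makes the branch PIX fail over; something on the central side still has to route return traffic toward whichever box currently terminates the tunnel.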