Cisco Support Community

New Member

Backup VPN Tunnel

I have a Cisco PIX to Checkpoint VPN tunnel to connect a remote office. This works fine; however, as part of a DR project another PIX firewall will be installed in a remote office. My question is, is it possible for the first PIX to have two VPN tunnels using the same info (access-lists etc.) to different termination points, with one acting purely as a backup? So if the Checkpoint goes down, the PIX will automatically be able to tunnel data to the new remote PIX?

New Member

Re: Backup VPN Tunnel

Crypto maps allow adding more than one peer. As I remember, they try to connect to them in descending order until the first successful connection. If a peer fails after a successful connection, the next peer in the list will be tried. Sample:

crypto map test-it 10 ipsec-isakmp
! Incomplete
set peer
set peer
match address 111

You can also add two different crypto maps, so two tunnels will be active at the same time.

Another problem is that both the CheckPoint FW and the PIX have very limited routing functions. It will be a problem for the central office to detect where the active tunnel is currently terminated, on the PIX or on the FW-1. A central office router would fail to pass return traffic to the correct VPN box.

My advice is: if you want redundancy, use a pure one-vendor solution:

Either a CheckPoint FW HA cluster (on SecurePlatform + the free ISP redundancy feature) in the central office and Safe@Edge boxes in the branches,

or an IOS router EasyVPN server in the center (or even a router cluster) and PIX firewalls or IOS routers in the branches.

Any further questions?
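As an added illustration that is not part of the reply above and not taken from Cisco documentation, here is the reply's skeleton filled out in PIX 6.x syntax: one crypto map entry carrying a primary peer (the Checkpoint) and a backup peer (the new remote PIX), plus the Phase 1 and Phase 2 pieces the entry depends on. Every address, name and the pre-shared-key placeholder is an assumption; the reply's own sample leaves them out.

```text
! Added example (PIX 6.x syntax): one crypto map entry, primary and backup peer.
! All addresses, names and the key placeholder are assumed, not from the thread.

! Interesting traffic: local 10.1.1.0/24 to the remote office 10.2.2.0/24 (constructed ranges).
! The same access-list serves both peers, which is what the question asks for.
access-list 111 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Keep VPN traffic out of NAT so inside addresses survive into the tunnel.
nat (inside) 0 access-list 111

! Phase 2 proposal (both peers must offer a matching one).
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac

! One entry, two peers: the PIX tries the peers in the order listed and moves
! to the next when IKE to the current one fails, which is the backup behaviour
! the reply describes. Only one of the two tunnels is up at a time.
crypto map test-it 10 ipsec-isakmp
crypto map test-it 10 match address 111
crypto map test-it 10 set peer 203.0.113.10
crypto map test-it 10 set peer 203.0.113.20
crypto map test-it 10 set transform-set STRONG
crypto map test-it interface outside

! Phase 1: each peer needs its own key entry and a matching policy.
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address 203.0.113.10 netmask 255.255.255.255
isakmp key <PRE-SHARED-KEY> address 203.0.113.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IKE keepalives so a dead primary is noticed within seconds instead of only
! when the SA lifetime expires; without them failover to the backup is slow.
isakmp keepalive 10 3

! Let decrypted tunnel traffic bypass the interface access-lists.
sysopt connection permit-ipsec
```

Two things to check before relying on this. First, the remote PIX must carry the mirror image of access-list 111 and the same Phase 1/Phase 2 parameters, or the backup peer will never negotiate. Second, the reply's routing caveat still applies: failover only moves the encrypted traffic, so the central site must also have some way of sending return traffic to whichever box currently holds the live SA.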
