IPSEC Resiliance on PIX

dmurnin · ‎03-30-2001

Is their any way of getting an IPSEC tunnel on a pix to failover to an ISDN router? I have read about ways of getting IPSEC on a router to failover using EIGRP on GRE tunnels, is this sort of configuration viable when running over a PIX.

jcazila · ‎04-04-2001

Tried configuring multiple peers in the crypto map?. hope it helps.

alexnap (alexnapv@hotmail.com)

mak · ‎04-06-2001

Configuring an ISDN interface as a backup int to a

terrestrial lastmile, connecting to an ISP, will this work?

That means IPSec tunnel have to be re-established over ISDN till peer/s?

ed · ‎04-22-2001

Setup your Leased Line router and your ISDN router to use HSRP.

Use the standby address in HSRP as the PIX "route outside" next hop address.

In this way the Leased Line router assumes the HSRP standby address and forwards all data to the ISP when the Leased Line is up. When down, the ISDN router takes the HSRP standby address and brings up the call to the ISP immediatly.

PIX always sees one address for its route outside, the HSRP standby address.

This works great, I have it working on a site.

a-gabriel · ‎04-28-2001

First of all, the idea of having an ISDN dial backup will only work if your ISP has configured ISDN as the backup route for your IP block.

If you are using ISDN as a backup, while HSRP might work well, it might be much simpler to simply put in a BRI card into your router and configure the BRI as a backup interface to your serial leased line connection.

Basically, if the failover is to connect to your ISP, your ipsec should not have a problem as it will work so long as ip is working.

However, if the isdn routing you are talking about is a direct dial-up connection to a remote office to which you have a vpn running, this is very very difficult. Though setting up the dial backup at your end should be fairly straightforward, it wont work unless the other end realizes that you off the internet and stops routing packets to you through the internet. The hard part is to get this working.

jbhaynesjr · ‎05-16-2001

I have been working on this myself for the past several weeks. The PIX cannot terminate a GRE tunnel, however, if you have a router behind the PIX which has ISDN interfaces on it, establish a GRE tunnel between it and the remote router. Use a loopback address as the source and destination for the tunnel on each end. Advertise a second loopback address from each router through the tunnel using EIGRP. Apply the crypto map that you have on the external interface of the remote router to the tunnel interface on the remote router also. In the PIX, the only traffic you need to allow through the IPSEC VPN is the GRE between the two router loopback addresses (source and destination of the tunnel).

Now you can use the same technique as described in the configuration guides for DDR. In the remote and local routers, define static routes to the networks at the other end of the tunnel using the second loopback address as the destination. Then define a floating static route with a high distance (240) to the second loopback address using the remote end of an ISDN dialer interface as the destination address. As long as the loopback address is advertised by EIGRP, traffic will go through the GRE tunnel which is encapsulated in the IPSEC tunnel. If the IPSEC connection breaks, even if the interfaces do not go down, the EIGRP route will go away and the floating static route will take over. That will cause whichever router has traffic to send to dial the ISDN connection.

P.S. We had a lot of trouble with 12.0(7) code doing this. It appears to be working better with 12.1(5)