Cisco Support Community
Community Member

ISDN link as backup for VPN tunnels

Hi all,

My central site uses a PIX 515 to reach several remote LANs using PIX 501 or 515 with IPsec tunnels.

I'm wondering how I can provide a backup with ISDN, since the PIX doesn't use routing entries (an ACL selects the traffic to encrypt) to reach the remote net!

So if each site uses a local router, how can this router see that the tunnel is down on the PIX (due to an ISP problem, for example) and in that case decide to contact the remote net by ISDN? And how will the central site see that it has to answer on the ISDN link and not on the VPN tunnel?

So the question is: if a tunnel is down, does the PIX send an ICMP "destination unreachable" on the local LAN if a host tries to use this tunnel?

I know the Concentrator can use RRI to populate a route if the tunnel is up, but I don't know if the PIX is able to use the same function!

Can I use the RRI function if the peers of a concentrator are PIX devices?

I don't know how two sites will back up on ISDN at the same time!

Thanks for your help.



Re: ISDN link as backup for VPN tunnels

The "standard" approach is to build GRE tunnels through the VPN tunnels and then use any routing protocol to drive dial on demand or dialer watch. But when using separate firewalls as you are, I prefer the Networking Unlimited approach of using BGP directly over the VPN tunnels and eliminating the GRE tunnel and its extra overhead. There are examples of the "standard" approach here on CCO while the latter is explained in one of the white papers on my web site (along with an example of an OSPF over GRE scenario). Good luck and have fun!

Vincent C Jones
