Could anyone advise if the PIX will in future support the ability to configure multiple tunnels that will terminate on a number of PIXes that are all on the same remote LAN? In other words all the crypto access-lists will point to the same remote LAN address. The intention is to use another tunnel if for some reason the existing tunnel to a site goes down. The main objective would be redundancy and not load balancing.
You can already do this, assuming I understand you correctly. You can define multiple peers under the one crypto map instance; if the first peer is unavailable the PIX will try the second peer and so on. For example:
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 100
crypto map transam 1 set peer 172.22.112.12
crypto map transam 1 set peer 172.22.144.14
crypto map transam 1 set transform-set espdes
The PIX will try building a tunnel to 172.22.112.12, if it gets no response it'll go to 172.22.144.14. Is that what you meant?
I have a similar requirement. I am using IOS based vpns, but that shouldn't matter. I have a hub-and-spoke setup of Frame now, with 8-10 sites coming back to headquarters. We want to implement VPNs with GRE and EIGRP in place of Frame. For cost savings and proof of concept, we want our remote sites to have dual (redundant) internet connections using cable modems or DSL rather than dedicated loop internet. I have set up the local HQ router with two peers, one ip from each ISP. I have simulated two ISP connections connected to a hub with an uplink to the external side of a 2621 with two IP addresses primary/secondary. I figured that I could assign IPs from both ISPs to the external interface and set two routes to my HQ peer with equal metrics to the default gateways of their respective ISPs. However, it only seems like the primary address is ever tried for the tunnel creation, even if the link is down. How can I get it to fail over to the secondary ip and try to establish the tunnel, using the second route to the peer, when the first ISP link goes down?
Thanks for any help you can provide. If there is a better solution, please advise.