Cisco Support Community

New Member

Multiple VPN tunnels to one LAN

Could anyone advise if the PIX will in future support the ability to configure multiple tunnels that will terminate on a number of PIXes that are all on the same remote LAN? In other words all the crypto access-lists will point to the same remote LAN address. The intention is to use another tunnel if for some reason the existing tunnel to a site goes down. The main objective would be redundancy and not load balancing.

Many thanks

Walter Rogowski.


4 REPLIES
Cisco Employee

Re: Multiple VPN tunnels to one LAN

You can already do this, assuming I understand you correctly. You can define multiple peers under the one crypto map instance; if the first peer is unavailable the PIX will try the second peer, and so on. For example:

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 100
crypto map transam 1 set peer 172.22.112.12
crypto map transam 1 set peer 172.22.144.14
crypto map transam 1 set transform-set espdes

The PIX will try building a tunnel to 172.22.112.12; if it gets no response it'll go to 172.22.144.14. Is that what you meant?
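As an added example (not part of the original thread or of any Cisco code), a small Python config check that parses crypto map lines in the form shown above, keeps the peers in configured order, flags entries that have no backup peer, and models the first-responding-peer selection described in the reply. The second crypto map entry, its ACL number and its peer address in the sample are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample: the crypto map from the reply above plus a second
# entry (sequence 2, constructed values) that has only one peer.
SAMPLE_CONFIG = """\
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 100
crypto map transam 1 set peer 172.22.112.12
crypto map transam 1 set peer 172.22.144.14
crypto map transam 1 set transform-set espdes
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 101
crypto map transam 2 set peer 172.22.160.16
crypto map transam 2 set transform-set espdes
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_maps(config_text):
    """Group 'crypto map <name> <seq> ...' lines by (name, seq).

    Peers are kept in configuration order because that is the order in
    which the PIX tries them: the second peer is only contacted when the
    first does not respond.
    """
    entries = OrderedDict()
    for line in config_text.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = entries.setdefault(
            (name, seq), {"peers": [], "acl": None, "transform_set": None})
        if rest.startswith("set peer "):
            entry["peers"].append(rest.split()[2])
        elif rest.startswith("match address "):
            entry["acl"] = rest.split()[2]
        elif rest.startswith("set transform-set "):
            entry["transform_set"] = rest.split()[2]
    return entries


def entries_without_backup_peer(entries):
    """Return the (name, seq) keys of entries with fewer than two peers."""
    return [key for key, e in entries.items() if len(e["peers"]) < 2]


def select_peer(peers, reachable):
    """Model the PIX behaviour: first configured peer that responds, else None."""
    for peer in peers:
        if peer in reachable:
            return peer
    return None
```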

Cisco Employee

Re: Multiple VPN tunnels to one LAN

Oh, and this is purely for redundancy. The PIX will NOT load-balance over the two peers or anything like that, the 2nd peer will only ever be used if the 1st is unavailable.

New Member

Re: Multiple VPN tunnels to one LAN

Thanks, that was the answer I was after.

New Member

Re: Multiple VPN tunnels to one LAN

Hi,

I have a similar requirement. I am using IOS-based VPNs, but that shouldn't matter. I have a hub-and-spoke setup of Frame now, with 8-10 sites coming back to headquarters. We want to implement VPNs with GRE and EIGRP in place of Frame. For cost savings and proof of concept, we want our remote sites to have dual (redundant) internet connections using cable modems or DSL rather than dedicated loop internet. I have set up the local HQ router with two peers, one IP from each ISP. I have simulated two ISP connections connected to a hub with an uplink to the external side of a 2621 with two IP addresses, primary/secondary. I figured that I could assign IPs from both ISPs to the external interface and set two routes to my HQ peer with equal metrics to the default gateways of their respective ISPs. However, it only seems like the primary address is ever tried for the tunnel creation, even if the link is down. How can I get it to fail over to the secondary IP and try to establish the tunnel, using the second route to the peer, when the first ISP link goes down?

Thanks for any help you can provide. If there is a better solution, please advise.

Billy Dedek
