I would like to set up some backup tunnels for multi-homed IOS routers that have IPSec connections to my PIX. The PIX has only one IP but the routers have alternate IPs and links that can be used when the primary link goes down. I am not sure how to do the crypto map setup on the PIX. Should I use two different sequence numbers like this:
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address 101
crypto map vpnmap 20 set peer 1.1.1.1 *primary IP*
crypto map vpnmap 20 set transform-set vpnset
crypto map vpnmap 30 ipsec-isakmp
crypto map vpnmap 30 match address 101
crypto map vpnmap 30 set peer 2.2.2.2 *backup IP*
crypto map vpnmap 30 set transform-set vpnset
Or should I use one sequence with two peer commands like this:
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address 101
crypto map vpnmap 20 set peer 1.1.1.1
crypto map vpnmap 20 set peer 2.2.2.2
crypto map vpnmap 20 set transform-set vpnset
What are the differences and/or pros and cons between these two approaches?
Thanks,
Diego