two sequence numbers or two set peers in crypto map?

tato386 (Level 6)

I would like to set up some backup tunnels for multi-homed IOS routers that have IPSec connections to my PIX. The PIX has only one IP, but the routers have alternate IPs and links that can be used when the primary link goes down. I am not sure how to do the crypto map setup on the PIX. Should I use two different sequence numbers like this:

crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address 101
crypto map vpnmap 20 set peer 1.1.1.1 *primary IP*
crypto map vpnmap 20 set transform-set vpnset
crypto map vpnmap 30 ipsec-isakmp
crypto map vpnmap 30 match address 101
crypto map vpnmap 30 set peer 2.2.2.2 *backup IP*
crypto map vpnmap 30 set transform-set vpnset

Or should I use one sequence with two peer commands like this:

crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address 101
crypto map vpnmap 20 set peer 1.1.1.1
crypto map vpnmap 20 set peer 2.2.2.2
crypto map vpnmap 20 set transform-set vpnset

What are the differences and/or pros and cons between these two approaches?

Thanks,

Diego

1 Reply

gfullage (Cisco Employee)

You can't use the first config because instance 30 will never get used. Crypto maps are read from the top down, so the PIX will see instance 20 first and check access-list 101 against the traffic it's transmitting; it'll match, and it'll encrypt the packet and send it to 1.1.1.1. If 1.1.1.1 is down the PIX won't go to instance 30, because instance 20 will match before it, and the PIX will just keep trying to build a tunnel to 1.1.1.1; it will NEVER try 2.2.2.2 with this config. This is NOT what you want.

If you truly want a backup peer then the second config is the way to do it, because the PIX will match the traffic to ACL 101 and try 1.1.1.1 first, since that's listed first, but if it can't build a tunnel to it, it'll then try 2.2.2.2.
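The two rules the reply relies on, first-match selection of the crypto map instance and in-order trial of the peers inside the winning instance, can be checked by running both of the posted configs through a small model. The following is an added example written for this page, not code from the thread or from Cisco; it models a PIX crypto map as data and stands in for IKE with a constructed set of "reachable" peer addresses, so the peer addresses, the ACL contents and the sample hosts are all assumptions made up for the demonstration.

```python
"""Model of how a PIX/IOS crypto map picks a tunnel peer for one packet.

Added example, not part of the original thread. Two rules are modelled:
  1. crypto map instances are evaluated in ascending sequence order and the
     first instance whose 'match address' ACL permits the packet wins;
  2. inside that instance, the 'set peer' addresses are tried in the order
     configured, moving to the next only when no tunnel can be built.
Peer reachability is a constructed set, not a real IKE exchange.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class CryptoMapEntry:
    """One 'crypto map <name> <seq> ipsec-isakmp' instance."""
    seq: int
    acl: list            # permit rules as (src_net, dst_net) CIDR strings
    peers: list          # 'set peer' addresses in the order configured
    transform_set: str = "vpnset"


def acl_permits(acl, src, dst):
    """True if any permit rule in the ACL covers the src/dst pair."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(src_net) and d in ip_network(dst_net)
               for src_net, dst_net in acl)


def select_entry(crypto_map, src, dst):
    """Top-down evaluation: the lowest sequence whose ACL matches wins.
    Later instances are never consulted for that packet, whether or not
    the winning instance can actually bring up a tunnel."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_permits(entry.acl, src, dst):
            return entry
    return None


def bring_up_tunnel(entry, reachable):
    """Try the entry's peers in configured order and stop at the first one
    a tunnel can be built to. 'reachable' stands in for IKE succeeding."""
    tried = []
    for peer in entry.peers:
        tried.append(peer)
        if peer in reachable:
            return peer, tried
    return None, tried


def negotiate(crypto_map, src, dst, reachable):
    """Outcome for one packet: which instance matched, which peers were
    attempted, and which peer (if any) the traffic is encrypted to."""
    entry = select_entry(crypto_map, src, dst)
    if entry is None:
        return {"seq": None, "tried": [], "peer": None}  # no crypto map hit
    peer, tried = bring_up_tunnel(entry, reachable)
    return {"seq": entry.seq, "tried": tried, "peer": peer}


# Constructed sample data; the peer addresses are the placeholders from the thread.
ACL_101 = [("10.1.0.0/16", "10.2.0.0/16")]

# First config from the question: two instances sharing 'match address 101'.
TWO_SEQUENCES = [
    CryptoMapEntry(20, ACL_101, ["1.1.1.1"]),
    CryptoMapEntry(30, ACL_101, ["2.2.2.2"]),
]

# Second config from the question: one instance with two 'set peer' lines.
TWO_PEERS = [
    CryptoMapEntry(20, ACL_101, ["1.1.1.1", "2.2.2.2"]),
]

if __name__ == "__main__":
    src, dst = "10.1.5.5", "10.2.7.7"
    primary_down = {"2.2.2.2"}   # only the backup address answers IKE
    print("two sequences, primary down:", negotiate(TWO_SEQUENCES, src, dst, primary_down))
    print("two peers, primary down:    ", negotiate(TWO_PEERS, src, dst, primary_down))
    print("two peers, both up:         ", negotiate(TWO_PEERS, src, dst, {"1.1.1.1", "2.2.2.2"}))
```

With the primary address unreachable, the two-sequence map reports instance 20 with a single attempt to 1.1.1.1 and no tunnel, while the two-peer map reports the same instance with 2.2.2.2 selected after 1.1.1.1 fails. The model only covers the direction the reply discusses, the PIX initiating; how quickly a real PIX gives up on the first peer depends on its IKE retry behaviour, which is not modelled here, and each router still needs its own crypto map whose ACL mirrors 101 from the router's side.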