Cisco Support Community

VPN redundancy

My question to the forum is what type of options do I have for backing up my existing IPSEC tunnel devices? For example I have a bunch of PIX 506 firewalls connected via DSL to the Internet. The Hub Site is a Cisco PIX 515 firewall with T1 access. We all know how reliable DSL companies are so I want to back up the DSL with a 1720 dialing up to a local ISP. My question is how will this work in an IPSEC private IP to private IP LAN-to-LAN tunnel scenario? How will the PIX know how to encrypt packets to the remote network through a new tunnel end point destination?

Any suggestions would be appreciated.


Michael T. Fistler

Cisco CCIE #4503

Sr. Systems Engineer, Networking Concepts, Inc.


Re: VPN redundancy

Not knowing your configuration and where the router sits in the equation, I've decided to give you a design that works.


Any one of the following will work:

1. The VPNs are between the remote site PIX 506s and the PIX 515, and the routers just provide resilient network connectivity using ISDN backup. This reduces the complexity of the IPSec portion, and provides resilience via standard network means.

2. The site-to-site VPNs are between the remote site routers and the hub PIX 515, with the PIX knowing each remote by its DSL interface IP and its ISDN interface IP. This begins to complicate the IPSec setup.

3. The VPNs are constructed between the routers instead of the PIXs.

I've assumed that you have total control of the PIX + router for each site and that the router provides the xDSL and ISDN connectivity. If your ISP provides the xDSL connectivity for you, another router with dual Ethernet and 1 ISDN would be ideal i.e.


I guess what I'm saying is keep the security bits simple, and use the network to provide resilience ;)

Hope this helps
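The hub-side shape of option 2 above (one crypto map entry that knows the remote by both its DSL and its ISDN address), as an added illustration that is not part of the thread: it is written in Cisco IOS syntax, whereas the hub in the thread is a PIX 515 whose command syntax differs. Addresses, names and the pre-shared key are placeholders, and, as in the answer, the remote's ISDN address is assumed to be fixed and known.

```cisco
! Hub router, option 2: the remote site can appear from either of two addresses.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! One pre-shared key entry per address the remote site can come from
crypto isakmp key PLACEHOLDER_KEY address 203.0.113.2
crypto isakmp key PLACEHOLDER_KEY address 198.51.100.2
!
! Dead peer detection: without it the hub keeps using the stale SA to the
! DSL address long after that path has failed
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set REMOTE-TS esp-3des esp-sha-hmac
!
! Both endpoint addresses sit in the same crypto map entry; the hub tries them
! in order when it initiates, and accepts inbound IKE from either of them
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set peer 198.51.100.2
 set transform-set REMOTE-TS
 match address REMOTE-SITE-1
!
! "Interesting" traffic is private LAN to private LAN, so it does not change
! when the outside address of the remote site changes
ip access-list extended REMOTE-SITE-1
 permit ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
interface Serial0
 description T1 to the Internet
 crypto map HUB-MAP
```

The remote side mirrors the crypto ACL and carries the same map on both its DSL and ISDN interfaces; the hub only re-encrypts via the second address once the SA to the first has been torn down, which is why the keepalive line matters.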
