Redundant IPSEC VPN tunnels-router or PIX

stephen.simpson (Level 1)

I have a request to build two IPSEC VPN tunnels across two different ISPs at site A, going to site B, which has one ISP and a PIX. Site A has a PIX and a couple of 2691 routers. Which design would make better use of the two-ISP redundancy at site A: two routers facing the Internet, with one on the back end to make routing decisions? We don't have a router option at site B. Any suggestions would be appreciated.

3 Replies

jwalker (Level 3)

I actually did a similar project recently that involved an ASA 5505 with a backup Internet connection and a PIX 515 (main branch). The ASA has one crypto map config that is applied to both interfaces. The PIX has separate site-to-site connections to the ASA's interfaces that are set to originate-only. You also have to enable (should be done already) keepalives on all peers.

Hope this helps...
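Editor's note: the following is an added example configuration, not jwalker's actual config, showing what the reply above describes in PIX/ASA 7.x to 8.2 syntax (ASA 8.4 and later rename these commands to `crypto ikev1 ...`). Everything concrete in it is assumed: the branch ASA has a primary ISP interface `outside` at 203.0.113.10 and a DSL interface `backup` at 192.0.2.10, the main-site PIX is at 198.51.100.10, the LANs are 10.2.0.0/24 (branch) and 10.1.0.0/24 (main), and the PIX side uses Cisco's multi-peer `set peer` form of "originate-only" rather than two separate crypto map entries. NAT exemption is left out because its syntax depends on the software version.

```cisco
! ===== Branch ASA 5505: one crypto map applied to BOTH ISP interfaces =====
! Assumed addresses: outside = 203.0.113.10 (primary ISP), backup = 192.0.2.10 (DSL)
access-list SITE-B-TO-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0

crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! ISAKMP must be enabled on every interface the crypto map is applied to
crypto isakmp enable outside
crypto isakmp enable backup

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! A single map entry; the peer is the same PIX whichever interface is in use
crypto map VPN 10 match address SITE-B-TO-A
crypto map VPN 10 set peer 198.51.100.10
crypto map VPN 10 set transform-set ESP-AES-SHA
crypto map VPN interface outside
crypto map VPN interface backup

tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
 ! DPD keepalives: probe after 10 s idle, retry every 2 s, tear down the SA on failure
 isakmp keepalive threshold 10 retry 2

! ===== Main-site PIX 515: originate-only toward either branch address =====
access-list SITE-A-TO-B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

crypto map VPN 10 match address SITE-A-TO-B
! Both branch addresses listed; the PIX tries them in order when it originates
crypto map VPN 10 set peer 203.0.113.10 192.0.2.10
crypto map VPN 10 set connection-type originate-only
crypto map VPN 10 set transform-set ESP-AES-SHA
crypto map VPN interface outside

! One tunnel-group per branch address, each with keepalives enabled
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
 isakmp keepalive threshold 10 retry 2
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
 isakmp keepalive threshold 10 retry 2
```

Two things to check after applying this: `show crypto isakmp sa` on both boxes should show a single Phase 1 SA whose peer address changes after a failover, and the PIX only originates when interesting traffic hits the crypto map, so with nothing flowing from the main site the tunnel over the backup path is not rebuilt on its own.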

Thanks for your reply. In the example that you gave, how were you able to dynamically reroute the traffic over the other VPN when one ISP went down? HSRP with tracking on the outside interfaces?

I set up SLA tracking on the ASA 5505. It sends a ping to the default route of the primary circuit every few minutes. As long as it gets a response, it assumes the connection is active. If the reply isn't received in a certain amount of time, it fails over to the DSL circuit. The only problem with this solution is you have to have the other side initiate the VPN, so you would have to have someone connect back to the branch location if there is a failover to rebuild the VPN over the backup connection. I have a ping script at my main branch that accomplishes this.
