Cisco Support Community

New Member

Tunnel to VPN Concentrator 3000 with redundant connectivity from 2 IPs

I am using an IPSec LAN-to-LAN tunnel from a single source computer behind a Fortinet firewall to a single computer behind a VPN Concentrator 3000 (which is behind a PIX firewall).

The Fortinet device has 2 external IPs from which it can connect. The Concentrator/PIX has only 1 external IP to which connections can be made.

I want to be able to alternatively establish the tunnel between the Fortinet and the Concentrator from either of the 2 external IPs on the Fortinet.

I know how to set up the Fortinet to allow this. However, I do not know what to do in the Concentrator to allow for potentially multiple incoming peer IP addresses. Can anyone help?

Is it possible to create a single IPSec LAN-to-LAN connection which has multiple peer IP addresses? Or, would I have to create two similar IPSec LAN-to-LAN connections, each with a different peer IP address?

Thanks for your consideration.



Re: Tunnel to VPN Concentrator 3000 with redundant connectivity

configuration > tunneling and security > ipsec > lan-to-lan.

when you configure a lan-to-lan, the 5th parameter is "peers". you can put both fortinet public IPs there.

according to cisco:

In a backup LAN-to-LAN setup, the remote peer always initiates the connection. It tries to connect to the first VPN Concentrator on its peer list. If that VPN Concentrator is unavailable, then it tries to connect to the second peer on the list. It continues in this way until it connects to one of the peers on the list.

New Member

Re: Tunnel to VPN Concentrator 3000 with redundant connectivity

Thanks for your reply.

I guess one of the main issues for me is that I want the Fortigate firewall to be the one to initiate the connection from one of its public IPs to the Concentrator, not the other way around. The Concentrator only seems to allow multiple peers (as you describe above) when it is in Originate-Only mode, not Bi-Directional or Answer-Only.

Any further help would be appreciated.

Best regards,



Re: Tunnel to VPN Concentrator 3000 with redundant connectivity

in that case, ezvpn seems to be the way. however, i'm not too sure whether fortigate can be configured as a vpn hardware client or not.
