We are thinking about how we can make our IPSEC tunnels fail over automatically. We have a simple design where the IPSEC endpoint is terminated on a PIX/ASA firewall and the other end is our client. We want to have a mechanism so that whenever our client peer goes down, the traffic will be rerouted to one of our centers which has the backup tunnel configuration. Usually we use static routes to force the traffic to be routed to the other center, but we want to do it automatically. Do you have any idea how? Thanks.
I assume what you mean is if the vpn client is unable to reach the primary IPSec peer, which is PIX/ASA at the main site, you would like the vpn client to automatically try to connect to your other centre (assuming that VPN Client IPSec has been configured at your other centre).
If the above assumption is correct, on the vpn client you can enable the backup server list, and you can add the other centre as the peer. However, you would need to make sure that the group name and pre-shared key are the same as at the main site.
Oh thanks for the reply but I think I didn't make myself clear.
Our setup is that we access our clients' servers using point-to-point IPSEC tunnels. There are times when the ISP loses connectivity to the client's network for unknown reasons. It could be a link failure or too much congestion. If that happens, our ASA/PIX firewall will lose connectivity to its peer. So what we do in our core switches is to point the traffic to another center/office over our internal links, where the backup IPSEC tunnel configuration is configured. The backup ISP is a different provider, so there is a chance that the peer can be accessible from the other one. The backup tunnel is also used whenever our primary internet is down.
You can configure 2 "set peer" statements on the same crypto map to that client, and it will connect to the first peer on the list, and if the first peer is not accessible, it will automatically try to connect to the second peer configured.
! <...> are placeholders; the set peer line lists the primary peer first, then the backup
crypto map mymap 10 match address <crypto-acl>
crypto map mymap 10 set peer <primary-peer-ip> <backup-peer-ip>
crypto map mymap 10 set transform-set <transform-set-name>
You also need to remember to configure a pre-shared key for the second peer.
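A small audit for that last caveat, added here as an example (it is not from the thread or from Cisco): it parses a constructed ASA/PIX-style config and reports any peer in a crypto map "set peer" list that has no pre-shared key defined (ASA "tunnel-group ... ipsec-attributes" or PIX 6.x / IOS "isakmp key ... address"), which is exactly the case where failover to the backup peer fails. The regexes, the sample addresses and the config lines are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample (not from the thread): two peers on the crypto map,
# but only the primary peer has a tunnel-group with a pre-shared key.
SAMPLE_CONFIG = """
crypto map mymap 10 match address client-acl
crypto map mymap 10 set peer 198.51.100.10 203.0.113.20
crypto map mymap 10 set transform-set ESP-AES-SHA
crypto map mymap interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key *****
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
ISAKMP_KEY_RE = re.compile(r"^(?:crypto )?isakmp key \S+ address (\S+)")

def crypto_map_peers(config: str) -> Dict[str, List[str]]:
    """Map 'mapname seq' -> ordered failover list of peers from 'set peer' lines."""
    peers: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = PEER_RE.match(line.strip())
        if m:
            peers.setdefault(f"{m.group(1)} {m.group(2)}", []).extend(m.group(3).split())
    return peers

def keyed_peers(config: str) -> Set[str]:
    """Peers that have a pre-shared key, via tunnel-group submode or isakmp key."""
    found: Set[str] = set()
    current = None  # tunnel-group whose ipsec-attributes submode we are in
    for line in config.splitlines():
        s = line.strip()
        m = TG_ATTR_RE.match(s)
        if m:
            current = m.group(1)
            continue
        if current and s.startswith("pre-shared-key"):
            found.add(current)
            continue
        m = ISAKMP_KEY_RE.match(s)
        if m:
            found.add(m.group(1))
        if s.startswith(("tunnel-group", "crypto ")):
            current = None  # any new top-level command leaves the submode
    return found

def find_unkeyed_peers(config: str) -> Dict[str, List[str]]:
    """Per crypto map entry, the peers in its failover list that have no key."""
    keyed = keyed_peers(config)
    return {entry: [p for p in plist if p not in keyed]
            for entry, plist in crypto_map_peers(config).items()
            if any(p not in keyed for p in plist)}
```

Running find_unkeyed_peers(SAMPLE_CONFIG) flags 203.0.113.20 under "mymap 10"; adding a key for that peer makes the result empty.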