PIX501, switch to backup VPN

richmorrow624
Level 1

I have several remote sites with a lan to lan connection to VPN Concentrators at the main site.

The remote end is configured with PIX501's.

I have moved some of the remote sites to a different peer at the Main site(with a different IP address).

In the remote site I just created an additional policy to a different peer, gave it a higher priority and pointed it to the newly configured VPN concentrator.

The main site required a route change to direct traffic to the remote site LAN.

The old config remains in the PIX at the remote site (with a lower priority) and in the PIX at the main site.

I have two questions:

Is it possible to set up a policy to direct the traffic to the remote site subnet from the main site if the link at the main site goes down?

If so, will the PIX 501 at the remote site dynamically send traffic to the lower priority policy if the higher one is unavailable?


cpembleton
Level 4

From your post it appears you are confused on how the policies work. When you say policy, are you referring to the ISAKMP policy or the Crypto Map?

The crypto map statements identify the traffic and what peer it needs to connect in order to reach the destination network. If the peer is no longer able to be reached it does not try another policy. You can add a second peer in the matching crypto map.

example:

crypto map mymap 10 set peer 192.168.1.100
crypto map mymap 10 set peer 192.168.1.101

If the active peer is no longer working it will move down the list until it finds a working peer, which becomes the new active. If the first peer comes back online the tunnel won't change back until the SA times out or is no longer available.

Hope this helps.

Chad
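The point of the reply above, put into a fuller remote-site configuration: one crypto map entry carrying both concentrator peers, rather than two entries with different priorities. This is an added example in PIX 6.x syntax, not configuration from the original post; the addresses, subnets, names and the `isakmp keepalive` line (dead-peer detection, assumed syntax) are placeholders and assumptions.

```cisco
! Remote-site PIX 501, PIX 6.x syntax. All addresses are placeholders.
! Interesting traffic: remote LAN 10.20.0.0/24 to main-site LAN 10.10.0.0/24.
access-list vpn-to-main permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list vpn-to-main

! esp-3des needs the 3DES feature license on a 501; esp-des is the fallback.
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! ONE map entry (sequence 10), TWO peers. The first listed peer is tried first;
! only if it stops responding does the PIX fall through to the next one.
! A second entry with a different sequence number would NOT give failover.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn-to-main
crypto map mymap 10 set peer 192.0.2.10
crypto map mymap 10 set peer 192.0.2.11
crypto map mymap 10 set transform-set strong
crypto map mymap interface outside

! Each peer, old concentrator and new, needs its own pre-shared key entry.
isakmp enable outside
isakmp key <shared-secret> address 192.0.2.10 netmask 255.255.255.255
isakmp key <shared-secret> address 192.0.2.11 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Dead-peer detection (assumed syntax: 10 s interval, 3 retries) so a failed
! peer is noticed promptly instead of waiting for the SA to expire.
isakmp keepalive 10 3
```

After a failover, `show crypto isakmp sa` and `show crypto ipsec sa` on the PIX show which peer currently holds the active SA; as the reply notes, it stays on that peer until the SA expires even after the first peer returns.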
