05-05-2010 08:02 AM
Hello,
I'd like to configure a backup connection for our site-to-site VPN but everything I tried doesn't work so far.
Here is what I tried:
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address allow-vpn
crypto map outside_map 20 set peer IP_Primary
crypto map outside_map 20 set peer barnvpn1
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address IP_Primary netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address barnvpn1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
and
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address allow-vpn
crypto map outside_map 20 set peer IP_Primary
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address allow-vpn
crypto map outside_map 30 set peer barnvpn1
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address IP_Primary netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address barnvpn1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
With the first one, it connects to IP_Primary but if I stop this connection, it doesn't fail back to barnvpn1 unless I reboot the PIX.
If I'm right, the 2nd one would be more to get 2 VPN connections at the same time but it doesn't work either.
The pix is on V6.3.5.
Thank you for the help!
05-05-2010 08:12 AM
Hi,
The configuration to have a backup VPN is the first one.
crypto map outside_map 20 set peer IP_Primary
crypto map outside_map 20 set peer barnvpn1
With the above configuration, it will attempt to connect to IP_Primary first and if it fails it will attempt to connect to barnvpn1.
Both IPs belong to the same remote device?
Can you PING both IPs from the PIX?
Federico.
05-05-2010 08:23 AM
Hi,
No, one of them is a cisco concentrator, the 2nd one being an ASA. At some point the two IP addresses will point to the ASA though.
Yes I can ping them both from the PIX.
The config works pretty much as you said, it actually connects to barnvpn1 but only after a reboot where I would need it to be automatic.
Thanks,
Arnaud
05-05-2010 08:28 AM
Arnaud,
It should be automatic.
When the PIX cannot establish the tunnel to the first peer, it will attempt the second one.
How are you doing the test?
Because, if the PIX already established a tunnel with the first peer, it might not attempt to establish a tunnel to the second peer until the SAs are cleared.
Federico.
05-05-2010 08:30 AM
I deleted the config on the concentrator which killed the VPN connection but nothing happened after that until I rebooted the PIX.
Arnaud
05-05-2010 08:33 AM
Perhaps the PIX already had a VPN connection established to the Concentrator.
When you killed the config on the Concentrator, the tunnel will stay active on the PIX side (until it times out).
Try the following:
Have the concentrator offline.
Try to establish the tunnel from the PIX, it should try the concentrator and when not getting a response, should create a tunnel with the ASA.
You can use keepalives or DPD to allow the PIX to notice that the tunnel is down on the other side quick enough.
Federico.
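As an added illustration of Federico's advice (this is not Arnaud's running config and not a Cisco-provided template), here is the first crypto map combined with ISAKMP keepalives/DPD so the PIX notices a dead primary peer, followed by the exec commands to inspect and clear the stale SAs while testing. It assumes PIX 6.3 syntax, the 3DES/MD5 policy used in the thread, and the same placeholder peer names IP_Primary and barnvpn1; the access-list addresses are constructed placeholders.

```cisco
! --- Added example: backup peer with dead-peer detection on PIX 6.3 ---
! Interesting-traffic ACL referenced by the map (placeholder subnets)
access-list allow-vpn permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address allow-vpn
! Two peers on ONE map entry: the PIX tries IP_Primary first, then barnvpn1
crypto map outside_map 20 set peer IP_Primary
crypto map outside_map 20 set peer barnvpn1
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside

isakmp enable outside
isakmp key ******** address IP_Primary netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address barnvpn1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
! Send keepalives (DPD) every 10 s and retry every 5 s when unanswered, so the
! PIX tears down the SA to a dead primary instead of waiting for it to expire
isakmp keepalive 10 5

! --- Checks while testing the failover (exec mode) ---
! Which peer currently holds the phase-1 SA?
show crypto isakmp sa
! Drop the stale SAs so the next interesting packet renegotiates
! (the PIX starts again at IP_Primary and falls through to barnvpn1)
clear crypto isakmp sa
clear crypto ipsec sa
```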
05-05-2010 08:34 AM
I'll try that, thank you very much for your help!