
Backup PIX and VPN tunnel

stretchlad
Level 1

We are installing a second PIX and a second Internet connection at our central site.

We want to configure our remote sites (501/506s) to use the second PIX as a backup point for our site-to-site VPNs. So they will have multiple peers, one for the main PIX and one for the backup PIX.

The problem is how do we tell our core router which PIX to use at the central site to contact the remote site. Can any of the routing protocols report if a tunnel is up and advertise the network that it can connect to? We don't have routers at the remote sites.

1 Reply

sbilgi
Level 5

You need to add a second peer on the remote site so that if the tunnel with the first peer on the list goes down, the tunnel would be negotiated against the second IP address. On the main site, you will have to configure the same tunnel on two devices; let's say a router (primary) and a PIX (backup). You will have to configure exactly the same tunnel, but using routing we will be able to keep only the one going to the router; if the link goes down for any reason, a flowing static route would forward the traffic to the PIX so the tunnel can be negotiated.

ip route [Remote Site's Subnet] [ISP's IP address]

ip route [Remote Site's Subnet] [PIX's Internal IP address] 200

The metric 200 will make the route stay in a standby state.
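
The setup described in the reply above, written out as an added example that is not part of the original post: the two-peer crypto map on a remote PIX and the pair of static routes on the central-site primary router. All addresses, the names vpnmap and myset, the ACL number and the key placeholder are constructed for illustration; the PIX lines assume PIX OS 6.x syntax, and the central-site tunnel definitions (which mirror the remote one on both devices) are not shown.

```cisco
: ==== Remote-site PIX 501/506 (PIX OS 6.x syntax assumed) ====
: Constructed addressing: remote LAN 10.2.0.0/24, central LAN 10.1.0.0/16,
: primary peer 192.0.2.1, backup PIX outside address 198.51.100.1.
access-list 101 permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 101
: Peers are tried in the order listed: primary first, then backup.
crypto map vpnmap 10 set peer 192.0.2.1
crypto map vpnmap 10 set peer 198.51.100.1
crypto map vpnmap 10 set transform-set myset
crypto map vpnmap interface outside
isakmp enable outside
: One pre-shared key entry per central-site peer (placeholder values).
isakmp key <pre-shared-key> address 192.0.2.1 netmask 255.255.255.255
isakmp key <pre-shared-key> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

! ==== Central-site primary router (IOS) ====
! Constructed next hops: ISP 192.0.2.254, backup PIX inside address 10.1.0.2.
ip route 10.2.0.0 255.255.255.0 192.0.2.254
! The trailing 200 is the administrative distance. This route is installed
! only when the route above is withdrawn from the routing table, for
! example when its outgoing interface goes down.
ip route 10.2.0.0 255.255.255.0 10.1.0.2 200
```

After a failover test, `show ip route 10.2.0.0` on the router shows which next hop is currently installed, and `show crypto isakmp sa` on the remote PIX shows which central peer it has negotiated with.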