We use a VPN connection between two sites, A=10.1.x.x and B=10.2.x.x, using two PIXes.
The VPN connection works perfectly, well, it works perfectly 80% of the time.
Our different service providers sometimes have problems delivering the connection between our sites, and this makes the VPN connection break down from time to time.
And now we are searching for a backup solution for the VPN connection.
We have decided to use ISDN.
By placing a router in front (LAN side) of the PIX as the default gateway for the LAN, we have been thinking that it could use a routing protocol to detect when the VPN fails, and use the ISDN as the "backup" connection to the other site.
It would then look something like this:
LANA - R - Pix ------ VPN ---- Pix - R - LANB
Primary connection from A to B is the VPN, and if no routing updates are received from network B, the ISDN connection should be used.
It must be possible (the word impossible does not exist), but does anyone have some suggestions?
I don't know if the PIX can forward multicasts, and this could leave us with only a few old-fashioned routing protocols?
The PIX won't pass multicast traffic but can broadcast itself as a default route via RIP v2. Problem: the PIX won't know that the outside link went down. I wonder if you could set up a VPN tunnel from the outside router to the inside router to pass routing protocols through the PIX. Anybody tried this or have a good workaround?
We are doing the exact same thing. If you have your routers behind the PIX, you may establish a GRE (Generic Routing Encapsulation) tunnel between the two routers THROUGH the IPsec tunnel. GRE tunnels will forward broadcasts and multicasts, and encapsulate different types of traffic such as AppleTalk, NetBIOS, or IPX. This tunnel is configured as a tunnel interface on the routers and is up when the tunnel is established and goes down when the tunnel loses connection. This allows any routing protocol to detect the outage of the interface which is the current route, and initiate the dial backup interface and switch routes.
Hope this helps.
I found this old(er) posting by doing a search on GRE. This sounds like the solution I am looking for, but all the config examples on Cisco's site for GRE require crypto-enabled routers, which I don't have.
My PIX firewalls have complex mesh 3DES VPNs, but I would like to utilize GRE tunneling, and a single IPsec tunnel between my VPN locations, and use my existing slow WAN links as backups. The VPNs would be primary, and EIGRP would allow routing updates to pass between the locations.
Does anyone have sample router-to-router configs for GRE without DES-enabled software going through a PIX-to-PIX VPN?
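The following is an added worked example, not posted by anyone in this thread, of the design described in the GRE reply above and asked for in the last post: a plain GRE tunnel (no crypto feature set needed on the routers) between the two LAN routers, EIGRP across it, and a floating static route that brings up ISDN when the EIGRP route vanishes. All addresses, interface names, hostnames, the ISDN switch type and the dial string are assumptions: PIX A inside is 10.1.0.254 and router RA is 10.1.0.1/16; PIX B inside is 10.2.0.254 and router RB is 10.2.0.1/16; the tunnel uses 192.168.255.0/30 and the ISDN link 192.168.254.0/30. One caveat the reply glosses over: a GRE tunnel interface does not go down by itself when the path breaks; it stays up/up for as long as a route to the tunnel destination exists. The `keepalive` command on the tunnel interface is what makes line protocol drop, so it is the part that actually triggers the backup.

```cisco
! ---- Site A router (RA) ---- assumed addressing, see lead-in
hostname RA
!
isdn switch-type basic-net3
!
interface FastEthernet0/0
 description LAN A, default gateway for the hosts; PIX inside is 10.1.0.254
 ip address 10.1.0.1 255.255.0.0
!
interface Tunnel0
 description GRE to RB, carried inside the PIX-to-PIX IPsec tunnel
 ip address 192.168.255.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.2.0.1
 ! three missed 10-second keepalives bring line protocol down, which
 ! drops the EIGRP neighbour and the routes learned through the tunnel
 keepalive 10 3
 ! leave room for GRE (24 bytes) plus the ESP overhead the PIX adds
 ip mtu 1400
 ip tcp adjust-mss 1360
!
interface BRI0/0
 description ISDN backup to site B (dial string is assumed)
 ip address 192.168.254.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 dialer idle-timeout 300
 dialer map ip 192.168.254.2 name RB broadcast 5552000
 dialer-group 1
!
router eigrp 100
 ! LAN and tunnel only; the BRI is deliberately not in EIGRP so hellos
 ! never keep the ISDN call up
 network 10.1.0.0 0.0.255.255
 network 192.168.255.0 0.0.0.3
 no auto-summary
!
! host route for the tunnel endpoint via the PIX, so the endpoint can
! never be learned through the tunnel itself (recursive routing)
ip route 10.2.0.1 255.255.255.255 10.1.0.254
! floating static: AD 200 beats nothing while the EIGRP route (AD 90)
! via Tunnel0 exists; once that route is gone, traffic to 10.2.x.x hits
! this route and the interesting-traffic list below dials the ISDN
ip route 10.2.0.0 255.255.0.0 192.168.254.2 200
ip route 0.0.0.0 0.0.0.0 10.1.0.254
!
dialer-list 1 protocol ip permit
username RB password 0 backupsecret
!
! ---- Site B router (RB) ---- mirror image
hostname RB
!
isdn switch-type basic-net3
!
interface FastEthernet0/0
 ip address 10.2.0.1 255.255.0.0
!
interface Tunnel0
 ip address 192.168.255.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.1.0.1
 keepalive 10 3
 ip mtu 1400
 ip tcp adjust-mss 1360
!
interface BRI0/0
 ip address 192.168.254.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 dialer idle-timeout 300
 dialer map ip 192.168.254.1 name RA broadcast 5551000
 dialer-group 1
!
router eigrp 100
 network 10.2.0.0 0.0.255.255
 network 192.168.255.0 0.0.0.3
 no auto-summary
!
ip route 10.1.0.1 255.255.255.255 10.2.0.254
ip route 10.1.0.0 255.255.0.0 192.168.254.1 200
ip route 0.0.0.0 0.0.0.0 10.2.0.254
!
dialer-list 1 protocol ip permit
username RA password 0 backupsecret
```

Nothing changes on the PIXes as long as the existing crypto ACL already matches 10.1.0.0/16 to 10.2.0.0/16: the GRE packets are ordinary IP from 10.1.0.1 to 10.2.0.1, so they fall inside that ACL and the existing `nat 0` exemption, and with `sysopt connection permit-ipsec` the decrypted GRE (IP protocol 47) is not subject to the inside/outside interface ACLs. To check the failover, watch `show interfaces Tunnel0` (line protocol must go down when the WAN breaks), `show ip eigrp neighbors`, and `show ip route 10.2.0.0`: the route should flip from "D ... via 192.168.255.2, Tunnel0" to "S ... via 192.168.254.2" and back once the keepalives succeed again, after which the ISDN call idles out.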