Cisco Pix VPN Multiple peer statements...

tarseneault
Level 1

I have a partner I'm configuring a VPN for. It's a simple shared-password VPN with one difference I've never dealt with before: he has a primary and a secondary peer he needs me to use. I did some research and found that I can use "set peer xx.xx.xx.xx default" to specify the primary peer and more than one "set peer yy.yy.yy.yy" command to set secondary peers. What I don't know is this: if the primary should fail, the VPN will switch to one of the secondaries via DPD, and then, once the primary is fixed, how does the VPN fail back to it?

Thanks for your help

Tom

1 Reply

Todd Pula
Level 7

Having the redundant peer configuration allows the PIX to communicate with a secondary peer if the primary is unreachable. There is no default mechanism to alert the PIX that connectivity has been restored to the primary peer. There are two potential options. One is to use GRE over IPSec and have both tunnels up at the same time; you can then use a routing protocol to influence traffic via one path or the other.

Another option, depending on the PIX code version, is to configure IP SLA monitor and route tracking. For example, you could configure the PIX to ping the primary peer at a specified interval. You can then have a primary tracked route for the remote proxy along with a backup static route with a higher administrative distance. As long as the primary peer is reachable, the tracked static route will direct egress traffic for the remote proxy towards the primary peer. If the primary peer goes unreachable, the tracked route will be removed from the routing table and the secondary route will take over, directing egress traffic towards the secondary. You will want to make sure that DPD is correctly configured so that the stale SAs can be removed from the SADB. The doc below shows a sample SLA monitor and tracking config on a PIX running 7.2.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Todd
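The SLA monitor, route tracking and DPD approach from the reply above, written out as a configuration sketch. This is an added example, not code from the original thread or from the linked Cisco document; it assumes PIX/ASA 7.2 command syntax, uses documentation addresses (203.0.113.1 and 203.0.113.2 for the partner's primary and secondary peers, 198.51.100.0/24 for the partner's remote proxy, 10.0.0.0/24 for the local network), and assumes both peers are reachable as next hops on the PIX's outside subnet (the PIX does not resolve a next hop recursively, so if the peers sit behind an upstream gateway the gateway address would be the next hop instead). The names outside_map, partner_vpn and ESP-AES-SHA are placeholders; ISAKMP policy, NAT exemption and the transform set itself are omitted because they do not change for failover.

```cisco
! Added example, not from the original post or the linked doc.
! Assumed: PIX 7.2 syntax, documentation addresses, placeholder names.
!
! Interesting traffic: local 10.0.0.0/24 <-> partner 198.51.100.0/24 (constructed)
access-list partner_vpn extended permit ip 10.0.0.0 255.255.255.0 198.51.100.0 255.255.255.0

! --- Crypto map listing the primary peer first, then the secondary ---
! In 7.x both peers go on a single "set peer" line, in order of preference.
crypto map outside_map 10 match address partner_vpn
crypto map outside_map 10 set peer 203.0.113.1 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! --- DPD on both peers so a dead peer is detected and its stale SAs are torn down ---
! threshold = seconds of idle time before a keepalive is sent, retry = seconds between retries.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2

! --- SLA monitor: ICMP echo to the primary peer every 10 seconds, 3 probes per cycle ---
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! --- Track object that goes down when the SLA probe reports the primary unreachable ---
track 1 rtr 10 reachability

! --- Primary tracked route (AD 1) and floating backup route (AD 254) for the remote proxy ---
! While track 1 is up the AD-1 route wins; when it is pulled, the AD-254 route takes over.
! When the primary answers pings again, track 1 comes back up and the AD-1 route is
! reinstalled, so egress traffic for the remote proxy fails back without manual action.
route outside 198.51.100.0 255.255.255.0 203.0.113.1 1 track 1
route outside 198.51.100.0 255.255.255.0 203.0.113.2 254
```

To watch the failover and fail-back happen, `show sla monitor operational-state` reports the probe results, `show track 1` shows whether the track object is up or down, and `show route` shows which of the two static routes is currently installed. The SLA probe answers the original question about returning to the primary: DPD only tells the PIX that a peer has died, while the tracked route is what notices the primary is healthy again.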