07-09-2009 04:54 AM
I have a Cisco PIX 515E ver 7.2; below is the configuration I have set to achieve VPN failover even if one ISP fails, but this doesn't work. It only works if I put in bi-directional, irrespective of which one IP I have in there. Any suggestion?
crypto map pix-to-pix 36 match address Anand
crypto map pix-to-pix 36 set connection-type originate-only
crypto map pix-to-pix 36 set peer 1.1.1.1 2.2.2.2
crypto map pix-to-pix 36 set transform-set ESP-3DES-MD5
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key 123456
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 123456
07-21-2009 07:46 AM
How are you defining this "VPN failover"? Which end has the dual ISP? If the remote end is the one that will have 2 possible IP addresses, then this configuration is needed. Can you be a bit more specific?
07-21-2009 08:13 AM
Dual ISP is on the remote end. On my end it is a Cisco PIX with one ISP.
07-21-2009 08:17 AM
Then this is the needed configuration.
07-21-2009 08:21 AM
crypto map pix-to-pix 36 set connection-type originate-only
With this configuration the tunnel goes down when 2 IPs are added.
07-21-2009 08:23 AM
The remote end has to have answer-only for the tunnel to be started, and you need to have a public IP address to public IP address traffic definition if the remote end is not an ASA. If it were an ASA, as long as you have originate-only on one side and answer-only on the other end, the public-to-public ASA is automatically created.
07-21-2009 08:29 AM
The remote end is a Fortinet firewall device. How will I define the "public IP address to public IP address traffic definition"? I am not clear with this :-(
07-21-2009 08:31 AM
So say, for instance, your ASA has IP address 4.4.4.4 and your Fortinet has 3.3.3.3 and 2.2.2.2; your crypto access list on your ASA would look like this:
access-list crypto permit ip host 4.4.4.4 host 3.3.3.3
access-list crypto permit ip host 4.4.4.4 host 2.2.2.2
access-list crypto permit ip local network remote network
And the Fortinet should emulate this.
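As an added example (not from this thread), a small Python check that applies the reply above to a constructed PIX 7.2 config fragment: it verifies that a crypto map entry with more than one peer is set to originate-only, and that every peer has both a host-to-host ACE in the crypto ACL and an ipsec-l2l tunnel-group. The map name, ACL name and addresses are taken from the thread; the sample config itself is constructed.

```python
import re

# Constructed sample PIX 7.2 config fragment (not the poster's actual config):
# an originate-only crypto map with two remote peers, the public-to-public
# ACL entries the reply above describes, and a tunnel-group per peer.
SAMPLE_CONFIG = """\
access-list Anand permit ip host 4.4.4.4 host 3.3.3.3
access-list Anand permit ip host 4.4.4.4 host 2.2.2.2
access-list Anand permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map pix-to-pix 36 match address Anand
crypto map pix-to-pix 36 set connection-type originate-only
crypto map pix-to-pix 36 set peer 3.3.3.3 2.2.2.2
crypto map pix-to-pix 36 set transform-set ESP-3DES-MD5
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 2.2.2.2 type ipsec-l2l
"""


def check_multi_peer_map(config: str, map_name: str, seq: int) -> list:
    """Return the problems found for crypto map entry <map_name> <seq> (empty list = OK)."""
    lines = [l.strip() for l in config.splitlines()]
    prefix = f"crypto map {map_name} {seq} "
    entries = [l[len(prefix):] for l in lines if l.startswith(prefix)]
    peers, acl, conn_type, problems = [], None, None, []
    for e in entries:
        if e.startswith("set peer "):
            peers = e.split()[2:]          # all backup peers listed on one line
        elif e.startswith("match address "):
            acl = e.split()[2]
        elif e.startswith("set connection-type "):
            conn_type = e.split()[2]
    # A multi-peer entry only works as the originating side (thread's finding).
    if len(peers) > 1 and conn_type != "originate-only":
        problems.append("multiple peers require connection-type originate-only")
    if acl is None:
        problems.append("no match address")
        return problems
    # Remote hosts that have a public-to-public ACE in the crypto ACL.
    ace = re.compile(rf"^access-list {re.escape(acl)} permit ip host (\S+) host (\S+)$")
    hosts = {m.group(2) for l in lines if (m := ace.match(l))}
    # Peers that have an ipsec-l2l tunnel-group (pre-shared key lives there).
    tgs = {l.split()[1] for l in lines if l.startswith("tunnel-group ") and "type ipsec-l2l" in l}
    for p in peers:
        if p not in hosts:
            problems.append(f"peer {p}: no host-to-host ACE in {acl}")
        if p not in tgs:
            problems.append(f"peer {p}: no ipsec-l2l tunnel-group")
    return problems
```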
07-21-2009 08:35 AM
Thanks for the information. I will try this tomorrow when I am in the office.
07-23-2009 07:06 AM
I did something similar to this where the remote end was an ASA 5505. The 5505 has the dual-ISP option with the SLA monitoring. On the home end, I had to set it to originate-only. Additionally, I had to create a "ping script" that would generate interesting traffic to automatically rebuild the tunnel.