Multiple Peer on Single crypto configuration

Anand Narayana
Level 6

I have a Cisco PIX 515E running version 7.2. Below is the configuration I have set up to achieve VPN failover even if one ISP fails, but this doesn't work. It only works if I put in bi-directional, irrespective of which single IP I have in there. Any suggestion?

crypto map pix-to-pix 36 match address Anand
crypto map pix-to-pix 36 set connection-type originate-only
crypto map pix-to-pix 36 set peer 1.1.1.1 2.2.2.2
crypto map pix-to-pix 36 set transform-set ESP-3DES-MD5
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key 123456
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key 123456

9 Replies

Ivan Martinon
Level 7

How are you defining this "VPN failover"? Which end has the dual ISP? If the remote end is the one that will have two possible IP addresses, then this configuration is needed. Can you be a bit more specific?

Dual ISP is on the remote end. On my end it is Cisco pix with one ISP.

Then this is the needed configuration.

crypto map pix-to-pix 36 set connection-type originate-only

With this configuration the tunnel goes down when two IPs are added.

The remote end has to have answer-only for the tunnel to be started, and you need to have a public-IP-to-public-IP traffic definition if the remote end is not an ASA. If it were an ASA, as long as you have originate-only on one side and answer-only on the other end, the public-to-public ACL is automatically created.

The remote end is a Fortinet firewall device. How will I define the "public IP address to public IP address traffic definition"? I am not clear on this :-(

So say, for instance, your ASA has IP address 4.4.4.4 and your Fortinet has 3.3.3.3 and 2.2.2.2. Your crypto access list on your ASA would look like this:

access-list crypto permit ip host 4.4.4.4 host 3.3.3.3
access-list crypto permit ip host 4.4.4.4 host 2.2.2.2
access-list crypto permit ip local network remote network

And the fortinet should emulate this.
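The replies above add up to a checklist for a crypto map that lists more than one peer: originate-only on the single-ISP side, a host-to-host entry in the crypto ACL for every peer address, and a tunnel-group with a pre-shared key per peer. The script below is an added example, not code from the thread or from Cisco; it parses a config fragment in the shape the poster gave and reports which of those items are missing. The sample config is constructed: it is the poster's lines plus the two host-to-host ACEs recommended in the thread, with 4.4.4.4 as the assumed local public IP and 192.168.10.0/24 and 10.0.0.0/24 as assumed LAN subnets. As extra checks the thread does not ask for, it also flags pre-shared keys shorter than 16 characters and the 3DES/MD5 transform-set.

```python
"""Static check of a PIX/ASA 7.x crypto map that lists several peers.

Added example, not from the original thread. It applies the checks the replies
describe (originate-only with multiple peers, a 'permit ip host <local> host
<peer>' ACE per peer, a tunnel-group with a PSK per peer) and additionally
flags short PSKs and the 3DES/MD5 transform-set.
"""
import re
from collections import defaultdict

# Constructed sample: the poster's lines plus the host-to-host ACEs suggested
# in the thread. The local public IP 4.4.4.4 and the LAN subnets are assumed.
SAMPLE_CONFIG = """
access-list Anand permit ip host 4.4.4.4 host 1.1.1.1
access-list Anand permit ip host 4.4.4.4 host 2.2.2.2
access-list Anand permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map pix-to-pix 36 match address Anand
crypto map pix-to-pix 36 set connection-type originate-only
crypto map pix-to-pix 36 set peer 1.1.1.1 2.2.2.2
crypto map pix-to-pix 36 set transform-set ESP-3DES-MD5
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key 123456
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key 123456
"""


def parse(config):
    """Return (crypto map entries, ACLs, tunnel-groups) from running-config text."""
    entries = defaultdict(dict)   # (map name, seq) -> settings for that entry
    acls = defaultdict(list)      # ACL name -> token lists after 'permit ip'
    tgs = defaultdict(dict)       # peer address -> {'type': ..., 'psk': ...}
    current_tg = None             # tunnel-group whose ipsec-attributes we are in
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) (\d+) (.+)", line):
            key, rest = (m.group(1), int(m.group(2))), m.group(3).split()
            if rest[:2] == ["match", "address"]:
                entries[key]["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entries[key]["peers"] = rest[2:]
            elif rest[:2] == ["set", "connection-type"]:
                entries[key]["conn"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entries[key]["transforms"] = rest[2:]
        elif m := re.match(r"access-list (\S+) permit ip (.+)", line):
            acls[m.group(1)].append(m.group(2).split())
        elif m := re.match(r"tunnel-group (\S+) type (\S+)", line):
            tgs[m.group(1)]["type"] = m.group(2)
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            current_tg = m.group(1)
        elif (m := re.match(r"pre-shared-key (\S+)", line)) and current_tg:
            tgs[current_tg]["psk"] = m.group(1)
    return entries, acls, tgs


def host_pairs(aces):
    """Set of (src, dst) from 'host X host Y' entries; subnet entries are ignored."""
    return {(a[1], a[3]) for a in aces if len(a) == 4 and a[0] == a[2] == "host"}


def check(config, local_public_ip):
    """Return a list of human-readable findings; an empty list means the map passes."""
    entries, acls, tgs = parse(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        peers, acl, conn = e.get("peers", []), e.get("acl"), e.get("conn")
        if len(peers) > 1 and conn != "originate-only":
            findings.append(f"{tag}: {len(peers)} peers but connection-type is "
                            f"{conn}; the thread recommends originate-only")
        pairs = host_pairs(acls.get(acl, []))
        for p in peers:
            if (local_public_ip, p) not in pairs:
                findings.append(f"{tag}: ACL {acl} has no 'permit ip host "
                                f"{local_public_ip} host {p}' entry for peer {p}")
            tg = tgs.get(p, {})
            if tg.get("type") != "ipsec-l2l":
                findings.append(f"{tag}: no 'tunnel-group {p} type ipsec-l2l'")
            elif "psk" not in tg:
                findings.append(f"{tag}: tunnel-group {p} has no pre-shared-key")
            elif len(tg["psk"]) < 16:
                findings.append(f"{tag}: pre-shared key for {p} is shorter than 16 characters")
        for t in e.get("transforms", []):
            if "3DES" in t.upper() or "MD5" in t.upper():
                findings.append(f"{tag}: transform-set {t} uses 3DES/MD5; prefer AES with SHA")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG, "4.4.4.4"):
        print(finding)
```

Run against the poster's original lines (no host-to-host ACEs) the checker reports a missing ACE for each of 1.1.1.1 and 2.2.2.2; with the two ACEs added, the only remaining findings are the six-character PSK shared by both tunnel-groups and the 3DES/MD5 transform-set. The PSK and transform checks are a thread-independent hardening opinion: a short key reused across peers weakens IKE aggressive/main mode authentication, and 3DES and MD5 are deprecated on current ASA releases.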

Thanks for the information. I will try this tomorrow when i am in office.

I did something similar to this where the remote end was an ASA 5505. The 5505 has the dual-ISP option with SLA monitoring. On the home end, I had to set it to originate-only. Additionally, I had to create a "ping script" that would generate interesting traffic to automatically rebuild the tunnel.
