Re: PIX-IPsec Site-Site VPN Tunnel Redundancy

rpsrekhi3 · ‎08-14-2006

Hi,

How do i enable Site-Site Tunnel redundancy on PIX,so that if one of the peer is not responding,the tunnel gets established with the second configured peer.

I read about configuring multiple peers with the crypto map command:

crypto map redundant 10 set peer 1.1.1.1

crypto map redundant 10 set peer 1.1.1.2

Will this work ?

If the first peer comes back online,will the VPN tunnel move over?

Whats the best way.

Iam running PIX version 6.3

Thanks!

cpembleton · ‎08-14-2006

multiple peers would be the way to go. You could also configure Deed Peer Detection (DPD) to speed up the failover.

isakmp keepalive 30 [interval] 5 [retry]

It does not have a failback feature.

You could shorten the lifetime so the tunnels don't last as long and start back at the top of the peer list.

rpsrekhi3 · ‎08-14-2006

Thanks ! this is what i was looking for.

I guess i need to:

1. Remove the crypto Map

2. Modify it

3. Reapply

in that order.But that would affect my other connections as well.Is there any safe way out?

Regards

RPS

cpembleton · ‎08-14-2006

You can add the changes without removing the crypto map. Then schedule to manually clear the tunnel off hours. When the tunnel rebuilds it will have the new setttings.

Clear tunnel:

conf t

clear crypto isa sa

clear crypto ips sa

Thanks,

Chad

Please rate posts if they help.