[c-nsp] IPSec VPN between PIX and two routers

Primoz Jeroncic jp at softnet.si
Tue Oct 4 05:30:05 EDT 2005


Hi everyone... again :)

Lately I have had a bunch of questions, but hopefully I'm done
bugging you after this one :)
I have one client with a PIX firewall at the central location and two
Cisco routers (c1712) at the remote location (both at the same location).
Currently the IPSec VPN is established only between the PIX and the first
c1712, and behind these they have a c2600 (at the central location) and a
c1720 (at the remote location). BGP is running between the c2600 and the
c1720, so in case of VPN downtime they route this traffic over ISDN links.
All of this is working fine.
Now they want to add a second c1712 at the remote location and connect it
over a different link (it can also be a different ISP), so that if the
primary link goes down they would have a VPN over the second link, and only
if this second link is down too would traffic be routed over ISDN. No problem
doing this with BGP. The problem is that no matter what timeout I set, the
current VPN on the PIX doesn't go down for way too long a time. After I do
"clear crypto isakmp sa" on the PIX, the VPN connection to the second peer is
established without problems and everything works fine. The same procedure
is needed when the primary link comes back up, and this is something I want
to avoid. I need some info on how to force the VPN connection to die faster
on the PIX if the primary peer is not reachable anymore, so the VPN to the
secondary peer can get established.

Current config for VPN peer on PIX is:
crypto map m1 20 ipsec-isakmp
crypto map m1 20 set peer x.x.x.x ! ip address of c1712 on primary link
crypto map m1 20 set peer y.y.y.y ! ip address of c1712 on secondary link
...
isakmp keepalive 10
...
isakmp policy 1 lifetime 120
...

Basically I would like to set up the PIX so that the VPN session expires
as soon as possible after the primary peer goes down, so it can
establish a session to the secondary peer. I know short keepalives and/or
lifetimes mean more useless traffic, but in this case that's not a problem.

Is there any possibility to do this? The current one doesn't expire in
10 s, and not in 120 s either. And not in 2 or 3 times those values
either.

Thanks for all your help.

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o.  tel:  +386 1 562 31 40   |
Borovec 2       fax:  +386 1 562 18 55   |       1 + 1 = 3
1236 Trzin      primoz(at)softnet.si     | for larger values of 1
Slovenija       http://flea.softnet.si/
-------------------------------------------------------------------
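Until the PIX itself detects the dead peer, the only thing that moves the crypto map to the second "set peer" in the post is the manual "clear crypto isakmp sa". The following is an added example, not code from the original post or from Cisco: an out-of-band watchdog that probes the primary peer, debounces the result so a single lost packet does not tear down a healthy tunnel, and on every confirmed flip (primary down, and again when it comes back) hands the clear command to whatever session you keep open to the PIX. The ICMP probe, the threshold of three consecutive failures, the `act` callback and the `dpd_worst_case` timing model are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Out-of-band watchdog for a PIX crypto map with two 'set peer' entries.

Added example; this is not code from the original post or from Cisco. It
assumes the primary peer answers ICMP echo from the box running the script,
that the PIX accepts "clear crypto isakmp sa" (the command the poster runs by
hand), and that a debounced reachability flip, in either direction, is the
moment to force it so the crypto map re-negotiates with the right peer.
"""
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, List, Tuple

PIX_CLEAR_SA = "clear crypto isakmp sa"  # quoted in the post; pushed via the
                                          # out-of-band session of your choice


def dpd_worst_case(keepalive: float, retry: float, retries: int) -> float:
    """Simple model of how long a keepalive-based liveness check needs to
    declare a silent peer dead: one idle interval, then `retries` unanswered
    probes spaced `retry` seconds apart. Assumed model, not PIX-measured."""
    return keepalive + retries * retry


@dataclass
class PeerState:
    """Debounced reachability: the state flips only after `threshold`
    consecutive probe results that disagree with it, so one lost ping
    does not clear the SA of a healthy tunnel."""
    threshold: int = 3
    reachable: bool = True
    streak: int = 0

    def observe(self, alive: bool) -> bool:
        """Feed one probe result; return True when the state just flipped."""
        if alive == self.reachable:
            self.streak = 0
            return False
        self.streak += 1
        if self.streak >= self.threshold:
            self.reachable = alive
            self.streak = 0
            return True
        return False


def decide_actions(results: List[bool], threshold: int = 3) -> List[Tuple[int, bool]]:
    """Run a probe history through the debouncer and return every flip as
    (index, new_reachable). Each flip is a point where the SA must be cleared:
    False means "primary died, fall back", True means "primary is back"."""
    state = PeerState(threshold=threshold)
    return [(i, alive) for i, alive in enumerate(results) if state.observe(alive)]


def ping(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via the system ping (Linux-style -c/-W flags assumed)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def run_watchdog(peer: str, act: Callable[[str], None],
                 probe: Callable[[str], bool] = ping,
                 interval_s: float = 5.0, threshold: int = 3) -> None:
    """Poll the primary peer forever; on every debounced flip call act()
    with the PIX command to push. `act` is the hypothetical hook where your
    SSH/telnet session to the PIX goes (not shown here)."""
    state = PeerState(threshold=threshold)
    while True:
        if state.observe(probe(peer)):
            print(f"primary {'up' if state.reachable else 'down'}: {PIX_CLEAR_SA}")
            act(PIX_CLEAR_SA)
        time.sleep(interval_s)


if __name__ == "__main__":
    # Constructed probe history: primary dies, then comes back.
    history = [True, True, False, False, False, False, True, True, True]
    print(decide_actions(history))                           # [(4, False), (8, True)]
    print(dpd_worst_case(keepalive=10, retry=2, retries=3))  # 16
```

With the poster's "isakmp keepalive 10" the model above gives the floor on how fast any keepalive scheme can react; the watchdog's probe interval times its threshold is the comparable figure for this script, so pick them so that the script does not fire before the PIX has had a fair chance to notice on its own.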