VPN
Configuring a Site-to-Site VPN
Cisco ISA500 Series Integrated Security Appliances Administration Guide 348
8
SA-Lifetime: Enter the lifetime of the IPsec Security Association (SA). The
IPsec SA lifetime represents the interval after which the IPsec SA becomes
invalid. The IPsec SA is renegotiated after this interval. The default value is 1
hour.
STEP 5 In the VPN Failover tab, enter the following information:
WAN Failover Enable: Click On to enable WAN Failover for site-to-site VPN,
or click Off to disable it. If you enable WAN Failover, the backup WAN port
ensures that VPN traffic rolls over to the backup link whenever the primary
link fails. The security appliance will automatically update the local WAN
gateway for the VPN tunnel based on the configurations of the backup WAN
link. Because the local IP address changes on failover, either configure
Dynamic DNS or let the remote gateway use a dynamic IP address.
NOTE: To enable WAN Failover for site-to-site VPN, make sure that the
secondary WAN port is configured and that WAN redundancy is set to
Failover or Load Balancing mode.
Redundant Gateway: Click On to enable Redundant Gateway, or click Off to
disable it. If you enable Redundant Gateway, when the connection of the
remote gateway fails, the backup connection automatically becomes active.
A backup policy comes into effect only if the primary policy fails.
-Select Backup Policy: Choose a policy to act as a backup of this policy.
-Fallback Time to switch from back-up to primary: Enter the number of
seconds that must pass to confirm that the primary tunnel has recovered
from a failure. If the primary tunnel is up for the specified time, the
security appliance will switch to the primary tunnel by disabling the
backup tunnel. Enter a value in the range 3 to 59 seconds. The default
value is 5 seconds.
NOTE: DPD should be enabled if you want to use the Redundant
Gateway feature for an IPsec VPN connection.
STEP 6 Click OK to save your settings.
STEP 7 When both the Site-to-Site VPN feature and the IPsec VPN policy are enabled, a
warning message appears saying “Do you want to make this connection active
when the settings are saved?”
If you want to immediately activate the connection after the settings are
saved, click the Activate Connection button. After you save your settings,
the security appliance will immediately try to initiate the VPN connection.
You can check the Status column to view its connection status.
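
The Redundant Gateway fallback timer from STEP 5, modeled as an added example (not Cisco's code and not output captured from an appliance). It assumes one DPD liveness sample per second and that the timer needs continuous primary uptime, restarting on each drop; the function names and the sample timeline are constructed for illustration.

```python
"""Model of the Redundant Gateway fallback timer (added example, not appliance code)."""

FALLBACK_MIN, FALLBACK_MAX, FALLBACK_DEFAULT = 3, 59, 5  # seconds, from the guide


def active_tunnel_timeline(primary_up, fallback_time=FALLBACK_DEFAULT):
    """Return which tunnel carries traffic at each 1-second sample.

    primary_up: list of booleans, one per second, True when DPD sees the
    primary peer alive. Assumption: the fallback timer needs continuous
    uptime and restarts whenever the primary drops again.
    """
    if not FALLBACK_MIN <= fallback_time <= FALLBACK_MAX:
        raise ValueError("fallback time must be 3 to 59 seconds")
    active, up_for, timeline = "primary", 0, []
    for alive in primary_up:
        up_for = up_for + 1 if alive else 0
        if active == "primary" and not alive:
            active = "backup"    # primary policy failed: backup policy takes over
        elif active == "backup" and up_for >= fallback_time:
            active = "primary"   # primary confirmed recovered: backup is disabled
        timeline.append(active)
    return timeline


def switch_count(timeline):
    """Number of tunnel changes; each one forces traffic onto a different tunnel."""
    return sum(1 for a, b in zip(timeline, timeline[1:]) if a != b)


# Constructed sample: primary fails at t=2, comes back for 3 s, drops, comes
# back for 2 s, drops again, then recovers for good at t=11.
FLAPPING = [True, True, False, False, True, True, True, False,
            True, True, False] + [True] * 12

if __name__ == "__main__":
    for seconds in (3, 5, 10):
        tl = active_tunnel_timeline(FLAPPING, seconds)
        print(f"fallback={seconds:>2}s  switches={switch_count(tl)}  "
              f"timeline={''.join(t[0].upper() for t in tl)}")
```

With this flapping primary, the 3-second minimum switches tunnels four times, while the 5-second default and a 10-second value each switch only twice at the cost of staying on the backup longer.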