Multihomed IPSec tunneling on PIX 515

[allen4all]

Hi Everyone, My first message here.
I'm setting up a PIX with 3 eth ports. One on the inside network and two on the outside. The outside interfaces have IP addresses from two different ISPs.
I was able to successfully create an IP sec tunnel on one interface. Now I'm trying to setup a parallel tunnel to the same destination peer through the second interface but I'm having problems on the routing end.
Using access-lists, I'm deciding which interface the interesting traffic should go through. Initiating traffic from two proxy servers to go through these two links. But at any point depending on my routing statement, only one tunnel gets active. How can I go about doing this??
Thanks in Advance

 

[yizhar]

HI.

The pix supports only 1 default gateway.

I think that you should look for another solution, using additional routers if needed.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[allen4all]

Hi Yizhar, thanks for your input. I tried yet another thing.

I put up a static nat on the router translating an internal address to the destination address. If I could then use this address as my peer address on the IPSec tunnel, then I could use 2 internal addresses pointing to the same destination and create 2 peer to peer tunnels. To test this out, I used 1 internal address.

Pointing to this as my crypto map set peer address I started the debug session. Suddenly the whole thing started to work. After about 15 replies I got request timed outs. On the Debug screen, when I get the replies, I see that both the atts and sa are accepted. but soon the OAK_QM process starts again and I get disconnected.

It keeps saying "Phase 2 packet is a duplicate of a previous packet".

When ever I reboot the PIX, I get connected once.
Any ideas??
Thanks
Allen