What is Cisco Defense Orchestrator?

CDO is a cloud-based multi-device management portal. In my opinion, this is the best solution for service providers such as cloud service providers and managed service providers. You no longer have to log in to each device's own management portal; using CDO alone, all of your Cisco security devices can be managed from one place.

Features:

  • Fast platform migration
  • Fast deployment and device on-boarding
  • Pre-defined security templates
  • Simple upgrade process
  • Integration with 3rd-party products


Supported Devices:

  • Adaptive Security Appliance (ASA)
  • Firepower Threat Defense (FTD)
  • Firepower Management Center (FMC)
  • Cisco IOS devices with Security Module
  • Meraki MX

Support matrix: Data Sheet

Setting up multiple IPSEC VPN peers on Cisco IOS & IOS XE

When working with Cisco router-based IPsec VPN tunnels, we may need high availability so that connectivity to the remote site survives an outage of the remote peer. By default a crypto map entry is configured with a single peer IP address; if that remote peer goes down for any reason, the IPsec tunnel fails with it. To mitigate that risk we can use the "default peer" feature (Cisco calls it IPsec Preferred Peer), which lets us define multiple redundant peers in the crypto map instead of a single one.

Preference is always given to the "default" peer. If the default peer is unreachable for any reason, the next peer in the list is used as the tunnel peer. Whether a peer is still alive is determined by Dead Peer Detection (DPD), so DPD must be enabled on the router for the failover to trigger at all. With that said, let's jump into the config.

(NOTE: always verify that these commands are supported on your router's IOS / IOS XE version before relying on them.)

Configuring a Default Peer

enable
configure terminal
crypto map map-name seq-num ipsec-isakmp [profile profile-name]
set peer ip-address [default]
exit

The default keyword marks that peer as the preferred one; additional set peer lines without the keyword become the backup peers, tried in order when the default peer is dead.


We have now defined the default peer and the alternative peer. The next step is to configure the IPsec idle timer, in seconds. When the idle-time command carries the default keyword, security associations that stay idle for that long are torn down, so the next interesting packet re-establishes the tunnel to the default peer instead of leaving the router stuck on the backup peer after a failover.

set security-association idle-time 120 default

So a complete crypto map entry looks like this:

crypto map client-map 132 ipsec-isakmp
 set peer 1.1.1.1 default
 set peer 2.2.2.2
 set security-association idle-time 120 default
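The crypto map above only works when the surrounding IKEv1 configuration, and in particular DPD, is in place. The following is an added example, not the configuration from the original post, showing the whole picture on one router: DPD keepalives, an ISAKMP policy, pre-shared keys for both peers, a transform set, the crypto map with the default peer and the idle timer, and the interface it is applied to. The peer addresses 1.1.1.1 and 2.2.2.2 are the post's placeholders; the subnets, interface address, names and keys are made up for illustration.

```cisco
! Added example (not from the original post). All names, keys, subnets
! and the interface address are hypothetical; adjust them to your network.

! Dead Peer Detection: send an ISAKMP keepalive every 10 s and retry every
! 3 s once a reply is missed. Without DPD the router never learns that the
! default peer is dead, so the backup peer is never used.
crypto isakmp keepalive 10 3 periodic

! IKEv1 (ISAKMP) policy used for both peers
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14

! One pre-shared key per peer (placeholder strings)
crypto isakmp key DefaultPeerKey address 1.1.1.1
crypto isakmp key BackupPeerKey address 2.2.2.2

! IPsec transform set
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel

! Interesting traffic between the two hypothetical sites
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255

! Crypto map entry with a preferred peer and one backup peer
crypto map client-map 132 ipsec-isakmp
 ! 1.1.1.1 is always tried first; 2.2.2.2 only when DPD declares 1.1.1.1 dead
 set peer 1.1.1.1 default
 set peer 2.2.2.2
 set transform-set TS-AES256
 ! After 120 s without traffic the SAs are torn down, so the next packet
 ! re-initiates to the default peer instead of staying on the backup peer
 set security-association idle-time 120 default
 match address VPN-TRAFFIC

! Apply the crypto map to the outside interface (hypothetical address)
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 crypto map client-map

! Verification: the map must list both peers with 1.1.1.1 flagged as
! default, and the active session should show which peer is currently in use
show crypto map
show crypto isakmp sa
show crypto session
```

To test the failover, block IKE/ESP from 1.1.1.1 (or shut its tunnel-facing interface) while traffic is flowing; after the DPD retries expire the session should re-establish to 2.2.2.2, and once the link is quiet for 120 s the next packet should bring the tunnel back up to 1.1.1.1.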