
ASA and backup L2L VPN

Patrick Colbeck
Level 3

I have two ASAs running 7.2.2; each is connected to the Internet via a router with links to two ISPs. Internet access is fine and using object tracking I can get the routers to swap which ISP they send the traffic to if one ISP fails.

The problem is the L2L IPSEC tunnel between the ASAs. Since the routers do the NAT, the outside IP address of the ASAs appears to change dependent on which ISP is being used.

I have looked at using multiple peers in the crypto map at one end using the "originate" option and the "answer only" option at the other end, but that doesn't look viable if both ends change their IP address.

Any ideas?

2 Replies

aghaznavi
Level 5

Split tunneling allows a remote-access IPSec client to conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. This command applies this split tunneling policy to a specified network. The default is to tunnel all traffic. In order to set a split tunneling policy, issue the split-tunnel-policy command in the group-policy configuration mode. In order to remove the split-tunneling-policy from the configuration, issue the no form of this command.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

Sorry, but the question is nothing to do with split tunneling; it's about how to have a backup VPN peer.
