IPSec VPN redundancy through different ISPs

Unanswered Question
Feb 1st, 2008

We have IPSec VPN tunnels sourced on ASA appliances connected to Router R1 where the WAN link is terminated.

Here we are about to add another WAN link with a connection from a different ISP. Our concern is how the tunnel will be rerouted through the other link with the same source IPs, seeing that the backup ISP won't allow the primary ISP's IP CIDR through their cloud. Basically the idea is to keep the design simple & hassle free.

The new setup will incorporate these changes. Please note only one ASA appliance is in use.

ASA --> Router R1 with Primary link/ISP (public IPs of Primary ISP)

ASA --> Router R2 with Secondary link/ISP (public IPs of Secondary ISP)

How can the tunnels be sourced with the same IPs of the primary ISP in case of a link failure? Or alternatively, what is the best solution?

Appreciating your patience.

Thanks & Regards to all.

Rick Morris Fri, 02/01/2008 - 13:21

Honestly the best way to have this set up is to get your own IP space, ASN, and run BGP with the two peers. This way when you terminate the tunnel to the IP it will be routable through both links and you control the announcement, not the peers. You can manually fail it over, but it will require two tunnels and it can be an admin headache.
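The layout Rick describes, as an added configuration example that is not part of this thread and not anyone's production config: the organisation holds its own provider-independent prefix and ASN, R1 and R2 each run eBGP to their ISP and iBGP to each other, and the ASA's outside address sits inside the announced prefix so the tunnel endpoint stays reachable whichever uplink is up. All addresses, ASNs and interface names are constructed placeholders (documentation ranges and a private ASN); the inbound policy accepts only a default route from each ISP, and the secondary path is AS-path prepended so inbound traffic prefers the primary ISP while it is up.

```cisco
! ---- R1: primary ISP uplink (constructed example, placeholder values) ----
interface GigabitEthernet0/0
 description Uplink to primary ISP (AS 65101)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside segment shared with R2 and the ASA (own PI space 203.0.113.0/24)
 ip address 203.0.113.2 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track GigabitEthernet0/0 20
!
router bgp 65000
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 65101
 neighbor 192.0.2.1 description Primary ISP
 neighbor 192.0.2.1 prefix-list OWN-PI out
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 203.0.113.3 remote-as 65000
 neighbor 203.0.113.3 description iBGP to R2
 neighbor 203.0.113.3 next-hop-self
!
! Anchor the aggregate so the network statement is always satisfied
ip route 203.0.113.0 255.255.255.0 Null0
ip prefix-list OWN-PI seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0

! ---- R2: secondary ISP uplink (constructed example, placeholder values) ----
interface GigabitEthernet0/0
 description Uplink to secondary ISP (AS 65102)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 203.0.113.3 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 priority 100
 standby 1 preempt
!
router bgp 65000
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 65102
 neighbor 198.51.100.1 description Secondary ISP
 neighbor 198.51.100.1 prefix-list OWN-PI out
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 198.51.100.1 route-map PREPEND-SECONDARY out
 neighbor 203.0.113.2 remote-as 65000
 neighbor 203.0.113.2 next-hop-self
!
ip route 203.0.113.0 255.255.255.0 Null0
ip prefix-list OWN-PI seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
! Make the secondary path look longer so the Internet prefers the primary ISP
route-map PREPEND-SECONDARY permit 10
 match ip address prefix-list OWN-PI
 set as-path prepend 65000 65000

! ---- ASA: tunnel endpoint inside the PI prefix (constructed example) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
! Default route to the HSRP VIP; whichever router holds the VIP carries the tunnel
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

With this, the remote peer's crypto map keeps a single peer address (203.0.113.10) and nothing on the ASA changes on failover: R1 losing its uplink withdraws the prefix from the primary ISP (the BGP session drops), HSRP tracking moves the VIP to R2, and the prepended announcement via the secondary ISP becomes the only path. Two things to verify before relying on it: that both ISPs will accept your prefix and ASN on their sessions (a Letter of Authorization is normally required), and that the `DEFAULT-ONLY` inbound filter matches what each ISP actually sends, since a router receiving no default route will black-hole outbound traffic after a failover.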
