02-14-2008 12:30 AM - edited 02-21-2020 03:33 PM
I am configuring two Cisco ASAs for site-to-site VPN using two load balancers. The load balancers will perform a failover should one of the lines fail. Say, for example, in normal conditions the VPN tunnel will be created along the 'red' line (see picture) to the remote host. If one site's Internet line fails (say Site A's red link), the tunnel from Site A should go by the blue link to Site B's red link (if Site B's Internet line is perfectly fine).
For both remote sites, I want to connect each peer by using a hostname (e.g. vpn.sitea.com). Also, for both sites, I am not sure how to add security associations so that each firewall can accept the different IP addresses of each other's multiple links.
Below, I have created a script for site-to-site VPN.
On SITE A
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto isakmp enable outside
crypto isakmp identity hostname
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer vpn.siteb.com
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
exit
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
tunnel-group vpn.siteb.com type ipsec-l2l
tunnel-group vpn.siteb.com ipsec-attributes
pre-shared-key qwertyuiop
exit
On SITE B
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto isakmp enable outside
crypto isakmp identity hostname
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer vpn.sitea.com
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
exit
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
tunnel-group vpn.sitea.com type ipsec-l2l
tunnel-group vpn.sitea.com ipsec-attributes
pre-shared-key qwertyuiop
exit
I appreciate any comments and recommendations.
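As an added consistency check, not from the original post or from Cisco, here is a Python script that parses the crypto-relevant lines of the two configs above and reports the mismatches that would stop the two ASAs from negotiating (non-mirrored crypto ACLs, differing transform sets or pre-shared keys, a peer with no tunnel-group of its own). The parser only understands the command forms that appear in the post; the embedded configs are constructed from those lines.

```python
# Constructed sample: the crypto-relevant lines of the two posted configs.
SITE_A = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer vpn.siteb.com
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group vpn.siteb.com type ipsec-l2l
pre-shared-key qwertyuiop
"""
SITE_B = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer vpn.sitea.com
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group vpn.sitea.com type ipsec-l2l
pre-shared-key qwertyuiop
"""

def parse(cfg):
    """Pull out the parts of an ASA L2L crypto config that must agree with the peer."""
    f = {"acl": {}, "ts": {}, "peers": [], "tg": set(), "map_acl": None, "map_ts": None, "psk": None}
    for line in cfg.strip().splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "access-list" and "permit" in w:
            f["acl"].setdefault(w[1], []).append(tuple(w[-4:]))   # (src, smask, dst, dmask)
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            f["ts"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and "match" in w:
            f["map_acl"] = w[-1]
        elif w[:2] == ["crypto", "map"] and "peer" in w:
            f["peers"] = w[w.index("peer") + 1:]                   # may list several peers
        elif w[:2] == ["crypto", "map"] and "transform-set" in w:
            f["map_ts"] = w[-1]
        elif w[0] == "tunnel-group":
            f["tg"].add(w[1])
        elif w[0] == "pre-shared-key":
            f["psk"] = w[1]
    return f

def mismatches(a, b):
    """Return the reasons two sites' crypto configs would fail to negotiate (empty if none)."""
    out = []
    ta = a["acl"].get(a["map_acl"], [])
    tb = b["acl"].get(b["map_acl"], [])
    if sorted(ta) != sorted((d, dm, s, sm) for s, sm, d, dm in tb):
        out.append("crypto ACLs are not mirror images")       # proxy IDs must be swapped
    if a["ts"].get(a["map_ts"]) != b["ts"].get(b["map_ts"]):
        out.append("transform-sets differ")
    if a["psk"] != b["psk"]:
        out.append("pre-shared keys differ")
    if not set(a["peers"]) <= a["tg"] or not set(b["peers"]) <= b["tg"]:
        out.append("a configured peer has no tunnel-group of its own")
    return out
```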
02-14-2008 08:14 AM
There's a good book on designing redundant VPNs,