Configuring site-to-site VPN with load balancers.

desmond.liew
Level 1

I am configuring two Cisco ASAs for a site-to-site VPN using two load balancers. The load balancers will perform a failover should one of the lines fail. Say, for example, that in normal conditions the VPN tunnel is created along the 'red' line (see picture) to the remote host. If one site's Internet line fails (say Site A's red link), the tunnel from Site A should go by the blue link to Site B's red link (if Site B's Internet line is perfectly fine).

For both remote sites, I want to connect to each peer by using a hostname (e.g. vpn.sitea.com). Also, for both sites, I am not sure how to add security associations so that each firewall can accept the different IP addresses of the other's multiple links.

Below, I have created a script for site-to-site VPN.

On SITE A

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto isakmp enable outside
crypto isakmp identity hostname
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer vpn.siteb.com
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 exit
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
tunnel-group vpn.siteb.com type ipsec-l2l
tunnel-group vpn.siteb.com ipsec-attributes
 pre-shared-key qwertyuiop
 exit

On SITE B

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto isakmp enable outside
crypto isakmp identity hostname
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer vpn.sitea.com
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 exit
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
tunnel-group vpn.sitea.com type ipsec-l2l
tunnel-group vpn.sitea.com ipsec-attributes
 pre-shared-key qwertyuiop
 exit

I appreciate any comments and recommendations.
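As an added consistency check (not from the post and not Cisco's tooling), the script below parses the two configs as posted, pulls out the crypto-map peers, the ipsec-l2l tunnel-groups and which of them carry a key, and the crypto ACLs, then reports any peer that lacks a keyed tunnel-group of the same name and any crypto flow whose mirror is missing on the other side. The trimmed sample configs are constructed from the post (with a placeholder pre-shared key); listing a second peer address under 'set peer' without a matching tunnel-group is exactly what the peer check flags.

```python
import re

# Constructed sample: the lines of the post's Site A config that the checks need;
# Site B is its mirror image (swapped subnets, peer name vpn.sitea.com).
SITE_A = """
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer vpn.siteb.com
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
tunnel-group vpn.siteb.com type ipsec-l2l
tunnel-group vpn.siteb.com ipsec-attributes
pre-shared-key example-psk
exit
"""
SITE_B = SITE_A.replace("192.168.10.0 255.255.255.0 192.168.20.0",
                        "192.168.20.0 255.255.255.0 192.168.10.0").replace("siteb", "sitea")

def parse_asa(text):
    """Collect the peers, L2L tunnel-groups, keyed tunnel-groups and crypto ACL entries."""
    cfg = {"peers": [], "l2l": set(), "keyed": set(), "acl": {}, "crypto_acl": None}
    group = None  # tunnel-group whose ipsec-attributes block we are inside
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"crypto map \S+ \d+ set peer (.+)", line):
            cfg["peers"] += m.group(1).split()  # 'set peer' may list several addresses
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["crypto_acl"] = m.group(1)
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)", line):
            cfg["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            cfg["l2l"].add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            group = m.group(1)
        elif line.startswith("pre-shared-key ") and group:
            cfg["keyed"].add(group)
        elif line == "exit":
            group = None
    return cfg

def check_peers(cfg):
    """Every peer named in the crypto map needs an ipsec-l2l tunnel-group that carries a key."""
    return [f"peer {p}: no ipsec-l2l tunnel-group" if p not in cfg["l2l"]
            else f"peer {p}: tunnel-group has no pre-shared-key"
            for p in cfg["peers"] if p not in cfg["l2l"] or p not in cfg["keyed"]]

def check_mirror(cfg_a, cfg_b):
    """The two crypto ACLs must be mirror images, or the phase 2 proxy IDs will not agree."""
    flows_a = set(cfg_a["acl"].get(cfg_a["crypto_acl"], []))
    flows_b = {(dst, src) for src, dst in cfg_b["acl"].get(cfg_b["crypto_acl"], [])}
    return [f"flow {src} -> {dst} has no mirror on the other side" for src, dst in flows_a ^ flows_b]
```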
