VPN failover redundancy

ronshuster · ‎07-23-2008

I am looking to have a VPN tunnel redundancy between two sites, that is if one tunnel goes down, the traffic will be routed to a backup tunnel (different site).

So now we have a tunnel between site A & B, and if this tunnel was to fail, I would like the traffic to failover to a new tunnel between A & C.

Is that feasible?

I failed to find an example of this scenario on the Cisco site, any idea?

a.alekseev · ‎07-23-2008

you can have two ip addreeses in "peer" command.

crypto map ipsec-remoteoffice 11 ipsec-isakmp

set peer b.b.b.b c.c.c.c

set transform-set aes-sha

set pfs group2

match address 103

ronshuster · ‎07-23-2008

I will try it.

So if the tunnel to b.b.b.b goes down, all traffic will dynamically failover to c.c.c.c?

Is there no need for any dynamic routing protocol?

Also, when the tunnel to b.b.b is up, what happens with the other tunnel, c.c.c.c, is it up or down?

Also, I would assume you need to add ACL's for the "interesting traffic", correct? Also create the tunnel config on the c.c.c.c fw.

ggilbert · ‎07-23-2008

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5b2.html

You have to specify one side as the receiver only and the other side as the initiator only.

According to your example if connection to B fails, the tunnel should be established to C.

So, A will be the initiator and B&C will be the responders.

On the crypto map set peer command, you can insert two peers. If the first one fails, then the second one will be used.

Hope this is what you are looking for.

Rate this post, if it helps.

Thanks

Gilbert

*******************

hostname(config)# crypto map mymap 10 ipsec-isakmp

hostname(config)# crypto map mymap 10 match address 101

hostname(config)# crypto map mymap 10 set transform-set my_t_set1

hostname(config)# crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

******************************

ronshuster · ‎07-23-2008

What is the configuration for a peer to be the Initiator and the other to be the Responder?

Cal McMurtry · ‎07-23-2008

You can use ASDM to do what you want. I'm assuming an ASA on both sides and you want failover on the links.

Adding the additional isp link

Remote ASA configuration

Create the second isp interface

Create the static route using route tracking for the second interface. Give it a metric of 255

Create dynamic nat rule for second interface

Create vpn tunnel on remote ASA using wizard

Get warning that tunnel group (ip address) already exists, do you want to use it? answer OK.

Configure the crypto map for both connections to answer only

(will lose connectivity after this)

Office ASA configuration

Use the vpn wizard to create a new site to site vpn to the second isp address

Change the connection profile for each connection. Configure the crypto map for originate only.

Configure the crypto map with the highest priority to include the second isp ip address in the peer group.

Delete the second crypto map entry

Finishing up

On remote ASA, reconfigure default gateway metrics to use high speed isp as 1 and backup as 255

a.alekseev · ‎07-23-2008

hostname(config)# crypto map mymap 10 set peer b.b.b.b c.c.c.c

if you have the above then this side can be only a initiator and it doesn't accept connections initiated by b.b.b.b or c.c.c.c.