07-23-2008 10:41 AM - edited 02-21-2020 03:50 PM
I am looking to have VPN tunnel redundancy between two sites, that is, if one tunnel goes down, the traffic will be routed to a backup tunnel (to a different site).
So now we have a tunnel between site A & B, and if this tunnel were to fail, I would like the traffic to fail over to a new tunnel between A & C.
Is that feasible?
I failed to find an example of this scenario on the Cisco site, any idea?
07-23-2008 11:36 AM
You can have two IP addresses in the "peer" command.
! IOS-style crypto map; the second address in "set peer" is tried if the first fails
crypto map ipsec-remoteoffice 11 ipsec-isakmp
 set peer b.b.b.b c.c.c.c
 set transform-set aes-sha
 set pfs group2
 match address 103
07-23-2008 11:39 AM
I will try it.
So if the tunnel to b.b.b.b goes down, all traffic will dynamically fail over to c.c.c.c?
Is there no need for any dynamic routing protocol?
Also, when the tunnel to b.b.b.b is up, what happens with the other tunnel, c.c.c.c? Is it up or down?
Also, I would assume you need to add ACLs for the "interesting traffic", correct? Also create the tunnel config on the c.c.c.c firewall.
07-23-2008 11:41 AM
You have to specify one side as the receiver only and the other side as the initiator only.
According to your example if connection to B fails, the tunnel should be established to C.
So, A will be the initiator and B & C will be the responders.
On the crypto map set peer command, you can insert two peers. If the first one fails, then the second one will be used.
Hope this is what you are looking for.
Rate this post, if it helps.
Thanks
Gilbert
*******************
hostname(config)# crypto map mymap 10 ipsec-isakmp
hostname(config)# crypto map mymap 10 match address 101
hostname(config)# crypto map mymap 10 set transform-set my_t_set1
hostname(config)# crypto map mymap 10 set peer 10.0.0.1 10.0.0.2
! second peer (10.0.0.2) is used only after negotiation with the first one fails
******************************
07-23-2008 11:44 AM
What is the configuration for a peer to be the Initiator and the other to be the Responder?
07-23-2008 12:20 PM
You can use ASDM to do what you want. I'm assuming an ASA on both sides and that you want failover on the links.
Adding the additional ISP link
Remote ASA configuration
Create the second ISP interface
Create the static route using route tracking for the second interface. Give it a metric of 255
Create a dynamic NAT rule for the second interface
Create the VPN tunnel on the remote ASA using the wizard
Get a warning that the tunnel group (IP address) already exists, do you want to use it? Answer OK.
Configure the crypto map for both connections as answer-only
(you will lose connectivity after this)
Office ASA configuration
Use the VPN wizard to create a new site-to-site VPN to the second ISP address
Change the connection profile for each connection. Configure the crypto map as originate-only.
Configure the crypto map with the highest priority to include the second ISP IP address in the peer group.
Delete the second crypto map entry
Finishing up
On the remote ASA, reconfigure the default gateway metrics to use the high-speed ISP as 1 and the backup as 255
07-23-2008 12:26 PM
hostname(config)# crypto map mymap 10 set peer b.b.b.b c.c.c.c
If you have the above, then this side can only be an initiator and it doesn't accept connections initiated by b.b.b.b or c.c.c.c.
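Putting the pieces of this thread together (the two-address "set peer" from the first replies and the originate-only / answer-only split from the last one), below is an added example configuration that is not from any of the posts above. It assumes ASA 8.0-era syntax, placeholder addresses a.a.a.a (site A outside), b.b.b.b (site B) and c.c.c.c (site C), 10.1.0.0/24 as A's LAN and 10.2.0.0/24 as the network reachable through either B or C, and a pre-shared key written as <strong-psk>; adjust all of these to your environment.

```cisco
! ===== Site A (initiator, tries b.b.b.b first, then c.c.c.c) =====
! Added example, not from the thread. Addresses and key are placeholders.
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! (on 7.x the command is "isakmp enable outside")
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
! Interesting traffic: A's LAN to the LAN behind B/C. Same ACL works for both
! peers because the protected network is the same whichever site terminates it.
access-list 101 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! One tunnel-group per peer. DPD (isakmp keepalive) is what lets A notice that
! b.b.b.b is dead and move to the next peer; without it A may sit on a dead SA
! until the lifetime expires.
tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b ipsec-attributes
 pre-shared-key <strong-psk>
 isakmp keepalive threshold 10 retry 2
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
 pre-shared-key <strong-psk>
 isakmp keepalive threshold 10 retry 2
! (8.4+ uses "ikev1 pre-shared-key" instead of "pre-shared-key")
!
crypto map mymap 10 match address 101
crypto map mymap 10 set peer b.b.b.b c.c.c.c
crypto map mymap 10 set transform-set aes-sha
crypto map mymap 10 set pfs group2
crypto map mymap 10 set connection-type originate-only
crypto map mymap interface outside

! ===== Site B and Site C (responders; same config on both) =====
! answer-only: B/C never initiate toward A, which is required because an
! originate-only A refuses inbound IKE from them.
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
! Mirror image of A's crypto ACL
access-list 101 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a ipsec-attributes
 pre-shared-key <strong-psk>
 isakmp keepalive threshold 10 retry 2
!
crypto map mymap 10 match address 101
crypto map mymap 10 set peer a.a.a.a
crypto map mymap 10 set transform-set aes-sha
crypto map mymap 10 set pfs group2
crypto map mymap 10 set connection-type answer-only
crypto map mymap interface outside
```

Two things to keep in mind when testing this. First, the peer order only matters at negotiation time: while the SA to c.c.c.c is up, A does not move back to b.b.b.b on its own; it tries b.b.b.b first again only when the current SA is torn down (clear crypto isakmp sa, lifetime expiry, or DPD). Second, because A is the only side that can bring the tunnel up, traffic that originates at B or C toward A will not trigger a tunnel; A must send interesting traffic first. "show crypto isakmp sa" on A shows which of the two peers currently holds the SA.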