Two ASAs as VPN tunnel hubs and a dual tunnel to both from a Cisco 1800

Unanswered Question

I am struggling with configuring a Cisco 1841 to have a dual or backup tunnel to two separate ASAs on our corporate network. There is a lot of great documentation on DMVPN with routers as the hub, but is DMVPN the best way to configure this router and the others to follow? I have no issues creating a single normal tunnel to either ASA, but when I try to get a tunnel to each I have issues.


Last attempt at a DMVPN config on the 1841


crypto keyring Test
 pre-shared-key address #.#.#.# key Test!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring Test
 match identity address #.#.#.# 255.255.255.255
!
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES
 set pfs group2
 set isakmp-profile L2L
 match address VPN-ACCESS-LIST-100
!
! A dynamic map entry has no set peer: the router can accept a tunnel that
! the ASA initiates, but it cannot initiate the tunnel itself.
crypto map mymap 10 ipsec-isakmp dynamic dynmap

sadbulali Fri, 11/07/2008 - 07:24

DMVPN is also a good choice, as you have mentioned. The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP Security (IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). It is possible to configure separate tunnels to two different ASAs from a router.
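To make the GRE + IPsec + NHRP combination in the reply concrete, the following is an added example spoke configuration written for this page; it is not from the reply, the original poster, or any Cisco document. It shows a spoke with two DMVPN hubs (dual hub, single cloud): each hub is an NHRP next-hop server, EIGRP runs over the multipoint GRE tunnel, and if one hub dies the routes learned through the other keep the traffic flowing. All addresses are invented: hub public addresses 203.0.113.15 and 203.0.113.25, overlay 10.255.0.0/24 with the hubs at 10.255.0.1 and 10.255.0.2, EIGRP AS 100, NHRP network-id and tunnel key 1, and the spoke LAN 10.207.126.0/24 taken from the post. The hubs must be IOS routers (or other devices that terminate mGRE and NHRP); an ASA cannot act as a DMVPN hub, so against the two ASAs in the question this design is not available. The AES-256 / SHA-256 / DH group 14 settings assume an image that supports them; they are stronger than the 3DES / MD5 / group 2 shown in the post.

```ios
! Spoke (1841) side of a dual-hub, single-cloud DMVPN. Added example, not page config.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! One pre-shared key per hub (hypothetical values). A wildcard key
! (address 0.0.0.0 0.0.0.0) would be needed for spoke-to-spoke tunnels;
! prefer certificates over a shared wildcard key if you go that way.
crypto isakmp key Hub1-PSK-example address 203.0.113.15
crypto isakmp key Hub2-PSK-example address 203.0.113.25
! Dead Peer Detection so a dead hub is noticed and its SAs torn down.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.255.0.3 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ! Static NHRP mappings for both hubs, plus multicast so EIGRP hellos reach them.
 ip nhrp map 10.255.0.1 203.0.113.15
 ip nhrp map multicast 203.0.113.15
 ip nhrp map 10.255.0.2 203.0.113.25
 ip nhrp map multicast 203.0.113.25
 ip nhrp network-id 1
 ! Both hubs registered as next-hop servers: the spoke registers with each.
 ip nhrp nhs 10.255.0.1
 ip nhrp nhs 10.255.0.2
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! Routing over the overlay replaces the crypto ACLs: whichever hub is alive
! advertises the corporate prefixes, so failover is a routing decision.
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.207.126.0 0.0.0.255
 no auto-summary
```

Check the spoke with `show dmvpn`, `show ip nhrp` and `show ip eigrp neighbors`: both hubs should appear as NHRP registrations and EIGRP neighbours, and shutting one hub's tunnel should leave the other's routes in `show ip route eigrp` after the EIGRP hold time expires.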


I got both tunnels working, but I would like to be able to control routing better. Is there a good way to have all routing go over a single tunnel in case of a failure? With the below config I can get all 10.160.0.0 and 10.40.0.0 routing over the one tunnel and 10.41.0.0 over the other tunnel, but if I simulate a tunnel outage I can't get traffic to go to the other tunnel. I have added 10.0.0.0 to each access list, but then both tunnels don't work. I think I have to do the access lists differently. The only way I know how to add routing is if I do tunnel interfaces, and I have only done that with router-to-router tunnels. Is there a way to do that on a router-to-ASA configuration?



crypto keyring VGC_PTC
 pre-shared-key address ##.##.##.15 key [email protected]_1
crypto keyring VGC_Tulsa
 pre-shared-key address ##.##.##.25 key VGC$Test_2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp profile L2L_Dallas
 description LAN-To-LAN for PTC Connection
 keyring VGC_PTC
 match identity address ##.##.##.15 255.255.255.255
crypto isakmp profile L2L_Tulsa
 description LAN-To-LAN for Tulsa Connection
 keyring VGC_Tulsa
 match identity address ##.##.##.25 255.255.255.255
!
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
!
! Dynamic map entries carry no set peer: the router only answers tunnels the
! ASAs initiate and cannot bring either tunnel up itself.
crypto dynamic-map dynmap 10
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES
 set isakmp-profile L2L_Dallas
 match address VPN-ACCESS-LIST-100
crypto dynamic-map dynmap 20
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES
 set isakmp-profile L2L_Tulsa
 match address VPN-ACCESS-LIST-200
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
! Interesting traffic for the PTC (Dallas) peer
ip access-list extended VPN-ACCESS-LIST-100
 permit ip 10.207.126.0 0.0.0.255 10.160.0.0 0.0.255.255
 permit ip 10.207.126.0 0.0.0.255 10.40.0.0 0.0.255.255
! Interesting traffic for the Tulsa peer
ip access-list extended VPN-ACCESS-LIST-200
 permit ip 10.207.126.0 0.0.0.255 10.41.0.0 0.0.255.255
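The failover the follow-up asks for does not come from two dynamic entries with overlapping crypto ACLs: a crypto ACL only selects which peer a flow belongs to, and two entries that both claim 10.0.0.0/8 are ambiguous rather than redundant. Route-based tunnels (GRE or VTI with a routing protocol) are the router-to-router answer, but the ASA of that era terminated only policy-based crypto-map tunnels (VTI on the ASA arrived much later, in 9.7), so against these two hubs the IOS way to get a backup peer is one static crypto map entry that lists both ASAs under `set peer`, with Dead Peer Detection so the router notices when the active peer goes away and moves to the next one. The following is an added example written for this page, not the poster's configuration and not a Cisco document; it keeps the masked peer addresses, the VGC key names and the 10.207.126.0/24 LAN from the post, replaces the per-peer keyrings and ISAKMP profiles with plain `crypto isakmp key` entries (hypothetical key values), and uses a single ACL for all of 10.0.0.0/8. The 3DES / MD5 / group 2 settings are kept to match the post; both are deprecated, and AES-256, SHA-256 and DH group 14 or higher should be used where the image supports them.

```ios
! 1841 side: one static crypto map entry with two peers. Added example, not page config.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
! Key per peer, selected by the peer's address (values are placeholders).
crypto isakmp key PTC-key-example address ##.##.##.15
crypto isakmp key Tulsa-key-example address ##.##.##.25
! Dead Peer Detection: every 10 s, 3 retries. Without it the router keeps
! sending into a dead tunnel until the SA lifetime expires.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
!
! One ACL for all corporate space, so a single entry owns all the traffic.
! Each ASA needs the mirror image of this in its own crypto ACL, and each must
! be able to route to every destination network listed here; otherwise a
! failover to that ASA only moves the traffic to a hub that cannot deliver it.
ip access-list extended VPN-ACCESS-LIST-ALL
 permit ip 10.207.126.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! Static entry (no "dynamic" keyword): the router can initiate. Peers are
! tried in the order listed; when DPD declares the active peer dead the
! router negotiates with the next one.
crypto map mymap 10 ipsec-isakmp
 set peer ##.##.##.15
 set peer ##.##.##.25
 set transform-set ESP-3DES
 set pfs group2
 set security-association lifetime seconds 28800
 match address VPN-ACCESS-LIST-ALL
!
! Apply to the outside interface (name is an assumption).
interface FastEthernet0/0
 crypto map mymap
```

Verify with `show crypto isakmp sa`, `show crypto ipsec sa` and `show crypto session`; only one peer should hold an active SA at a time. To test failover, block UDP 500 and ESP from the active ASA (or shut its interface) and watch the DPD retries in `debug crypto isakmp` followed by a new negotiation to the second address. Two caveats a practitioner should know: with plain `set peer` lists the router stays on the backup until that peer fails as well, and does not preempt back to the first ASA on its own (IOS releases with the IPsec Preferred Peer feature add a `default` keyword on `set peer` for that); and because interesting traffic is now 10.0.0.0/8 towards both hubs, the corporate side must be prepared to forward traffic for all three remote networks through whichever ASA currently holds the tunnel.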
