IPSec Site-to-Site VPN with two ASAs and primary and backup links

Apr 15th, 2009

Hi Pros!

I wonder if anyone can provide a link or an example on how to configure two ASAs for site-to-site VPN. The ASA5510 is configured for tracking of two static routes (sla monitor - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml).


The question is mostly about how to configure the ASA5505. Should it be one crypto map with two peers? If yes, how should routing be handled?


Eugene

Daniela Herrera Mon, 04/20/2009 - 12:39

The crypto map is assigned to an interface where the traffic will be coming in and out of the ASA.


If the tracking configuration you have will cause the traffic to go out on a different interface, the crypto map needs to be applied on that interface also.


I believe you can use the same crypto map on both interfaces; the traffic and the peer will remain the same, you just need to apply it to both interfaces (just be careful if you have more than one tunnel configured). The crypto map configuration will be used only when there's traffic flowing through that interface.


The remote device will need one crypto map for that traffic with two peers on the same crypto map entry (I suggest verifying the version of the ASA; not all versions seem to work ok with this, I think 8.0 and above are ok).


The ASA that has the tracking configuration should start the communication to help avoid synchronization problems between the devices.


Configuring keepalives will also help the remote end know that the first peer (interface) is no longer alive, and it will help build the new tunnel faster.


Regards,
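A worked configuration for the layout this answer describes, added here as an example; it is not from the original thread or from Cisco's documentation. It uses ASA 8.0-style syntax, constructed RFC 5737 addresses, and assumed names (VPN-MAP, VPN-TRAFFIC, ESP-AES-SHA, a second ISP interface named `backup`); the pre-shared key is a placeholder.

```cisco
! ---- ASA5505, remote end (no route tracking): one crypto map entry, two peers ----
! Constructed addresses from RFC 5737 ranges; object names are assumptions.
access-list VPN-TRAFFIC extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list VPN-TRAFFIC
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map VPN-MAP 10 match address VPN-TRAFFIC
! Primary hub address first; the ASA moves to the next peer when this one stops answering
crypto map VPN-MAP 10 set peer 203.0.113.1 198.51.100.1
crypto map VPN-MAP 10 set transform-set ESP-AES-SHA
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! One tunnel-group per hub address; the keepalive (DPD) line is what lets this end
! notice that the primary link is dead and rebuild the tunnel to the backup peer
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
! ---- ASA5510, hub with sla monitor tracked routes: same crypto map on both ISP interfaces ----
! (the tracked default routes themselves follow the sla monitor example linked in the question;
!  the same crypto isakmp policy 10 block as above is needed here too)
access-list VPN-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list VPN-TRAFFIC
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map VPN-MAP 10 match address VPN-TRAFFIC
crypto map VPN-MAP 10 set peer 192.0.2.1
crypto map VPN-MAP 10 set transform-set ESP-AES-SHA
! Apply the one map to both interfaces so the tunnel is built out of whichever
! interface the tracked route currently points at; ISAKMP must be enabled on both too
crypto map VPN-MAP interface outside
crypto map VPN-MAP interface backup
crypto isakmp enable outside
crypto isakmp enable backup
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
```

After a failover, `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA5505 should show the SA rebuilt against the ASA5510's backup interface address rather than the primary one.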
