ASA site2site VPN headend redundancy

Unanswered Question
Aug 30th, 2009

Hi, here is my situation: we have two ISPs at HQ. The ASA's outside IP is from ISP1, and we have a WAN load-balancer sitting in front of the ASA; when ISP1 goes away, the WAN load-balancer NATs the ISP1 IP to the ISP2 IP.

Now I want to implement site-to-site VPN redundancy for the remote offices. I am not sure whether the following configuration on the remote ASA would work:

crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP
crypto map mymap 2 match address traffic_to-HQ
crypto map mymap 2 set peer ISP2_IP

tunnel-group ISP1_IP
<tunnel-group configuration>

tunnel-group ISP2_IP
<tunnel-group configuration, exactly the same as above>


ISP1_IP and ISP2_IP are essentially the same IP (the HQ ASA's outside IP) after the WAN load-balancer's static NAT. I am wondering what the effect of the above configuration is: would the remote ASA establish two ISAKMP/IPsec SAs to the HQ ASA, or would the remote establish only the first one? If the latter, is it because crypto map seq 1's "match address" ACL is the same as seq 2's?

Todd Pula Mon, 08/31/2009 - 07:11

From the spoke's perspective, you set up one crypto map entry that points to a primary and a secondary peer IP. For example,

crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP ISP2_IP
crypto map mymap 1 set transform-set TSET

tunnel-group ISP1_IP
tunnel-group ISP2_IP
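The pitfall in the question and the fix in the answer, as an added Python example that is not from this thread or from Cisco: it parses crypto map lines, flags a sequence number whose match ACL is already claimed by a lower sequence number of the same map (this assumes first-match evaluation in ascending sequence order, which is how the ASA walks a crypto map), and prints the single-entry form with both peers on one `set peer` line. The two config samples are constructed from the posts above; ISP1_IP, ISP2_IP and TSET are placeholders, as in the posts.

```python
import re
from collections import OrderedDict

# Constructed sample: the remote-office config from the question (spelling fixed),
# two sequence numbers that match the same traffic but point at different peers.
TWO_ENTRY_CONFIG = """\
crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP
crypto map mymap 1 set transform-set TSET
crypto map mymap 2 match address traffic_to-HQ
crypto map mymap 2 set peer ISP2_IP
crypto map mymap 2 set transform-set TSET
"""

# Constructed sample: the single-entry form from the answer, both peers on one line.
ONE_ENTRY_CONFIG = """\
crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP ISP2_IP
crypto map mymap 1 set transform-set TSET
"""

CRYPTO_MAP_RE = re.compile(
    r"^crypto map (?P<name>\S+) (?P<seq>\d+) "
    r"(?P<cmd>match address|set peer|set transform-set) (?P<args>.+)$"
)


def parse_crypto_maps(config: str) -> "OrderedDict":
    """Return {(map_name, seq): {'acl', 'peers', 'transform'}} in config order."""
    entries = OrderedDict()
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if not m:
            continue  # not a crypto map line we care about
        key = (m["name"], int(m["seq"]))
        entry = entries.setdefault(key, {"acl": None, "peers": [], "transform": []})
        if m["cmd"] == "match address":
            entry["acl"] = m["args"].strip()
        elif m["cmd"] == "set peer":
            entry["peers"].extend(m["args"].split())  # ASA accepts several peers here
        else:
            entry["transform"].extend(m["args"].split())
    return entries


def find_shadowed_entries(entries) -> list:
    """Flag entries whose match ACL was already claimed by a lower sequence number
    of the same map. Assumption: first match wins, evaluated in ascending seq order."""
    seen = {}
    findings = []
    for (name, seq) in sorted(entries):
        acl = entries[(name, seq)]["acl"]
        if acl is None:
            continue
        if (name, acl) in seen:
            findings.append({"map": name, "seq": seq, "acl": acl, "shadowed_by": seen[(name, acl)]})
        else:
            seen[(name, acl)] = seq
    return findings


def merge_peers(entries) -> "OrderedDict":
    """Collapse entries that share (map, acl) into one entry; peers keep config order."""
    merged = OrderedDict()
    for (name, seq) in sorted(entries):
        e = entries[(name, seq)]
        if e["acl"] is None:
            continue
        target = merged.setdefault((name, e["acl"]), {"seq": seq, "peers": [], "transform": []})
        for p in e["peers"]:
            if p not in target["peers"]:
                target["peers"].append(p)
        for t in e["transform"]:
            if t not in target["transform"]:
                target["transform"].append(t)
    return merged


def render(merged) -> str:
    """Emit the merged entries back as ASA-style crypto map lines."""
    lines = []
    for (name, acl), e in merged.items():
        lines.append(f"crypto map {name} {e['seq']} match address {acl}")
        lines.append(f"crypto map {name} {e['seq']} set peer {' '.join(e['peers'])}")
        if e["transform"]:
            lines.append(f"crypto map {name} {e['seq']} set transform-set {' '.join(e['transform'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_crypto_maps(TWO_ENTRY_CONFIG)
    for f in find_shadowed_entries(entries):
        print(f"seq {f['seq']} of map {f['map']} never matches: "
              f"ACL {f['acl']} is already used by seq {f['shadowed_by']}")
    print("suggested single-entry form:")
    print(render(merge_peers(entries)))
```

Run against the two-entry config it reports seq 2 as shadowed by seq 1 and prints the same three lines as the answer's config; run against the single-entry config it reports nothing. The tunnel-group blocks are left alone on purpose: both peers still need their own tunnel-group, as the answer shows.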
