I will try to summarise my setup.
Site A Remote Office
- LAN 22.214.171.124. /24,
- Interface connected to ISP connection 1 (main) - 126.96.36.199
- Interface connectd to ISP connect 2 (backup) - 188.8.131.52
Site B Main Office
- LAN 184.108.40.206 /24
- Interface connected to ISP connection 1 (main) - 220.127.116.11
- Interface connected to ISP connection 2(backup) - 18.104.22.168
What I want to have happen is that there are 2 VPN tunnels.
Between Remote and Main Office- Tunnel 1 22.214.171.124 to 126.96.36.199
and Tunnel 2 188.8.131.52 to 184.108.40.206
I have set up the tunnels and can get the first tunnel up each time. Traffic flows freely each time to and from sites with no issue.
If I disconnect the main connection to the ISP at Remote office , so the ASA diverts all outgoing traffic from the main connection to the backup connection then it brings up the 2nd tunnel
People at the remote site can VPN into the main site with no issue at all. The ASA there knows that all traffic for the main office will go through the backup interface as the main interface is down.
If people at the main office try to access the remote office then they do not have any success! This is beacuse the ASA at the main office still trys to route out via its usual (main) ISP connection, and fails!
How can I get this so there is two way traffic!
Setting the tunnels at one site to answer only does not seem to solve the problem, as it then still expects to establish the tunnel from the outside!
Summary of config:-
Extract from main office
access-list outside_60_cryptomap extended permit ip Main_Office 255.255.255.0 Remote_LAN 255.255.255.0
access-list backup_40_cryptomap extended permit ip Main_Office 255.255.255.0 Remote_LAN 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map backup_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer 220.127.116.11
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 60 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map backup_map 40 match address backup_40_cryptomap
crypto map backup_map 40 set peer 18.104.22.168
crypto map backup_map 40 set transform-set ESP-3DES-MD5
crypto map backup_map 40 set reverse-route
crypto map backup_map 65535 ipsec-isakmp dynamic backup_dyn_map
crypto map backup_map interface backup
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 50
crypto isakmp policy 70
crypto isakmp nat-traversal 20