Question: Can someone provide a sample configuration for ASA devices (I'm on a set of 5510's) for doing l2l IPSEC with backup connections to the internet at both ends? I understand the concept of using an additional crypto-map entry per this page http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#backup
but this seems to be only in the case where 1 of the 2 endpoints is multihomed. I've got a scenario where I've got an ASA at a site with a 10 meg main line, 1.5 T1 backup and the same at the distant site. What strategy do people employ to get backup tunnels in this case? Do you set up for all 4 possibilities (10 to 10, 10 to 1.5, 1.5 to 10 and 1.5 to 1.5) or do you pair up the fast ones with one crypto map on each end (10 to 10) and another crypto map on each end (for the 1.5 to 1.5), then add some sort of routing protocol like OSPF over the top? Or do you track routes with a backup and track reachability?
What's the best strategy here? I would be fine saying "if my fast pipes are up, let's go 10 meg to 10 meg, and if one of them fails we fall back to the 1.5 to 1.5", but obviously routes will have to be shuffled here.
I can't be the only person who has multihomed ASA devices doing l2l at 2 locations. Any guidance from a guru would be most appreciated.
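One way to lay out the pairing the question describes (fast-to-fast as the primary path, T1-to-T1 as the fallback, with reachability tracking flipping the default route between the two uplinks) on a single ASA, as an added example that is not part of the original post or of the Cisco document it links. Every address (RFC 5737 documentation ranges), the interface names `outside` and `backup`, the object names and the pre-shared-key placeholder are constructed for this example; site B would carry the mirror-image configuration with site A's two addresses as its peers:

```cisco
! Site A (constructed addressing for this example):
!   outside = 203.0.113.2/30, ISP next hop 203.0.113.1 (10 meg main line)
!   backup  = 198.51.100.2/30, ISP next hop 198.51.100.1 (1.5 T1)
!   Site B peers: 192.0.2.2 (its fast link), 192.0.2.130 (its T1)
!   LAN A = 10.1.0.0/16, LAN B = 10.2.0.0/16

! Interesting traffic is identical no matter which uplink carries the tunnel
access-list l2l_siteB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Phase 1 / Phase 2 policy, with ISAKMP enabled on BOTH internet-facing interfaces
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp enable backup
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! One crypto map entry with two remote peers: the fast peer is listed first and
! tried first; the remote T1 address is only tried if the fast peer does not answer
crypto map l2l_map 10 match address l2l_siteB
crypto map l2l_map 10 set peer 192.0.2.2 192.0.2.130
crypto map l2l_map 10 set transform-set ESP-AES256-SHA
! The same map is bound to both uplinks, so whichever interface holds the
! active default route can build the tunnel
crypto map l2l_map interface outside
crypto map l2l_map interface backup

! Site B may initiate from either of its addresses, so each needs a tunnel-group
! (<PSK-PLACEHOLDER> stands in for the real pre-shared key)
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
tunnel-group 192.0.2.130 type ipsec-l2l
tunnel-group 192.0.2.130 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>

! Reachability tracking: probe the fast ISP's next hop every 10 seconds. When the
! probe fails, the tracked default route is withdrawn and the floating default
! route (metric 254) via the T1 takes over; it is reinstated when the probe recovers
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Two things to verify on a real deployment: first, probing the ISP's next hop only detects a dead local circuit, so if the provider can fail further upstream while the next hop still answers, point the `sla monitor` echo at an address beyond that router. Second, because each side lists both of the other side's addresses as peers, the "cross" combinations (10 to 1.5 and 1.5 to 10) come for free: an ASA whose fast link is up but whose peer's fast link is down simply fails over to the peer's second address, so there is no need for four separate crypto map entries. `show crypto isakmp sa`, `show track 1` and `show route` on both ASAs confirm which uplink and which peer address the tunnel is currently using.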