Routing over multiple VPNs to the same subnet

tmpoff · ‎07-08-2010

I have two IPSEC site-to-site VPN tunnels set up from my ASA 5520.

Tunnel A goes to remote network 10.16.18.0/24.

Tunnel B goes to remote network 10.16.18.0/24 as well albeit through a different route.

I did this for redundancy. i want the traffic to take tunnel B only when A is down. i set up the routes accordingly.

My problem is that it always routes over tunnel A regardless of the route in the routing table. Even when i only have the tunnel B route defined, it takes the tunnel A route. The crypto map settings are over-riding the route statemnts. I am using static routes.

How can I accomplish this? NAT is not optimal since my partner on the other end has hundreds of devices that would need specific NATs. Please help. is there anyway around this issue.

tlago · ‎07-08-2010

I have tried something similiar on an ASA/PIX and I wasn't able to get it to work, here is how I understand the challenge within the firewall. When you build an IPsec tunnel with a specific network you cannot define another metric to the same network via different tunnel, it always takes the one that is established first, in older PIX codes it used to let you set this up, but it still didn't work, I am surprised that the ASDM let you define it twice without giving you an error. If you had multiple Internet connections, and another ASA, you could build another tunnel to your other site, then via layer 3 switch before the ASA's define via route which ASA to take, you could try it via metric and see if it worked, but since the ASA is more of a pass through device and not a router, it would be best if you did it via static route or try a routing protocol.

hope that helps...