VPN Design question / which solution is the best option?

kenkaplan
Level 1

Hi all. I'm doing a design where this remote branch will have two routers going back to a pair of ASAs. Only one router needs to be active at any one time. The goal of the design is to avoid extra peer configuration on the HQ ASAs (not needing two sets of VPN policy for each peer on the head end).

So from the branch side, we would like the source of the VPN traffic to appear from one IP. This IP will somehow be shared between the two units (loopback or other), much like the way an ASA shares an IP for its VPN connection.

I'm thinking the two routers' external interfaces will be on the same /29 subnet, running a gateway redundancy protocol (HSRP) with only one unit active. Is it possible to use one of the /29 IPs as a /32 on both units, as only one is active? This IP would be the VPN peer address shared between the two units. Also, I need to split some traffic to the internet and the remainder into the VPN.

This is not my first time configuring VPNs, but I wanted to know if there's a better solution, as there are so many options.

Thanks

K

Accepted Solution

  1. You can bind your crypto map to an HSRP address for redundancy.
  2. If your main goal is to reduce the config on the HQ gateway, then I would also consider using two routers at the HQ and use FlexVPN/DVTIs or DMVPN. With that you have much more flexibility in your deployment.
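As an added example (not from the thread or either poster), here is point 1 applied to the design in the question: an IOS configuration for one of the two branch routers, with the crypto map bound to the HSRP group so the virtual address is the only peer the HQ ASAs ever see, and a crypto ACL plus NAT ACL that send HQ-bound traffic into the tunnel and everything else to the internet. All addresses, interface and object names, and the pre-shared key placeholder are assumptions.

```cisco
! Added example (not from the original thread): one branch router of the HSRP pair.
! Assumed documentation addresses: outside /29 203.0.113.0/29, HSRP virtual IP
! 203.0.113.3 (the single peer address the HQ ASAs see), ISP gateway 203.0.113.6,
! branch LAN 10.1.1.0/24, HQ LAN 10.0.0.0/16, HQ ASA 198.51.100.10.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 198.51.100.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Only branch-to-HQ traffic is encrypted; everything else is excluded from
! the crypto ACL and NATed out to the internet (the split the question asks for).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.255.255
ip access-list extended NAT-TRAFFIC
 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip 10.1.1.0 0.0.0.255 any
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Outside, /29 shared with the second router (203.0.113.2)
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
 standby 1 ip 203.0.113.3
 standby 1 priority 110
 standby 1 preempt
 standby 1 name HSRP-OUTSIDE
 ! Bind the crypto map to the HSRP group: IKE/IPsec is sourced from the virtual
 ! IP on whichever router is active, so the ASAs keep one peer entry per branch.
 crypto map VPN-MAP redundancy HSRP-OUTSIDE
!
interface GigabitEthernet0/1
 description Branch LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Internet-bound traffic is PATed to the physical outside address; existing
! NAT sessions do not survive a failover, only the IPsec peer address does.
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.6
```

The second router carries the same configuration with its own physical address (203.0.113.2) and the default HSRP priority, and the HQ ASAs are configured with 203.0.113.3 as the one peer for this branch.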
