Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Configuring site-to-site VPN with load balancers.

I am configuring two Cisco ASA for site to site VPN using two load balancers. The load balancers will perform a failover should one of the line fails. Say for example, in normal conditions, the VPN tunnel will be created along the 'red' line (see picture) to the remote host. If one site's Internet line fails (say Site A's red link), the tunnel from Site A should go by the blue link to Site B's red link (if Site B's Internet line is perfectly fine).

For both remote sites, I want to connect each peer by using hostname (e.g. vpn.sitea.com). Also, for both sites, I am not sure how to add security associations so that each firewall can accept the different IP address of each other's multiple links.

Below, I have created a script for site-to-site VPN.

On SITE A

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

crypto isakmp enable outside

crypto isakmp identity hostname

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer vpn.siteb.com

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

exit

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

tunnel-group vpn.siteb.com type ipsec-l2l

tunnel-group vpn.siteb.com ipsec-attributes

pre-shared-key qwertyuiop

exit

On SITE B

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

crypto isakmp enable outside

crypto isakmp identity hostname

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer vpn.sitea.com

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

exit

access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

tunnel-group vpn.sitea.com type ipsec-l2l

tunnel-group vpn.sitea.com ipsec-attributes

pre-shared-key qwertyuiop

exit

I appreciate any comments and recommendations.

1 REPLY

Re: Configuring site-to-site VPN with load balancers.

119
Views
0
Helpful
1
Replies
CreatePlease to create content