Re: IPSec Site-to-Site VPN with two ASAs and primary and backup
The crypto map is assigned to an interface where the traffic will be coming in and out of the ASA.
If the tracking configuration you have will cause the traffic to go out on a different interface, the crypto map needs to be applied on that interface also.
I believe you can use the same crypto map on both interfaces; the traffic and the peer will remain the same, you just need to apply it to both interfaces (just be careful if you have more than one tunnel configured). The crypto map configuration will be used only when there's traffic flowing through that interface.
The remote device will need one crypto map for that traffic with two peers on the same crypto map entry (I suggest verifying the version of the ASA, not all the versions seem to work ok with this; I think 8.0 and above are ok).
The ASA that has the tracking configuration should start the communication to help avoid synchronization problems between the devices.
Configuring keepalives will also help the remote end know that the first peer (interface) is no longer alive, and it will help build the new tunnel faster.