IPSec L2L VPN with Failover -- Single IP on ASA -- Dual Homed WatchGuard
Could someone please explain to me how to convert a site-to-site single IP mapping on an ASA terminating on a WatchGuard, which will become dual-homed (the WG will--the ASA will continue utilizing a single provider), utilizing WAN failover, so that failure of the primary ISP on the WG will trigger a route deletion and dynamically route traffic across the other tunnel on the ASA configuration side?
Is this even possible with native L2L configuration or do you need multiple tunnels with IP SLA or OSPF? Or can't it be done?
Re: IPSec L2L VPN with Failover -- Single IP on ASA -- Dual Homed WatchGuard
It can be done and it is quite simple on the ASA. The solution does not involve multiple tunnels on the ASA and does not involve route deletion. You would simply modify the configuration of the ASA tunnel to specify a second peer address. If your config looked something like this
crypto map vpn_map 10 set peer a.b.c.d
you would modify it to be
crypto map vpn_map 10 set peer a.b.c.d e.f.g.h
With this configuration your ASA would negotiate the VPN tunnel with a.b.c.d and if that peer became unavailable then your ASA would negotiate the VPN with e.f.g.h. Note that failover here is automatic but that it does not automatically fail back.
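An added check, not part of the original reply and not Cisco tooling: a small Python audit of an ASA configuration that lists each crypto map entry's peers in failover order and flags any peer that has no matching `tunnel-group ... type ipsec-l2l`. It assumes pre-shared-key L2L tunnels keyed by peer IP; the sample config, the ACL name `l2l_acl`, and the documentation-range addresses standing in for a.b.c.d and e.f.g.h are constructed.

```python
import re

# Constructed sample config: 192.0.2.1 stands in for a.b.c.d (primary WatchGuard WAN),
# 198.51.100.1 for e.f.g.h (backup WAN). The backup peer's tunnel-group is left out
# on purpose so the audit has something to report.
SAMPLE_CONFIG = """\
crypto map vpn_map 10 match address l2l_acl
crypto map vpn_map 10 set peer 192.0.2.1 198.51.100.1
crypto map vpn_map interface outside
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key <placeholder>
"""

# "set peer" lines carry one or more peers; order is the order the ASA tries them.
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$", re.M)
# L2L tunnel-groups are named after the peer address (assumption: PSK authentication).
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l\s*$", re.M)


def audit_peers(config):
    """Return one finding per crypto map entry that has a 'set peer' line."""
    groups = set(TG_RE.findall(config))
    findings = []
    for name, seq, peers in PEER_RE.findall(config):
        peer_list = peers.split()
        findings.append({
            "entry": f"{name} {seq}",
            "peers": peer_list,                      # failover order
            "has_backup": len(peer_list) > 1,        # False means no second peer
            "missing_tunnel_group": [p for p in peer_list if p not in groups],
        })
    return findings


if __name__ == "__main__":
    for f in audit_peers(SAMPLE_CONFIG):
        print(f["entry"], "peers:", ", ".join(f["peers"]))
        if not f["has_backup"]:
            print("  no backup peer configured")
        for p in f["missing_tunnel_group"]:
            print(f"  peer {p} has no ipsec-l2l tunnel-group")
```

A line that lacks the `set peer` keywords is not matched at all, so an entry that returns no finding is itself worth a second look.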