Hello, looking for some direction on a network deployment. We have approx 15 sites, two being hub sites and the rest remote sites. All sites have primary and backup internet connections, as well as a private Ethernet over fiber link. Hardware will be all ASAs, 5515s, 5512s, 5505s.
The primary inter-site communication will be the private link, probably using OSPF of EIGRP (recommendations here welcome).
I am ok with all of the above, but have some questions on utilizing the internet connections to support failover to VPN for the private link.
1. Assuming the private links and routing are all configured, how would I add VPN failover?
a. VPN should failover to the two hub locations if the private link is down. I assume a single tunnel with a primary and secondary peer address for each hub, since it wouldn't need to connect to both hubs at the same time?
b. VPN should provide spoke-hub-spoke communication so that the failed site could still connect to all other sites through the VPN.
c. Not sure of the combination of dynamic routing/static routes/SLA tracking necessary to support this config.
2. VPN should support either primary or backup internet connection.
a. It appears that ASDM is not able to apply a single crypto map to multiple interfaces (to support same vpn tunnel on both primary and backup), it only allows one. With CLI you can create a single crypto map and apply to multiple interfaces. Am I missing how to configure this via ASDM, or is CLI the only way?
3. Does VPN follow most specific route the same way normal traffic routing does?
a. If I configure a 'blanket' VPN to tunnel all 'internal' traffic to a hub site (i.e. 10.50.x.x/16), but have one dedicated VPN to a datacenter location (10.50.50.x/24), will it behave as planned and all 10.50.x.x traffic (10.50.1.0, 10.50.2.0, etc) will go to the hub except traffic to 10.50.50.x will go to the data center?
Nobody has any thoughts or an example working config for this?
So far I have the private link working with EIGRP, then added a tracked static route for the VPN networks pointing to ISP gateway with a high metric. In theory the lower metric EIGRP routes take preference and traffic is routed over the private link until it is down, routes removed, and the backup default route to ISP takes over and establishes VPN. This mostly works. When I manually fail the private link the VPN starts up and connects, and everything works. The issue is that the VPN isn't torn down when the private link comes back up and EIGRP routes are available again. The VPN stays up, and all traffic stops. If i manually tear down the VPN traffic flows again, then for some reason 5-10 minutes later the VPN re-establishes and breaks traffic again. I have to keep the VPN disabled to prevent it from starting up on it's own.
Any thoughts on how to keep the failover VPN down until needed, and to make sure it tears down the VPN immediately when the private link and EIGRP routes are back online?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...