ASA Site to Site Redundant VPNs for HA running IKEv2
Looking for confirmation whether 8.4.3 code (or higher) can support the ability for spoke endpoint ASA5505s to have certificate-based, IKEv2 Site to Site VPN tunnels to separate ASA hub sites at separate geographical locations for high availability/DR purposes. We are able to accomplish this with IKEv1 with PSKs, configuring the peer public IP addresses of the separate ASA hubs in the crypto map (18.104.22.168 and 22.214.171.124 in the example below), but not with IKEv2 with certificates:
A few interesting comments in the document are as below:
Multiple peers used for redundancy is not supported with IKEv2 on the ASA. In IKEv1, for redundancy purposes, one can have more than one peer under the same crypto map when you enter the set peer command. The first peer will be the primary and if it fails, the second peer will kick in. Refer to Cisco bug ID CSCud22276 (registered customers only), ENH: Multiple Peers support for IKEv2.
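The following is an added example, not part of the original thread or of Cisco's documentation: a small audit script that scans an ASA configuration for crypto map entries that list more than one peer while negotiating IKEv2, the combination the quoted note says is unsupported. The map name, ACL names, proposal names and documentation-range addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample config (hypothetical names, documentation-range addresses).
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address VPN_HUBS
crypto map OUTSIDE_MAP 10 set peer 192.0.2.1 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN_DR
crypto map OUTSIDE_MAP 20 set peer 192.0.2.1 198.51.100.1
crypto map OUTSIDE_MAP 20 set ikev2 ipsec-proposal AES256
crypto map OUTSIDE_MAP 30 match address VPN_LAB
crypto map OUTSIDE_MAP 30 set peer 203.0.113.7
crypto map OUTSIDE_MAP 30 set ikev2 ipsec-proposal AES256
crypto map OUTSIDE_MAP interface outside
"""

# Matches only per-sequence "set peer / set ikev1 / set ikev2" lines.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) set (peer|ikev1|ikev2)\s+(.*)$")

def parse_crypto_maps(config):
    """Group 'crypto map <name> <seq> set ...' lines by (name, seq)."""
    entries = defaultdict(lambda: {"peers": [], "ikev1": False, "ikev2": False})
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        name, seq, keyword, rest = m.groups()
        entry = entries[(name, int(seq))]
        if keyword == "peer":
            entry["peers"].extend(rest.split())
        else:
            entry[keyword] = True
    return dict(entries)

def find_ikev2_multi_peer(config):
    """Return (name, seq, peers) for entries with backup peers and IKEv2."""
    findings = []
    for (name, seq), e in sorted(parse_crypto_maps(config).items()):
        if e["ikev2"] and len(e["peers"]) > 1:
            findings.append((name, seq, e["peers"]))
    return findings

if __name__ == "__main__":
    for name, seq, peers in find_ikev2_multi_peer(SAMPLE_CONFIG):
        print(f"{name} seq {seq}: IKEv2 with {len(peers)} peers {peers}; "
              "peer failover is described for IKEv1 only")
```

Sequence 10 (IKEv1 with two peers) and sequence 30 (IKEv2 with one peer) pass; only sequence 20 is reported.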