Backup IPSEC connection multiple remote Internet egress sites won't allow multiple any encryption domains
I have currently set up an ASA at a remote site in the middle of the USA which tunnels all traffic back to our West Coast HQ to use its Internet connection. It works great. However, I also want to have another tunnel to our East Coast HQ to use its Internet connection should a failure occur on the West Coast. I'm basically using the "any" remote network as a default route to the Internet via the IPSEC VPN tunnel.
The ASA gives me a warning in ASDM if I have multiple connections set up that overlap, i.e. I have Local Network: 10.0.0.1, Remote Network: any. I cannot repeat this for a different connection profile as a backup.
Is there any way the ASA can support having multiple "any" tunnels to primary and backup sites?
It's easy to set up backup peers for IPSEC tunnels. First off, you can't use IKEv2 (boo); I had to go back to IKEv1, and you have to use keepalives.
Never could get the recommended "originate only" on the remote sites working correctly, but "bidirectional" worked fine. It doesn't matter because I'm using a dynamic IP at the remote sites; the head ends will never initiate the VPNs (I don't have the "static IP" box checked).
Anyway, in ASDM go to the Site-to-Site VPN section, then Advanced, and create a tunnel group for each peer, primary and backup. Then in the Crypto Maps section select the static entry you are working with, put the new backup peer in the Peer settings below and click Add.
Best practice is to have the remote sites use originate only and the head ends be answer only, so the head ends don't initiate the tunnels and cause a "loop".
Now to mess around with the EIGRP routing to finish this all off. If anyone has hints let me know, my devices don't support IP SLA or else I would have been done with this already :(
To test, just booting off the tunnel isn't enough; the physical interface has to actually go down. Or, I found, you can just uncheck "Enable IKEv1" on the Connection Profiles list and apply, THEN go and LOGOUT the connected VPN, and it will fail over to the other peer.
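The ASDM steps in the replies above, written out as the equivalent ASA CLI on the remote-site ASA (an added example, not the poster's own configuration). The peer addresses, the remote LAN subnet, the object/ACL names and the interface name are assumptions; the point is that one static crypto map entry with the "any" ACL carries two peers, which is what avoids the overlapping-entry warning:

```cisco
! Remote-site ASA: IKEv1 site-to-site tunnel with a primary and a backup peer.
! Assumed values: 203.0.113.10 = West Coast HQ, 198.51.100.10 = East Coast HQ,
! 10.0.0.0/24 = remote LAN, "outside" = Internet-facing interface.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Interesting traffic: everything from the remote LAN to "any" goes into the tunnel.
access-list VPN_ACL extended permit ip 10.0.0.0 255.255.255.0 any
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! A single static crypto map entry; both peers are listed in priority order.
! The ASA negotiates with 203.0.113.10 first and falls back to 198.51.100.10
! once keepalives (DPD) declare the first peer dead. Multiple peers per entry
! is an IKEv1 feature, which is why the thread had to drop IKEv2.
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
! Best practice from the thread: originate-only at the remote site and
! answer-only at the head ends so the head ends never start a tunnel.
! (The poster ended up on bidirectional, which behaves the same here
! because the head ends cannot initiate to a dynamic-IP remote.)
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside
!
! One tunnel-group per peer. The keepalive line is the DPD timer that
! actually drives the failover; without it a dead peer is never noticed.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PRIMARY_PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_BACKUP_PSK
 isakmp keepalive threshold 10 retry 2
```

After a failover, `show crypto ikev1 sa` and `show crypto ipsec sa peer <address>` show which head end currently holds the SA.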