Direct IPSEC VPN's w/multiple Hubs - Autoswitch back to primary hub
We are implementing direct IPSEC spoke to hub sites with a primary and secondary peer. Other than doing GRE to provide OSPF to the remote sites is there anyway to failback to the primary hub site after the spoke site has already failed over to the secondary hub site?
Eg. Spoke site with one ISP connection out (internet) and one static default route.
Setup with two crypto peers, one default (Primary), and a backup (If the primary goes away)
Two Hubs sites running OSPF on the inside with reverse route injections and dynamic peers for the VPN's.
Remote site cannot see the primary hub, re-established tunnel to secondary due to crypto peer statement, secondary hub site answers, tunnel is established and RRI puts spoke site routes into OSPF. Primary hub site it visable again (from spoke) and we would like to remote site to fail back to the primary site automatically.
Is this possible (the fail-back part)?
If not it means going the GER/OSPF route at the spoke sites and using costs to control the fail-back.
Re: Direct IPSEC VPN's w/multiple Hubs - Autoswitch back to prim
i think it might not work because since a tunnel is already established i think you will have to wait till the phase 1 lifetime expires
one way out i see is reduce the phase 1 lifetime by default it is 24 hrs around 86400 or something like that you can reduce it but just make sure that it is around 10 to 15 mins more than phase 2 lifetime, by default the phase 2 lifetime must be around 28800
so i think phase 1 lifetime to something like 5 to 6 hrs must be fine or reduce phase 2 timers too
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...