
ipsec failover between ASA5510 and router

I have configured the router as below to have failover with the remote IPsec server.

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********* address 220.***.***.*
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 220.***.***.*
 set transform-set myset
 match address 101
!
crypto map mymap1 10 ipsec-isakmp
 set peer 220.***.***.*
 set transform-set myset1
 match address 101
!
interface FastEthernet0/0
 ip address dhcp
 duplex auto
 speed auto
 no cdp enable
 crypto map mymap
!
interface FastEthernet0/1
 ip address dhcp
 shutdown
 duplex auto
 speed auto
 no cdp enable
 crypto map mymap1
!
access-list 101 permit ip 220.***.***.192 0.0.0.31 any log

=================

As you can see, there is one IPsec server at the remote site, and I want the router to have an IPsec tunnel to it with a failover configuration.

Can someone please have a look and let me know if there is anything wrong?

1 REPLY

Re: ipsec failover between ASA5510 and router

First, access-list 101 must be:

source: your LAN behind the router

destination: the LAN behind the remote peer (the ASA)

because this ACL tells the router and the crypto map what will be included in the tunnel, the so-called interesting traffic. As you have done it wrong, no traffic will be matched!

Then, as long as there are two remote peers, one primary and one secondary, each with its own IP, you could do the following.

Change

crypto isakmp key ********* address 220.***.***.*

to:

crypto isakmp key ********* address 0.0.0.0

Then make one crypto map that looks like:

crypto map mymap 10 ipsec-isakmp
 set peer 220.***.***.* default
 set peer [second peer ip]
 set transform-set myset
 match address 101

Good luck.

If helpful, rate.

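The following is an added worked example, not configuration from the original post or the reply, showing how the reply's three points (a proper interesting-traffic ACL, a key for each peer, and one crypto map with a primary and a secondary peer) fit together on the router. The LAN 192.168.10.0/24 behind the router, the LAN 10.20.0.0/24 behind the ASA, and the peer addresses 203.0.113.1 and 203.0.113.2 are placeholders chosen for this example; the ISAKMP policy and transform set are kept as in the original post.

```text
! ISAKMP policy, kept from the original post
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
! One pre-shared key bound to each peer address (peer addresses are placeholders).
! The reply's "address 0.0.0.0" form is the wildcard key, normally written with an
! explicit mask as "address 0.0.0.0 0.0.0.0"; it lets any peer that knows the key
! authenticate, so binding the key to each peer address is the tighter choice.
crypto isakmp key ********* address 203.0.113.1
crypto isakmp key ********* address 203.0.113.2
!
! Dead Peer Detection: this is what notices the primary peer is gone so the
! crypto map can move to the next peer (10 s interval, 3 s retry, periodic probes).
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
! One crypto map, two peers. "default" marks the preferred peer: the router tries
! it first and, after a failover, goes back to it on the next connection attempt
! instead of continuing down the list.
crypto map mymap 10 ipsec-isakmp
 set peer 203.0.113.1 default
 set peer 203.0.113.2
 set transform-set myset
 match address 101
!
! The crypto map is applied to one active outside interface
interface FastEthernet0/0
 ip address dhcp
 crypto map mymap
!
! Interesting traffic: source = LAN behind the router (placeholder),
! destination = LAN behind the ASA (placeholder). The ASA side must have the
! mirror image of this ACL or the proxy IDs will not match during phase 2.
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.0.255
```

Two caveats a practitioner would want alongside this: the posted transform set (esp-des esp-md5-hmac) and ISAKMP policy (MD5, group 2) are kept only to stay with the thread; DES and MD5 are weak by current standards, and on any router that supports them AES and SHA with a larger DH group are the right choice. And the `default` keyword on `set peer` only makes sense with DPD enabled, since without `crypto isakmp keepalive` the router has no trigger to abandon a dead peer and try the next one.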