Cisco Support Community
Community Member

Redundant L2L IPSec Tunnel between HQ and Branch office

Hi everyone,

I have a scenario where HQ has an internet leased line (static IP) and the branch office has one internet leased line (static IP) and an ADSL line (dynamic IP).

Normally the branch office communicates with the data center using an IPSec tunnel via the internet leased line. I want to establish an automatic L2L IPSec tunnel between the branch office and the data center via the ADSL line if the internet leased line at the branch office goes down.

HQ has a Cisco ASA 5540, whereas the branch office terminates the internet leased line on an ASA 5520 and the ADSL on a Cisco 2811.

Please note that the crypto domain for both the primary and secondary IPSec tunnels is the same, and the ADSL has a dynamic IP address. Also share your thoughts on whether I can create the backup tunnel using Dynamic DNS (for ADSL) and specifying the hostname (rather than the IP address) of the remote peer on the HQ ASA.

I hope the scenario is clear to you all.

Thanks in advance


Cisco Employee

Re: Redundant L2L IPSec Tunnel between HQ and Branch office

Hi Abid,

One way I can think of this being done is as below:

1) Configure SLA monitoring on the core switch in the branch office to switch traffic from the leased line to the ADSL line if the leased line goes down.

2) Leave the static crypto map that is already in place at the headend. Configure a dynamic crypto map and associate it to the static crypto map with a higher sequence number.

3) Configure the VPN on the router terminating the ADSL line to the ASA 5540.

This should take care of the VPNs and the fallback mechanism. Please ensure you have ISAKMP keepalives configured on all the devices concerned so that the VPN goes down if the internet line goes down.

Let me know if this helps!!
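The three steps in the reply above, written out as one worked configuration across the three branch/HQ devices. This is an added example and not configuration from the original thread or from either poster: the addresses (203.0.113.0/24 and 198.51.100.0/24 as the ISP-facing networks, 10.1.0.0/16 at HQ, 10.2.0.0/16 at the branch), the ACL, map and transform-set names, the use of a Dialer interface for the ADSL line, and the pre-8.4 ASA IKEv1 syntax (`crypto isakmp ...`) are all assumptions; `REPLACE_ME` is a placeholder for the pre-shared key.

```cisco
!=== Step 1: branch core switch (IOS) - SLA probe through the primary path ===
! Probe an HQ host (assumed 10.1.0.10) that is only reachable through the tunnel.
ip sla 1
 icmp-echo 10.1.0.10 source-interface Vlan10
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
! Pin the probe target to the leased-line ASA (assumed 10.2.0.1) so the probe does
! not succeed over the ADSL path and flap the primary route back in.
ip route 10.1.0.10 255.255.255.255 10.2.0.1
! Primary route via the ASA 5520 (tracked); floating route via the 2811 (assumed 10.2.0.2).
ip route 10.1.0.0 255.255.0.0 10.2.0.1 track 1
ip route 10.1.0.0 255.255.0.0 10.2.0.2 250

!=== Step 2: HQ ASA 5540 (headend) - keep the static entry, add a dynamic one ===
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
access-list L2L-BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! Existing static entry to the branch ASA 5520 leased-line address (assumed 203.0.113.10).
crypto map OUTSIDE_MAP 10 match address L2L-BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
! Dynamic entry for the 2811 on the ADSL line (dynamic IP); highest sequence number
! so it is only consulted after every static entry fails to match.
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
! Keepalives (DPD) on the static peer and on the default group used by dynamic peers.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_ME
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE_ME
 isakmp keepalive threshold 10 retry 2

!=== Step 3: branch Cisco 2811 (IOS) - L2L VPN over ADSL to the HQ ASA ===
! HQ ASA outside address assumed 198.51.100.1; same crypto domain as the primary tunnel.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE_ME address 198.51.100.1
crypto isakmp keepalive 10 2
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
ip access-list extended L2L-HQ
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map ADSL_MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 match address L2L-HQ
interface Dialer0
 crypto map ADSL_MAP
```

Two points worth checking after applying something like this: `show crypto isakmp sa` on the HQ ASA should show only one branch SA at a time (the static peer normally, the dynamic peer after failover), and `show track 1` on the core switch should flip to "Reachability is Down" within the keepalive threshold plus the probe frequency when the leased line is pulled. The host route for the probe target is what prevents the classic flap where the probe succeeds over the backup path and re-installs the primary route.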


