Redundancy with IPSec Tunnels

dphills18
Level 1

I need some assistance in properly setting up a failover tunnel on spoke connections. We have ASAs located at two separate data centers. I would like for a router at a remote location to fail over to a separate ASA if the initial tunnel goes down.

I am thinking that I should utilize one of these two ways:

crypto map tohub 1 ipsec-isakmp
 set peer 10.1.1.1 default
 set peer 10.2.2.2
 set security-association idle-time 120 default

or

crypto map tohub 10 ipsec-isakmp
 set peer 10.1.1.1
crypto map tohub 20 ipsec-isakmp
 set peer 10.2.2.2

Is this possible, and would I need to set up two RSA keys on the remote routers?

Any help would be greatly appreciated.

4 Replies

royalblues
Level 10

Dwayne

While both configs would be possible I believe that the first one is closer to providing the functionality that you describe of failing over to the other peer if the first one fails. The first alternative has a single tunnel and is a bit more simple. In the second approach you are configuring 2 tunnels. And they both will be active all the time.

I have done a project for a customer where we did something similar. In that case we chose to configure 2 tunnels. We also configured the IPSec VPN to run with GRE. We run a dynamic routing protocol over the GRE tunnel and the choice of which tunnel to send traffic over and the automatic detection of loss of a peer and failover to the other peer is handled by the routing protocol. This works fine but it does introduce some complexities not present in the single tunnel approach.

HTH

Rick


iraban
Level 1

It's not RSA keys that you define, it's a preshared key.

You can define 2 peers in just 1 statement; if peer 1 cannot be contacted, then it will try to negotiate phase 1 with peer 2. You can define up to 5 peers (I believe).

Depending on how your routing is set up, you might also need to add a floating static for peer 2.
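As an added illustration (not config posted by anyone in this thread), here is how the first alternative could be completed on an IOS spoke: one pre-shared key per hub, DPD so a dead primary is noticed and phase 1 is retried with the next peer, and a floating static for the backup hub. The IP addresses, ACL prefixes, interface name and key placeholders are assumptions.

```cisco
! Added example, not from the thread. Addresses, ACL and keys are assumed.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One pre-shared key per hub peer (pre-shared, not RSA, as noted above)
crypto isakmp key <PSK-HUB1-PLACEHOLDER> address 10.1.1.1
crypto isakmp key <PSK-HUB2-PLACEHOLDER> address 10.2.2.2
!
! Dead Peer Detection: probe every 10 s, retry every 3 s when unanswered,
! so loss of the primary hub is detected rather than waiting for SA expiry
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: spoke LAN to hub LANs (assumed prefixes)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.10.0.0 0.0.255.255
!
! Single map entry, two peers: 10.1.1.1 is preferred ("default"), and the
! idle timer with "default" returns traffic to it once it is back
crypto map tohub 1 ipsec-isakmp
 set peer 10.1.1.1 default
 set peer 10.2.2.2
 set transform-set TS-AES
 set security-association idle-time 120 default
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description WAN (assumed)
 ip address 203.0.113.10 255.255.255.0
 crypto map tohub
!
! Default route toward the primary ISP next hop (assumed)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Floating static (AD 250) for the backup hub, only needed when it is
! reached over a different path than the primary (backup next hop assumed)
ip route 10.2.2.2 255.255.255.255 198.51.100.1 250
```

After applying it, `show crypto isakmp sa` and `show crypto session` show which peer the spoke is currently negotiated with, which is the quickest way to confirm a failover actually happened.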

Thanks for all the replies.

I was talking to a guy from Cisco and he told me that the first one is the best, but I need to make sure that each ASA has the same root certificate.

Does anyone have any insight on this?
