02-16-2008 06:59 PM - edited 02-21-2020 03:33 PM
I need some assistance in properly setting up a failover tunnel on spoke connections. We have ASAs located at two separate data centers. I would like for a router at a remote location to fail over to a separate ASA, should the initial tunnel go down.
I am thinking that I should utilize one of these two ways:
crypto map tohub 1 ipsec-isakmp
set peer 10.1.1.1 default
set peer 10.2.2.2
set security-association idle-time 120 default
=========================================
or
crypto map tohub 10 ipsec-isakmp
set peer 10.1.1.1
crypto map tohub 20 ipsec-isakmp
set peer 10.2.2.2
===========================================
Is it possible, and would I need to set up two RSA keys on the remote routers?
====================================
Any help would be greatly appreciated.
02-18-2008 01:30 AM
This should be possible with IPSEC preferred peer and Dead Peer Detection (DPD):
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gt_ipspp.htm
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtdpmo.html
HTH
Narayan
02-18-2008 10:57 AM
Dwayne
While both configs would be possible, I believe that the first one is closer to providing the functionality that you describe of failing over to the other peer if the first one fails. The first alternative has a single tunnel and is a bit simpler. In the second approach you are configuring 2 tunnels, and they both will be active all the time.
I have done a project for a customer where we did something similar. In that case we chose to configure 2 tunnels. We also configured the IPSec VPN to run with GRE. We run a dynamic routing protocol over the GRE tunnel and the choice of which tunnel to send traffic over and the automatic detection of loss of a peer and failover to the other peer is handled by the routing protocol. This works fine but it does introduce some complexities not present in the single tunnel approach.
HTH
Rick
02-19-2008 06:44 AM
It's not RSA keys that you define, it's a preshared key.
You can define 2 peers in just 1 statement; if peer 1 cannot be contacted, then it will try and negotiate phase 1 with peer 2. You can define up to 5 peers (I believe).
Depending on how your routing is set up, you might also need to add a floating static for peer 2.
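Putting the first alternative from the question together with the DPD and pre-shared-key points raised in the replies, as an added example that is not a config posted in this thread (IOS spoke side only, needing the 12.3(14)T IPsec Preferred Peer feature linked above; the key values, ACL 101, the transform-set name and the WAN interface are assumptions):

```cisco
! Added example, not from the thread: the single crypto map entry with
! two peers, completed with DPD and one pre-shared key per hub ASA.
! Peers 10.1.1.1 / 10.2.2.2 are the addresses used in the question; the
! key values, ACL 101, transform-set name and interface are assumptions.
!
! Phase 1 policy; both hub ASAs must be configured to accept it.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Pre-shared keys, not RSA keys: one per hub peer, so exposure of one
! key does not also give access to the other data center.
crypto isakmp key <KEY-FOR-DC1> address 10.1.1.1
crypto isakmp key <KEY-FOR-DC2> address 10.2.2.2
!
! Dead Peer Detection: keepalive every 10 s, retried every 3 s once a
! reply is missed, so loss of the hub is detected within seconds rather
! than when the SA lifetime runs out.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! One crypto map entry, two peers. "default" marks the preferred hub;
! after a failover to 10.2.2.2 the router returns to 10.1.1.1 once the
! SA has been idle for 120 s and is renegotiated.
crypto map tohub 1 ipsec-isakmp
 set peer 10.1.1.1 default
 set peer 10.2.2.2
 set transform-set TS
 set security-association idle-time 120 default
 match address 101
!
! Protected traffic: spoke LAN to hub networks (constructed addresses;
! must mirror the ACL configured on both ASAs).
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
interface FastEthernet0/0
 description WAN link toward both data centers
 crypto map tohub
```

If the two hub addresses are not both reachable through the same default route, the floating static for peer 2 mentioned in the reply above is still needed in addition to this.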
02-19-2008 12:33 PM
Thanks for all the replies.
I was talking to a guy from Cisco and he told me that the first one is the best, but I need to make sure that each ASA has the same root certificate.
Does anyone have any insight on this?