I'm having some problems configuring site-2-site VPNs with multiple peers (i.e., for a peer with multiple internet connections and in turn public IP addresses).
With IKEv1 crypto-maps it seems a simple case of entering two peer addresses in the same crypto-map match statement:
crypto map Crypto_Map 10 match address Interesting_Traffic
crypto map Crypto_Map 10 set peer 220.127.116.11 18.104.22.168
crypto map Crypto_Map 10 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
However, IKEv2 crypto-maps don't support multiple peer statements. Using two separate match statements:
crypto map Crypto_Map 10 match address Interesting_Traffic
crypto map Crypto_Map 10 set pfs
crypto map Crypto_Map 10 set peer 22.214.171.124
crypto map Crypto_Map 10 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-256-SHA1 IKEV2-IPSEC-ESP-3DES-SHA1
crypto map Crypto_Map 20 match address Interesting_Traffic
crypto map Crypto_Map 20 set pfs
crypto map Crypto_Map 20 set peer 126.96.36.199
crypto map Crypto_Map 20 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-256-SHA1 IKEV2-IPSEC-ESP-3DES-SHA1
In both cases we have set up IP SLA on the remote peer to fail over to the secondary line if the first line becomes unavailable. When the primary line fails we maintain internet connectivity; however, site-2-site connectivity via the VPN link is lost when using duplicate match statements.
Would it be the case that traffic from the local peer will match the Crypto_Map 10 statement, attempt to form a tunnel, fail (as the remote peer's primary line and in turn IP address is down), get "stuck" on this statement and not know it has other match statements it can use?
Your last assumption is right. The router will not pick the next sequence in the crypto-map if the actual one already matches.
Do you have an IOS router on both sides? Then you should configure virtual tunnel interfaces between your router and both peer addresses. Now you can fail over with the help of line state, a routing protocol, or static routing with route tracking.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni