Re: VPN cryptomap for remote failover IPs

tato386 · ‎05-01-2018

I need an ASA to establish a VPN for a remote network that has redundant ISPs and therefor it also has multiple peer IPs. So the question is should I add both remote IPs to one cryptomap sequence or should I create two sequences? Note that I do not/cannot do load balancing. This should work as a primary/secondary setup. Will both of these examples work? If so, are there pros and cons of each?

Thanks,

Diego

Option A:
crypto map cryptomap 10 match address acl_cryptomap
crypto map cryptomap 10 set peer 1.1.1.1 2.2.2.2
crypto map cryptomap 10 set ikev1 transform-set DES-SHA
crypto map cryptomap 10 set ikev2 pre-shared-key *****

Option B:
crypto map cryptomap 10 match address acl_cryptomap
crypto map cryptomap 10 set peer 1.1.1.1
crypto map cryptomap 10 set ikev1 transform-set DES-SHA
crypto map cryptomap 10 set ikev2 pre-shared-key *****
crypto map cryptomap 20 match address acl_cryptomap
crypto map cryptomap 20 set peer 2.2.2.2
crypto map cryptomap 20 set ikev1 transform-set DES-SHA
crypto map cryptomap 20 set ikev2 pre-shared-key *****

Francesco Molino · ‎05-01-2018

Hi

If you want to do failover then use option A.
ASA will try to build up L2L with peer ip 1 and if not available then move its way done to select next peer ip.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

tato386 · ‎05-02-2018

Cool, good to know.

So out of curiosity, what would the behavior be if I used the other option?

Thanks,

Diego

Francesco Molino · ‎05-02-2018

The other option is 2 different tunnels. But it will build up the first tunnel because they're sharing the same crypto acl

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question