
VPN redundancy per destination?

CSC011240286
Level 1

Hi All, I'm busy setting up a VPN for one of my clients. They need to have the same VPN tunnel with the same source - destination interesting traffic but terminating on two different public IPs. So this should have sort of a primary VPN; should it fail, then a secondary VPN should take over. This is not the redundant ISP scenario.

Network A - B ------------vpn---------terminate on X (most preferred)

Network A - B ------------vpn---------terminate on Y (less preferred)


4 Replies

ghostinthenet
Level 7

What platform are you using to terminate these VPNs? If you're using routers rather than security appliances, you can use tunnel interfaces and run a routing protocol to manage the traffic. 

Hi Jody, I'm using the ASA5555-X appliances
 

On the ASA, you can do it with the primary crypto map having a higher priority than the backup, but using the same ACLs. If the first map can't peer, the second one will establish. It's worth setting lower lifetimes on the IPSec SA for this. You may also want to consider setting the hub to be originate-only and the spokes to be receive-only so that you don't have a spoke creating a new SA when you don't want it to.

Thanks Jody, much appreciated
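
A check for the layout the accepted answer describes, as an added example that is not part of the thread: it parses ASA `crypto map` lines and reports where a primary/backup pair deviates from that layout. The map name, ACL name, peer addresses and lifetime are constructed placeholders, and the audited device is assumed to be the initiating side the answer calls the hub.

```python
import re

# Constructed sample for the initiating ASA: map name, ACL name, peer
# addresses (RFC 5737) and lifetime are placeholders, not from the thread.
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address VPN_A_TO_B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP 20 match address VPN_A_TO_B
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP 20 set connection-type originate-only
"""
DEFAULT_LIFETIME = 28800  # ASA default IPsec SA lifetime, in seconds
LINE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set connection-type"
                  r"|set security-association lifetime seconds) (\S+)\s*$")

def parse(config, map_name):
    """Return {sequence: {setting: value}} for one crypto map."""
    entries = {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(1) == map_name:
            entries.setdefault(int(m.group(2)), {})[m.group(3)] = m.group(4)
    return entries

def audit(config, map_name, primary_peer, backup_peer):
    """List deviations from the primary/backup layout the answer describes."""
    by_peer = {e.get("set peer"): (seq, e) for seq, e in parse(config, map_name).items()}
    if primary_peer not in by_peer or backup_peer not in by_peer:
        return ["primary or backup peer has no crypto map entry"]
    (p_seq, p), (b_seq, b) = by_peer[primary_peer], by_peer[backup_peer]
    issues = []
    if p_seq >= b_seq:  # the lower sequence number is evaluated first
        issues.append("primary entry must have the lower sequence number")
    if not p.get("match address") or p.get("match address") != b.get("match address"):
        issues.append("entries do not share the same ACL")
    for label, e in (("primary", p), ("backup", b)):
        life = e.get("set security-association lifetime seconds")
        if life is None or int(life) >= DEFAULT_LIFETIME:
            issues.append(f"{label}: IPsec SA lifetime not lowered below default")
        if e.get("set connection-type") != "originate-only":
            issues.append(f"{label}: connection-type is not originate-only")
    return issues

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "OUTSIDE_MAP", "203.0.113.10", "198.51.100.20") or "layout OK")
```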
