11-07-2014 11:56 AM
Hi All, I'm busy setting up a VPN for one of my clients. They need to have the same VPN tunnel with the same source-destination interesting traffic, but terminating on two different public IPs. So this should have sort of a primary VPN; should it fail, then a secondary VPN should take over. This is not the redundant ISP scenario.
Network A - B ------------vpn--------- terminate on X (most preferred)
Network A - B ------------vpn--------- terminate on Y (less preferred)
11-09-2014 10:22 AM
On the ASA, you can do it with the primary crypto map having a higher priority than the backup, but using the same ACLs. If the first map can't peer, the second one will establish. It's worth setting lower lifetimes on the IPsec SA for this. You may also want to consider setting the hub to be originate-only and the spokes to be receive-only so that you don't have a spoke creating a new SA when you don't want it to.
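As an added example (not the thread's own configuration), here is a spoke-side ASA configuration that lists the preferred peer X and the backup peer Y in a single crypto map entry, the multi-peer form the ASA supports for originate-only LAN-to-LAN tunnels, rather than two separate map entries; the hubs X and Y would then use "set connection-type answer-only". The addresses, object names, the 3600 s lifetime and the IKE policy values are assumed, and the pre-shared key is a placeholder.

```cisco
! Spoke-side ASA (assumed: ASA 9.x syntax, IKEv1). Constructed example values:
!   local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16
!   preferred hub peer X = 203.0.113.10, backup hub peer Y = 198.51.100.20
! The same interesting-traffic ACL is used for both peers.
access-list VPN-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

crypto ipsec ikev1 transform-set VPN-TS esp-aes-256 esp-sha-hmac

! One crypto map entry with two peers in order of preference: the ASA tries
! the first peer and falls back to the second if it cannot establish with it.
crypto map OUTSIDE_MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.20
crypto map OUTSIDE_MAP 10 set ikev1 transform-set VPN-TS
! Shorter IPsec SA lifetime so the spoke re-evaluates the peer list sooner.
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
! Multiple peers in one entry are only permitted when this side initiates.
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside

! One tunnel-group per peer address; the PSK value is a placeholder.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
```

After a failover, "show crypto ikev1 sa" and "show crypto ipsec sa" on the spoke show which peer currently holds the SA, which is the quickest way to confirm traffic moved to Y and later returned to X.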
11-08-2014 08:04 AM
What platform are you using to terminate these VPNs? If you're using routers rather than security appliances, you can use tunnel interfaces and run a routing protocol to manage the traffic.
11-08-2014 10:59 AM
Hi Jody, I'm using the ASA5555-X appliances.
11-10-2014 10:31 AM
Thanks Jody, much appreciated.