I have two sites, both having two internet connections. At each site there is an ASA 5520, and I wish to create redundant VPN tunnels between the two ASAs. I would like to use ISP1 for the primary tunnel and ISP2 for the secondary. Since the interesting-traffic ACL for both tunnels will be the same, I saw someone using multiple "set peer" commands in the same crypto map, and defining multiple tunnel-group peers as well. I'm just wondering how the "set peer" commands will be used, i.e. will the first "set peer" command define the primary tunnel and then the 2nd command define the secondary tunnel? Anyone tried it before? Thanks in advance.
I haven't tried it with multiple peer IPs. But I have posted a similar post, and I got the answer to configure multiple peer IPs in the same crypto map. After that we need to enable one more command, i.e. set peer default.
Wherein the VPN device will take the first peer IP as primary, and whenever the primary is not reachable it will try the secondary.
But the problem with this setup is that we need to manually switch over from secondary to primary once the primary comes up, and there is some downtime when the VPN device switches from the primary peer IP to the secondary.
One more way is to configure a dynamic routing protocol and configure GRE over IPsec.
This should work, although I haven't done the testing myself. It is no different from creating a tunnel to a second VPN peer. But remember, this provides you VPN peer redundancy, not tunnel redundancy. The 2nd VPN peer should have exactly the same tunnel configuration to make it work, which may rely on the routing failover as well. Another concern is dead peer detection: how soon the 2nd peer is used after the 1st one is detected to be dead. Once these are sorted out and considered to meet your requirements, it should be a working solution.
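To make the two replies above concrete (the multiple-peer crypto map from the first answer, and the dead-peer-detection and routing-failover caveats from the second), here is an added ASA 8.x style configuration sketch for one site. It is example configuration written for this thread, not something posted by the original authors or taken from Cisco documentation. All addresses (203.0.113.x, 198.51.100.x, 10.1.0.0/16, 10.2.0.0/16), interface names, the pre-shared-key placeholder and the ISAKMP policy values are constructed assumptions; binding the same crypto map to both outside interfaces is also an assumption that should be checked against your ASA release.

```cisco
! --- Assumed interfaces: outside-isp1 (primary), outside-isp2 (secondary), inside ---
! Remote site ASA is assumed reachable at 203.0.113.10 (its ISP1) and 198.51.100.10 (its ISP2).

! Phase 1 (constructed policy values)
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside-isp1
crypto isakmp enable outside-isp2

! Interesting traffic: the same ACL is used for both peers, which is why one crypto map entry suffices
access-list VPN-INTERESTING extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! One crypto map entry, two peers: the first listed peer is tried first, the second only
! when the first is considered dead. The ASA does not fall back to the first peer on its own.
crypto map SITE-VPN 10 match address VPN-INTERESTING
crypto map SITE-VPN 10 set peer 203.0.113.10 198.51.100.10
crypto map SITE-VPN 10 set transform-set ESP-AES256-SHA
crypto map SITE-VPN interface outside-isp1
crypto map SITE-VPN interface outside-isp2

! One L2L tunnel-group per peer address; both carry identical attributes.
! Dead peer detection (isakmp keepalive) decides how quickly the second peer is used:
! probe after 10 s of silence, retry every 2 s. Lower values fail over faster but
! increase the chance of a flapping tunnel on a lossy ISP link.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
 isakmp keepalive threshold 10 retry 2

! Routing failover for the local side: a tracked default route via ISP1 with a
! floating default route via ISP2. Without this the local ASA keeps sending
! through ISP1 even when that link is down, so peer redundancy alone is not enough.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside-isp1
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside-isp1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside-isp2 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Two operational points follow from this layout. First, once traffic has moved to the second peer it stays there until the security associations are cleared (for example with `clear crypto ipsec sa peer 198.51.100.10`) or they expire, which is the manual switch-back the first reply describes; monitoring which peer is active (`show crypto isakmp sa`) is therefore worth alerting on. Second, the remote site needs the mirror-image configuration with its own two peers and its own tracked routes, otherwise only one direction of the failover works.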
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...