VPN with backup ISP connections

mawallace
Level 1

I want to utilise the backup ISP features of the ASA 5505 using the article here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

I guess that at the other end I will need to create a site-to-site network based on the ASA hostname as opposed to IP addresses, so that it will accept the incoming VPN link regardless of which link is used.

Is there anything else I need to be aware of?

2 Replies

aabhatia
Level 1

In a site-to-site VPN tunnel we never do this with the name of the device; it needs to be configured with the IP address of the interface.

On the remote sites you need to configure both interface IP addresses as peers.

Example:

crypto map mymap 30 set peer 1.1.1.1 1.1.1.2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.2 type ipsec-l2l

where 1.1.1.1 and 1.1.1.2 are the primary and backup interface IP addresses.

Make sure you have DPD enabled on the devices.

aarti

Thank you for that.

What if there are backup connections at each site?

e.g.

Remote Site - ISP connections (say) 1.1.1.1 & 1.1.1.2

Main Office - 2.1.1.1 & 2.1.1.2

As I understand it, you can set multiple peers on originate-only connections and not on answering ones.

So, this setup would work:

Remote Site - using 1.1.1.1 as the ISP (primary connection), you could set up 2.1.1.1 and 2.1.1.2 as the peers (as in your example).

But if 1.1.1.1 goes down and it switches across to 1.1.1.2, the main office will not answer, as it sees it coming from the wrong IP address. Is that correct?

So how do I get this to work so that the VPN still works whether it comes from 1.1.1.1 or 1.1.1.2?
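As an added example that is not part of this thread (it is neither the posters' nor Cisco's code), the following Python script lints an ASA running-config for the three gaps the reply above warns about: a peer listed in `crypto map ... set peer` that has no matching `tunnel-group <peer> type ipsec-l2l`, a tunnel-group with no DPD (`isakmp keepalive`) under its `ipsec-attributes`, and an interface that carries the crypto map but has no `crypto isakmp enable`. The ASA configuration it parses is constructed for the example and mirrors the addresses used in the thread; the interface names `outside` and `backup`, the map name `mymap`, the ACL name, the transform set and the IKE policy are assumptions, not taken from the page.

```python
"""Lint an ASA site-to-site (L2L) VPN config for dual-ISP readiness.

Added example; the configuration text below is constructed for illustration.
"""
from __future__ import annotations

import re

# Constructed main-office config: crypto map applied to both ISP interfaces
# (outside = 2.1.1.1, backup = 2.1.1.2), peering with a remote site whose
# ISP addresses are 1.1.1.1 (primary) and 1.1.1.2 (backup). It deliberately
# lacks 'crypto isakmp enable backup' and a tunnel-group for 1.1.1.2, which is
# exactly the "main office will not answer on failover" situation.
MAIN_OFFICE_BROKEN = """
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
access-list vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map mymap 30 match address vpn-acl
crypto map mymap 30 set peer 1.1.1.1 1.1.1.2
crypto map mymap 30 set transform-set ESP-AES-SHA
crypto map mymap interface outside
crypto map mymap interface backup
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
"""

# The same config with the missing pieces added: IKE answering on the backup
# interface, and a tunnel-group (with DPD) for the remote site's backup address.
MAIN_OFFICE_FIXED = MAIN_OFFICE_BROKEN + """
crypto isakmp enable backup
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ISAKMP_IF_RE = re.compile(r"^crypto isakmp enable (\S+)$")
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")


def lint_l2l_config(config: str) -> list[str]:
    """Return a list of human-readable findings; empty means the config is clean."""
    peers: dict[str, set[str]] = {}        # crypto map name -> peer addresses
    map_ifaces: dict[str, set[str]] = {}   # crypto map name -> interfaces it is applied to
    isakmp_ifaces: set[str] = set()        # interfaces with 'crypto isakmp enable'
    l2l_groups: set[str] = set()           # tunnel-groups of type ipsec-l2l
    dpd_groups: set[str] = set()           # tunnel-groups with 'isakmp keepalive'
    current_attr_group: str | None = None  # tunnel-group whose ipsec-attributes we are inside

    for raw in config.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if raw.startswith(" "):            # ASA indents sub-mode lines by one space
            if current_attr_group and line.startswith("isakmp keepalive"):
                dpd_groups.add(current_attr_group)
            continue
        current_attr_group = None          # any top-level line ends the sub-mode
        if m := PEER_RE.match(line):
            peers.setdefault(m[1], set()).update(m[3].split())
        elif m := MAP_IF_RE.match(line):
            map_ifaces.setdefault(m[1], set()).add(m[2])
        elif m := ISAKMP_IF_RE.match(line):
            isakmp_ifaces.add(m[1])
        elif m := TG_TYPE_RE.match(line):
            l2l_groups.add(m[1])
        elif m := TG_ATTR_RE.match(line):
            current_attr_group = m[1]

    findings: list[str] = []
    for name, addrs in sorted(peers.items()):
        for peer in sorted(addrs):
            if peer not in l2l_groups:
                findings.append(f"peer {peer} in crypto map {name} has no 'tunnel-group {peer} type ipsec-l2l'")
            elif peer not in dpd_groups:
                findings.append(f"tunnel-group {peer} has no 'isakmp keepalive' (DPD) configured")
        for iface in sorted(map_ifaces.get(name, ())):
            if iface not in isakmp_ifaces:
                findings.append(f"crypto map {name} is applied to {iface} but 'crypto isakmp enable {iface}' is missing")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", MAIN_OFFICE_BROKEN), ("fixed", MAIN_OFFICE_FIXED)):
        print(f"[{label}] {len(lint_l2l_config(cfg))} finding(s)")
        for finding in lint_l2l_config(cfg):
            print("  -", finding)
```

Two caveats on what the lint does and does not prove. First, an ASA that receives an L2L connection from an address with no matching tunnel-group falls back to DefaultL2LGroup, so a missing per-peer tunnel-group is only fatal when DefaultL2LGroup has no usable pre-shared key; the lint still reports it, because the advice in the thread is to configure every peer explicitly. Second, the script checks only the IKE/IPsec plumbing for two addresses per side; it does not verify that the crypto ACLs, transform sets, `sla monitor` tracking or the backup default route from the linked article are correct, so run it as a quick consistency check against `show running-config`, not as a substitute for testing the failover.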
