Cisco Support Community

New Member

VPN with backup ISP connections

I want to utilise the backup ISP features of the ASA 5505 using the article here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

I guess that at the other end I will need to create a site-to-site network based on the ASA hostname as opposed to IP addresses, so that it will accept the incoming VPN link regardless of which link it arrives on.

Is there anything else I need to be aware of?

2 REPLIES
New Member

Re: VPN with backup ISP connections

In a site-to-site VPN tunnel we never use the name of the device; it needs to be configured with the IP address of the interface.

On remote sites you need to configure both interface IP addresses as peers.

Example

crypto map mymap 30 set peer 1.1.1.1 1.1.1.2

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.2 type ipsec-l2l

Say 1.1.1.1 and 1.1.1.2 are the primary and backup interface IP addresses.

Make sure you have DPD enabled on the devices.

aarti

New Member

Re: VPN with backup ISP connections

Thank you for that.

What if there are backup connections at each site?

e.g

Remote Site - isp connections (say) 1.1.1.1 & 1.1.1.2

Main Office - 2.1.1.1 2.1.1.2

As I understand it you can set multiple peers on originate-only connections and not on answers.

So.

Set up would work

Remote Site - Using 1.1.1.1 as the ISP (primary connection) - you could set up 2.1.1.1 2.1.1.2 as the peer (as your example)

But if 1.1.1.1 goes down and it switches across to 1.1.1.2, the main office will not answer as it sees it coming from the wrong IP address. Is that correct?

So how do I get this to work so that the VPN still works if it comes from 1.1.1.1 or 1.1.1.2?
