topic Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels in Network Security

Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Youreateapot418 — Sun, 12 Jan 2025 11:39:28 GMT

Like the title says, I am looking to setup a connection to an endpoint, but, with connectivity via 2 x IKEv2 tunnels (I've only even done single tunnels).

It appears to me that if we set them up in paralell, we would run into all sorts of NAT issues etc... (all same networks and setting, just 2 independent tunnels).

Tunnels will be in primary and secondary setup (i.e. only one used at a time).

When searching documents on it, I keep getting dragged into VPN client setups, I want site to site VPN tunnels.

Also, I have been advised this can be done in tunnels groups and crypto maps, but not sure how.

Any advice or links greatly appreciated.

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

MHM Cisco World — Sun, 12 Jan 2025 11:43:29 GMT

You use VTI or policy based VPN?

MHM

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Youreateapot418 — Sun, 12 Jan 2025 11:49:45 GMT

I haven't tried anything, as I don't even know where to start.... like I mentioned, single tunnels, fine with.... two parallell, no idea?

Working in ASDM too, so not a CLI specialist on the ASA's.

Do I just setup 2x tunnels as normal and link them together with VTI or policy based VPN ?

Will have a look into those two points (never used them, again, new to ASA's, first time being asked to do anything complicated).

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

MHM Cisco World — Sun, 12 Jan 2025 11:55:33 GMT

You need to use vti in both sides

And use BGP to prefer one path than other.

That all what you need

MHM

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Youreateapot418 — Sun, 12 Jan 2025 11:57:43 GMT

Looking at VTI.... this looks interesting... we use crypto maps.

So I basically build 2 tunnels normally using VTI, then I can just static route out to whichever tunnel and weight the primary so it's primarily selected?

Apologies again, all new to me, I don't even know the relevant terminology.

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Youreateapot418 — Sun, 12 Jan 2025 12:00:56 GMT

both replying at the same time 😄

Will look at the far end peering via BGP also (they currently don't)

When you meant VTI on both sides, it that between ASA and ISP1, then ASA and ISP2... or just configure on the ASA side for both tunnels?

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

MHM Cisco World — Sun, 12 Jan 2025 12:01:43 GMT

You can use static route and weight it via one vti' but I prefer bgp it more fast and easy for failover if vti is down.

MHM

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

MHM Cisco World — Sun, 12 Jan 2025 12:02:25 GMT

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212478-configure-asa-virtual-tunnel-interfaces.html

MHM

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Rob Ingram — Sun, 12 Jan 2025 12:08:14 GMT

@Youreateapot418 the most elegant solution is to use VTI's with a routing protocol, but you can achieve the samething using crypto maps. On the spoke you define two peers, when the primary tunnel fails the ASA will failover to the secondary tunnel.

crypto map CMAP 1 set peer <primary ip> <secondary ip>

If you wish to fail back to the primary VPN tunnel when it is backup, you can use preempt. https://integrate.uk.com/asa-vpn-preempt/

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Youreateapot418 — Sun, 12 Jan 2025 12:10:54 GMT

Thank you, will look into both options!

Also, thank you for the doc link !

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

MHM Cisco World — Sun, 12 Jan 2025 12:13:08 GMT

Friend you are welcome

MHM

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Youreateapot418 — Sun, 12 Jan 2025 12:14:13 GMT

Thanks Rob, I will look into this also! I'll be kicking myself if it's as simple as building a second tunnel separately, and just adding the secondary IP into Tunnel 1's crypto map.

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Rob Ingram — Sun, 12 Jan 2025 12:24:35 GMT

@Youreateapot418 you don't build/configure a second tunnel, you add the secondary ip to the existing tunnel (on the spoke ASA). If the tunnel vis the primary goes down, it attempts to re-establish the tunnel but to the secondary IP.

You will also have the configure the routing on the DC side with the 2 ISP links, to failover routing if the primary link goes down.

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Youreateapot418 — Sun, 12 Jan 2025 12:35:46 GMT

ah!

can this tunnel have a different key also, or does it need to be the same? (there doesn't appear to be an option for this in ASDM, so probably have to do it at CLI level)

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Rob Ingram — Sun, 12 Jan 2025 12:49:18 GMT

@Youreateapot418 the DC side (the ASA with 2 ISPs) would still establish a tunnel to the same IP address of the spoke ASA (the ASA with 1 isp), so having different PSKs would not work in this scenario. Certificates are stronger if you are concerned about security.

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Youreateapot418 — Sun, 12 Jan 2025 12:58:53 GMT

That makes sense, and also makes sense as to why I don't see any further options in ASDM.

Thanks again @Rob Ingram & @MHM Cisco World ... will get onto labbing up the above solutions and see what works best with our setup.

Re: Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

ccieexpert — Sun, 12 Jan 2025 18:50:10 GMT

if you establish two crypto map sequences, the 2nd one will never get matched, as it is a first match.. like others said you can define 2 peers on the same crypto map and it will detect failure and failover. To be honest, that is a bit clunky, and i would really suggest you take the time to do a VTI based - which is route based to failover. It is not that difficult. Ping here if you need help..