topic Dual ISP with IPSecVPN in Network Security

Dual ISP with IPSecVPN

santiago.jem — Mon, 11 Mar 2019 23:44:57 GMT

Hi Experts,

I've been doing some research on how to configure an ASA with Dual ISP with IPSec Tunnel going to HQ.

Here is the outline that I think I need I may need to do.

1. Configure the Redundant Link, which led me to this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Fair enough, I was able to grasps the concept on the above link.

2. Configure VPN with HQ_ASA. This seems to be the tough part.

What I would like to do is that Primary Link (15 Mbps DSL) will form VPN Peer with HQ when it is UP (used tracking as stated above).

When the Primary Link fails Secondary Link (5 Mbps DSL) will form a New VPN Peer with HQ

On both instances, the HQ_VPN Peer will have the same IP Address.

Looking forward for your response guys.

Thank you.

Dual ISP with IPSecVPN

Julio Carvajal — Tue, 21 Aug 2012 23:19:33 GMT

Hello Jemel,

You will need to configure to crypto maps on the other site as you cannot use the same Ip address because each interface as you know its on it's own broadcast domain.

On site A configure SLA, and 2 crypto maps one on each interface

On site B configure 2 crypto map one for interface A ( the active ) and one for interface B ( The secondary )

Regards,

Julio

Dual ISP with IPSecVPN

santiago.jem — Tue, 21 Aug 2012 23:46:47 GMT

Thanks Julio.

This seems to be feasible. Do you happen to know other documentation for implementing such?

I've been actually working on 5510s just a little over 4 months and man, this is intense!

Regards,

Jemel

Dual ISP with IPSecVPN

Julio Carvajal — Wed, 22 Aug 2012 00:50:06 GMT

Hello Jemel,

Yes, I understand what you mean but no I have not seen any documents related to this but I could help if required.

Again on site A just configure the normal stuff ( 2 interfaces, the SLA stuff, create 2 crypto maps and apply one in the primary interface and the other one on the secondary)

On site B just create 2 crypto maps ( One will set the peer to be the ASA1 Primary link, The second one will be the ASA1 Secondary link) Isakmp will try to communicate to both interfaces but as only one is active only one tunnel will be generated

Let me know if I was clear enough, if not do not worry just let me know and I will be more than glad to help you

Regards,

Julio

Rate all the helpful posts

Dual ISP with IPSecVPN

santiago.jem — Wed, 22 Aug 2012 00:58:18 GMT

Thanks Julio.

This has been very helpful. I am on the right track with this.

Regards,

Jemel

Dual ISP with IPSecVPN

santiago.jem — Thu, 23 Aug 2012 09:48:30 GMT

Hi Julio,

I haven't implemented this yet, doing a little testing using gns3.

It came to me, what will happen the NAT configurations I have?

It seems that the protected networks, (siteA inside network and siteB inside network) will likely be OK.

What about the other traffic like internet traffic? How will it be NATed?

Thank you.

Regards,

Jemel

Dual ISP with IPSecVPN

Julio Carvajal — Thu, 23 Aug 2012 16:31:14 GMT

Hello,

On site A you will need to create nat for the primary and the secondary link, just in case the primary goes down.

So you will be natted to the primary as soon as it's up

Regards,

Dual ISP with IPSecVPN

juan-ruiz — Thu, 23 Aug 2012 16:43:16 GMT

Santiago,

According to your diagram HQ only has one link to the internet is this correct?

If so then you should only need one crypto map applied to the outside interface and specify two peers on the crypto map statement, peer 1 15 mbps ISP, peer 2 5 mbps ISP.

Julio, please correct me if I’m wrong or if we can configure two crypto maps to the same interface.

Thanks,

Juan

Dual ISP with IPSecVPN

Julio Carvajal — Thu, 23 Aug 2012 17:00:34 GMT

Hello Juan Ruiz,

You can only have one crypto map on each interface but each of the crypto map can have more than one entry ( so you will set 2 peers,etc)

Regards,

Julio

Dual ISP with IPSecVPN

santiago.jem — Thu, 23 Aug 2012 22:17:28 GMT

Hi Julio,

That's understood, so there will be 2 NAT entries, one for each interface whichever is active.

Hi Juan,

Yes, I came across the same scenario. It also mentioned just having to create 1 crypto map with 2 peers in it.

https://supportforums.cisco.com/thread/2060152

I'm planning to implement this though and the other as suggested by Julio.

Thanks.

Dual ISP with IPSecVPN

Julio Carvajal — Fri, 24 Aug 2012 03:25:57 GMT

Hello

Correct Santiago

Remember to rate all the helpful posts

Dual ISP with IPSecVPN

santiago.jem — Sat, 25 Aug 2012 03:58:46 GMT

I've actually tried and implemented the project but there seem to be an issue.

There was nothing that was configured on the:

Configuration > Device Setup > Routing > Static Routes

But, when I checked on the device, and tried show route there's seem to be an entry in the routing table:

ciscoasa# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is x.x.x.x to network 0.0.0.0

C a.a.a.a 255.255.255.0 is directly connected, inside

C x.x.x.x 255.255.255.248 is directly connected, outside

d* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside

ciscoasa#

May I know why is it that the new interface that I added which is PPPoE is not listed as CONNECTED?

And also, what caused the default route to be d*?

Hoping to here from you soon.

Thank you.

Dual ISP with IPSecVPN

Julio Carvajal — Sat, 25 Aug 2012 04:19:39 GMT

Hello Jemel,

If the interface is up, you should see the network directly connected.

RIght now looks like the ASA does not have the interface properly configured. if you do a sh interface ip brief what is the status of the interface?

Dual ISP with IPSecVPN

Julio Carvajal — Sat, 25 Aug 2012 17:23:15 GMT

Hello Jemel,

Are you using the protocol IKEV2 or is that your intention?

I mean looks like you are using IKEv1, I think you are referring to phase 2 (Ipsec).

The problem you are having now it's because of the configuration between both sides.

Please do the following

-Check the Diffie-Hellman group on each side

-Check that both sides has a pre-shared key configured ( On router B you need to have 2, one for each peer)

Regards,

Julio

Remember to rate all the helpful posts

Dual ISP with IPSecVPN

santiago.jem — Sun, 26 Aug 2012 22:19:45 GMT

Hi Julio,

I've checked on the DH, and both sides are on Group 2.

I will check on the pre-shared key if both sides are correct.

Thanks.

Dual ISP with IPSecVPN

NAGISWAREN2 — Mon, 27 Aug 2012 04:13:45 GMT

Hi Jemel,

I have similar setup in real world. Below is the config

in HQ

1) Under main crypto map , just add seconday IP of Branch WAN2

crypto map Outside_map 1 set peer x.x.x.x y.y.y.y

x.x.x.x = Branch Primary WAN IP
y.y.y.y = Branch Secondary WAN IP

2) Create a Tunnel-group for backup peer

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key try123
in Branch

1) Just apply crypto map to backup interface.


crypto map Outside_map interface backup_wan

Dual ISP with IPSecVPN

Julio Carvajal — Mon, 27 Aug 2012 04:37:20 GMT

Hello Jemel,

Sure.. Keep me posted

do a more system:running-config | begin tunnel-group

in order to check them on clear text.

Regards,

Julio

Rate all the helpful posts

Dual ISP with IPSecVPN

santiago.jem — Mon, 27 Aug 2012 05:50:13 GMT

Hello Waren,

Thanks! Will give this a try tomorrow.

I'm currently using 8.4 ASA so there might be a little difference.

With HQ, do I need to configure the Group Policy?

Should it also have the same Group Policy as the primary Peer?

Dual ISP with IPSecVPN

NAGISWAREN2 — Mon, 27 Aug 2012 05:54:38 GMT

Hi Jemel,

By right, there is no need to configure Group Policy, Just adding the Tunnel-group / backup peer ip will do. It will work for 8.2/8.3/8.4

Dual ISP with IPSecVPN

santiago.jem — Mon, 27 Aug 2012 06:03:30 GMT

Thanks Waren.

Hope the vpn tunnel will work after this configuration changes.

Will update you if it does.

Thank you.

Regards,

Jemel