ASA 5545 Site to site VPN - IKEv2 would it be possible to configure primary and secondary peers?

Hi

We have a requirement to set up a s2s VPN tunnel with a third party. Our firewall is an ASA 5545 and they use Forcepoint. They have a primary peer and a secondary peer, and they want us to use IKEv2 and configure it policy-based rather than route-based. Would it be possible to have a primary and secondary peer in an IKEv2 policy-based configuration?


TIA


Re: ASA 5545 Site to site VPN - IKEv2 would it be possible to configure primary and secondary peers?

Yes, it certainly is.

You simply specify all the peers in your crypto map, then create a tunnel-group for each peer:


ASA(config)# crypto map CRYPTO-MAP 1 set peer 1.1.1.1 2.2.2.2 3.3.3.3

ASA(config)# tunnel-group 1.1.1.1 type ipsec-l2l
ASA(config)# tunnel-group 1.1.1.1 ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key 1234567890

ASA(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ASA(config)# tunnel-group 2.2.2.2 ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key 1234567890

ASA(config)# tunnel-group 3.3.3.3 type ipsec-l2l
ASA(config)# tunnel-group 3.3.3.3 ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key 1234567890

Please rate if helpful :D

Re: ASA 5545 Site to site VPN - IKEv2 would it be possible to configure primary and secondary peers?

The suggested config looks more like IKEv1 than IKEv2 as asked by the original poster. But I believe that the suggested approach of specifying multiple peer addresses in the crypto map, and configuring multiple tunnels would work for IKEv2 as well as for IKEv1.

 

HTH

 

Rick
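
The IKEv2 form of the configuration discussed in this thread, as an added example that is not part of either reply. The peer addresses 1.1.1.1 and 2.2.2.2 come from the thread; the interface name, ACL, networks, proposal name, cipher choices and key placeholders are assumptions that must be matched to what the third party configures, and the ASA software release is assumed to accept more than one peer on an IKEv2 crypto map entry.

```cisco
! Added example. Peer addresses 1.1.1.1 / 2.2.2.2 are from the thread;
! interface name, ACL, networks, proposal names and keys are constructed.

! IKEv2 policy (IKE SA parameters) and IKEv2 enabled on the outside interface
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IPsec proposal (child SA parameters)
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Policy-based VPN: the crypto ACL defines the protected traffic
access-list VPN-ACL extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0

! One crypto map entry; primary peer listed first, secondary second
crypto map CRYPTO-MAP 1 match address VPN-ACL
crypto map CRYPTO-MAP 1 set peer 1.1.1.1 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal ESP-AES256-SHA256
crypto map CRYPTO-MAP interface outside

! One tunnel-group per peer. IKEv2 configures local and remote
! authentication separately, unlike the single IKEv1 pre-shared-key line.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-FOR-PEER-1>
 ikev2 local-authentication pre-shared-key <PSK-FOR-PEER-1>
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-FOR-PEER-2>
 ikev2 local-authentication pre-shared-key <PSK-FOR-PEER-2>

! Check which peer the tunnel is actually built to:
! show crypto ikev2 sa
! show crypto ipsec sa peer 1.1.1.1
```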