08-06-2019 07:49 AM - edited 02-21-2020 09:22 AM
Hi
We have a requirement to set up an s2s VPN tunnel with a third party. Our firewall is an ASA 5545 and they use Forcepoint. They have a primary peer and a secondary peer, and they want us to use IKEv2 and configure it policy based rather than route based. Would it be possible to have a primary and a secondary peer in an IKEv2 policy-based configuration?
TIA
08-09-2019 07:57 AM
Yes, it certainly is.
You simply specify all the peers in your crypto map:
Then create a tunnel-group for each peer:
! One crypto map entry lists every peer; the ASA tries them in the order given
ASA(config)# crypto map CRYPTO-MAP 1 set peer 1.1.1.1 2.2.2.2 3.3.3.3
! A tunnel-group per peer address carries that peer's authentication settings
ASA(config)# tunnel-group 1.1.1.1 type ipsec-l2l
ASA(config)# tunnel-group 1.1.1.1 ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key 1234567890
ASA(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ASA(config)# tunnel-group 2.2.2.2 ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key 1234567890
ASA(config)# tunnel-group 3.3.3.3 type ipsec-l2l
ASA(config)# tunnel-group 3.3.3.3 ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key 1234567890
Please rate if helpful :D
08-09-2019 10:02 AM
The suggested config looks more like IKEv1 than IKEv2 as asked by the original poster. But I believe that the suggested approach of specifying multiple peer addresses in the crypto map, and configuring multiple tunnels would work for IKEv2 as well as for IKEv1.
HTH
Rick
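The two replies above describe the approach (one crypto map entry with several peers, one tunnel-group per peer) but the posted commands use the IKEv1-style pre-shared-key form. The following is an added, constructed example that is not from either poster: a complete IKEv2 policy-based site-to-site configuration for an ASA with a primary and a secondary partner peer. All addresses (203.0.113.x and 198.51.100.x are documentation ranges), object names, map names, proposal names and the PSK placeholder are assumed values chosen for the illustration; replace them with your own.

```cisco
! --- IKEv2 (phase 1) policy and enabling IKEv2 on the outside interface ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! --- IPsec (phase 2) proposal used by the crypto map ---
crypto ipsec ikev2 ipsec-proposal PROP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! --- Interesting traffic: local 10.10.0.0/16 to partner 192.168.50.0/24 (assumed) ---
object network LOCAL-NET
 subnet 10.10.0.0 255.255.0.0
object network PARTNER-NET
 subnet 192.168.50.0 255.255.255.0
access-list VPN-PARTNER extended permit ip object LOCAL-NET object PARTNER-NET

! --- NAT exemption so tunnel traffic is not translated ---
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static PARTNER-NET PARTNER-NET no-proxy-arp route-lookup

! --- Crypto map: primary peer first, secondary second. The ASA contacts the
! --- primary and moves to the secondary only when the primary stops responding.
crypto map OUTSIDE-MAP 10 match address VPN-PARTNER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10 203.0.113.20
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal PROP-AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside

! --- One tunnel-group per peer; IKEv2 uses separate local/remote PSK statements
! --- (the bare "pre-shared-key" command applies to IKEv1). Both peers typically
! --- share the same partner-issued key, but they can differ.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PARTNER-PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PARTNER-PSK-PLACEHOLDER>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PARTNER-PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PARTNER-PSK-PLACEHOLDER>

! --- Verification: confirm which peer the SA is built with ---
! show crypto ikev2 sa
! show crypto ipsec sa peer 203.0.113.10
! show crypto ipsec sa peer 203.0.113.20
```

Two practical points when checking this on a live box: `show crypto ikev2 sa` shows the remote address of the peer actually negotiated, which is how you confirm failover to the secondary happened rather than assuming it; and the partner side must accept your ASA's outside address as a valid peer on both of its gateways, with the same proxy identities (the ACL networks above), or the secondary tunnel will fail in phase 2 even though IKEv2 succeeds.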