cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1842
Views
0
Helpful
4
Replies

ASA IKEv2 VPN configuration - remote office to branch HQ with multihomed links?

mrjdh
Level 1
Level 1

How do I go about configuring the crypto map for an IKEv2 VPN, on a remote office, which connects back to an ASA behind an edge router with 3 multihomed links?

I've read lots saying that each of the 3 addresses could be added to the 'set peer' command, but this doesn't seem to be possible for IKEv2 VPNs?

 

Also, what is the behaviour in the VPN being established when one of the 3 outbound links on the edge router fails? On the edge router, there are 3 static default routes configured, with AD preferences, which are then monitored with IP SLAs and tracking objects. My NAT statements on the edge router use route maps, and so NAT redundancy is catered for regardless of which outbound link is being used.

 

My question is, how does this affect the VPN?

1 Accepted Solution

Accepted Solutions

bhargavdesai
Spotlight
Spotlight
As you mentioned IKEv2 does not allow multiple peer. Bug reference https://tools.cisco.com/bugsearch/bug/CSCud22276
I am not sure it is till been resolved.

I would suggest you to use VTI based (Route based) configuration (if supported by your ASA version) if you want to use IKEv2 with Multiple links. Ref. https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf


HTH
### RATE ALL HELPFUL RESPONSES ###

View solution in original post

4 Replies 4

bhargavdesai
Spotlight
Spotlight
As you mentioned IKEv2 does not allow multiple peer. Bug reference https://tools.cisco.com/bugsearch/bug/CSCud22276
I am not sure it is till been resolved.

I would suggest you to use VTI based (Route based) configuration (if supported by your ASA version) if you want to use IKEv2 with Multiple links. Ref. https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf


HTH
### RATE ALL HELPFUL RESPONSES ###

Hi Bhargavdesai,

 

Thank you for the reply. I had no idea it was possible to use VTI with an ASA, I only thought it was available for routers.

 

I'm using ASAv in GNS3 - before I get chance to try, do you know if it's supported?

 

Thanks again.

What version of ASAv you are using? GNS3 will support VTI based VPN setup.
I think starting from version 9.7 or may be 9.8 support VTI configuration.

I am still waiting for your response on earlier VPN query. Pulling hair out - ASA S2S IPSec VPN behind NAT router.

Even I am learning on virtual platform but I am using EVE-NG against GNS3. I would love to collaborate and contribute with you on your different setup and scenarios.


HTH
### RATE ALL HELPFUL RESPONSES ###

The VTI setup has worked without issue! Thank you very much for your help.
Review Cisco Networking for a $25 gift card