Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1841
Views
0
Helpful
4
Replies

ASA IKEv2 VPN configuration - remote office to branch HQ with multihomed links?

Go to solution
mrjdh
Level 1
Level 1

‎10-06-2019 01:41 PM - edited ‎02-21-2020 09:33 AM

How do I go about configuring the crypto map for an IKEv2 VPN, on a remote office, which connects back to an ASA behind an edge router with 3 multihomed links?

I've read lots saying that each of the 3 addresses could be added to the 'set peer' command, but this doesn't seem to be possible for IKEv2 VPNs?

 

Also, what is the behaviour in the VPN being established when one of the 3 outbound links on the edge router fails? On the edge router, there are 3 static default routes configured, with AD preferences, which are then monitored with IP SLAs and tracking objects. My NAT statements on the edge router use route maps, and so NAT redundancy is catered for regardless of which outbound link is being used.

 

My question is, how does this affect the VPN?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
bhargavdesai
Spotlight
Spotlight

‎10-07-2019 12:09 AM

As you mentioned IKEv2 does not allow multiple peer. Bug reference https://tools.cisco.com/bugsearch/bug/CSCud22276
I am not sure it is till been resolved.

I would suggest you to use VTI based (Route based) configuration (if supported by your ASA version) if you want to use IKEv2 with Multiple links. Ref. https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf


HTH
### RATE ALL HELPFUL RESPONSES ###

View solution in original post

0 Helpful
4 Replies 4

Go to solution
bhargavdesai
Spotlight
Spotlight

‎10-07-2019 12:09 AM

As you mentioned IKEv2 does not allow multiple peer. Bug reference https://tools.cisco.com/bugsearch/bug/CSCud22276
I am not sure it is till been resolved.

I would suggest you to use VTI based (Route based) configuration (if supported by your ASA version) if you want to use IKEv2 with Multiple links. Ref. https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf


HTH
### RATE ALL HELPFUL RESPONSES ###
0 Helpful

Go to solution
mrjdh
Level 1
Level 1
In response to bhargavdesai

‎10-07-2019 05:55 AM

Hi Bhargavdesai,

 

Thank you for the reply. I had no idea it was possible to use VTI with an ASA, I only thought it was available for routers.

 

I'm using ASAv in GNS3 - before I get chance to try, do you know if it's supported?

 

Thanks again.

0 Helpful

Go to solution
bhargavdesai
Spotlight
Spotlight
In response to mrjdh

‎10-07-2019 07:20 AM

What version of ASAv you are using? GNS3 will support VTI based VPN setup.
I think starting from version 9.7 or may be 9.8 support VTI configuration.

I am still waiting for your response on earlier VPN query. Pulling hair out - ASA S2S IPSec VPN behind NAT router.

Even I am learning on virtual platform but I am using EVE-NG against GNS3. I would love to collaborate and contribute with you on your different setup and scenarios.


HTH
### RATE ALL HELPFUL RESPONSES ###

0 Helpful

Go to solution
mrjdh
Level 1
Level 1
In response to bhargavdesai

‎10-07-2019 02:40 PM

The VTI setup has worked without issue! Thank you very much for your help.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card