cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

303
Views
5
Helpful
2
Replies
Highlighted
Beginner

Site-to-Site VPN as secondary route

Hi everyone,

 

I need to set up a site-to-site VPN between Main and Branch Office.

These sites have a Lan-to-Lan, so the new vpn will be a backup.

 

I already created the cli code, but how to set it as secondary? Is there a way to configure metric?

 

Thanks

 

Everyone's tags (4)
2 REPLIES 2
Highlighted
Hall of Fame Guru

Re: Site-to-Site VPN as secondary route

Is the existing "Lan-to-Lan" a VPN connection?

 

If so, and it's using IKEv1 IPsec, all you need is to define both the primary (x.x.x.x) backup peer (y.y.y.y) - e.g.: "set peer x.x.x.x y.y.y.y" to fall back to the second peer. 

 

If your needs aren't met by that, there is a more complex method described here:

 

https://learningnetwork.cisco.com/blogs/vip-perspectives/2018/07/27/cisco-asa-site-to-site-vpn-failover

Highlighted
Beginner

Re: Site-to-Site VPN as secondary route

Tks for reply.

Lan to Lan is a layer 2 network between both sites.

 

The configuration of each Firewall is bellow: (changed IPs for security reasons)

 

ASA1:
!
interface GigabitEthernet1/1
nameif outside
security-level 0
pppoe client vpdn group DIALLER_MAIN
pppoe client route track 1
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif outside-1
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 
!
route outside-1 192.168.2.0 255.255.255.0 10.10.10.2 1


ASA2:
!
interface GigabitEthernet1/1
nameif outside
security-level 0
pppoe client vpdn group DIALLER_BRANCH
pppoe client route track 1
ip address pppoe setroute 
!
interface GigabitEthernet1/2
nameif outside-1
security-level 100
ip address 10.10.10.2 255.255.255.0 
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0 
!
route outside-1 192.168.1.0 255.255.255.0 10.10.10.1 1

 

ASA1 (COMMAND CREATED FOR IPSEC):
!
object network 192.168.2.0-remote_network
subnet 192.168.2.0 255.255.255.0
object network 192.168.1.0-inside_network
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static 192.168.1.0-inside_network 192.168.1.0-inside_network
destination static 192.168.2.0-remote_network 192.168.2.0-remote_network 
no-proxy-arp route-lookup
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *Password*
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400 
crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac 
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside 
crypto ikev1 enable outside

 

ASA2 (COMMAND CREATED FOR IPSEC):
!
object network 192.168.1.0-remote_network
subnet 192.168.1.0 255.255.255.0
object network 192.168.2.0-inside_network
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static 192.168.2.0-inside_network 192.168.2.0-inside_network
destination static 192.168.1.0-remote_network 192.168.1.0-remote_network 
no-proxy-arp route-lookup
tunnel-group 172.16.2.1 type ipsec-l2l
tunnel-group 172.16.2.1 ipsec-attributes
ikev1 pre-shared-key *Password*
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list outside_cryptomap extended permit ip object 192.168.2.0-inside_network object 192.168.1.0-remote_network 
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 172.16.2.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA 
crypto map outside_map interface outside 
crypto ikev1 enable outside