01-22-2019 11:40 AM - edited 03-12-2019 04:19 AM
Hi everyone,
I need to set up a site-to-site VPN between the Main and Branch Office.
These sites already have a Lan-to-Lan, so the new VPN will be a backup.
I already created the CLI code, but how do I set it as secondary? Is there a way to configure a metric?
Thanks
01-23-2019 02:40 AM - edited 01-23-2019 02:42 AM
Is the existing "Lan-to-Lan" a VPN connection?
If so, and it's using IKEv1 IPsec, all you need is to define both the primary (x.x.x.x) and backup peer (y.y.y.y), e.g. "set peer x.x.x.x y.y.y.y", to fall back to the second peer.
If your needs aren't met by that, there is a more complex method described here:
01-23-2019 05:25 AM
Thanks for the reply.
Lan-to-Lan is a layer 2 network between both sites.
The configuration of each firewall is below (IPs changed for security reasons):
ASA1:
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group DIALLER_MAIN
 pppoe client route track 1
 ip address pppoe setroute
!
interface GigabitEthernet1/2
 nameif outside-1
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route outside-1 192.168.2.0 255.255.255.0 10.10.10.2 1
ASA2:
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group DIALLER_BRANCH
 pppoe client route track 1
 ip address pppoe setroute
!
interface GigabitEthernet1/2
 nameif outside-1
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
route outside-1 192.168.1.0 255.255.255.0 10.10.10.1 1
ASA1 (COMMAND CREATED FOR IPSEC):
!
object network 192.168.2.0-remote_network
 subnet 192.168.2.0 255.255.255.0
object network 192.168.1.0-inside_network
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static 192.168.1.0-inside_network 192.168.1.0-inside_network destination static 192.168.2.0-remote_network 192.168.2.0-remote_network no-proxy-arp route-lookup
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *Password*
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac
! Dynamic map entry referenced by the 65535 line below; added here because it was
! missing from the posted commands. Without it the dynamic entry carries no
! transform-set and the branch (dynamic PPPoE address) cannot negotiate an SA.
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set tset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
ASA2 (COMMAND CREATED FOR IPSEC):
!
object network 192.168.1.0-remote_network
 subnet 192.168.1.0 255.255.255.0
object network 192.168.2.0-inside_network
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static 192.168.2.0-inside_network 192.168.2.0-inside_network destination static 192.168.1.0-remote_network 192.168.1.0-remote_network no-proxy-arp route-lookup
tunnel-group 172.16.2.1 type ipsec-l2l
tunnel-group 172.16.2.1 ipsec-attributes
 ikev1 pre-shared-key *Password*
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list outside_cryptomap extended permit ip object 192.168.2.0-inside_network object 192.168.1.0-remote_network
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 172.16.2.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
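On the metric question, against the routes actually posted: the ASA has no "VPN metric" as such, but the Lan-to-Lan static route can be tied to a reachability track so it is withdrawn when the 10.10.10.2 next hop stops answering; 192.168.2.0/24 then follows the PPPoE default route on outside, where the crypto map picks it up. This is an added example for ASA1, not part of the thread; the sla monitor and track ids (2, since track 1 is already taken by the PPPoE route) and the 10-second probe interval are assumptions.

```cisco
! Added example (not from the thread): make the Lan-to-Lan route on ASA1
! conditional on reachability of the ASA2 side, so the IPsec tunnel over
! "outside" becomes the backup path. sla/track id 2 is assumed; track 1 is
! already used by "pppoe client route track 1".
sla monitor 2
 type echo protocol ipIcmpEcho 10.10.10.2 interface outside-1
 frequency 10
sla monitor schedule 2 life forever start-time now
!
track 2 rtr 2 reachability
!
! Same route as posted, now removed from the table while track 2 is down.
route outside-1 192.168.2.0 255.255.255.0 10.10.10.2 1 track 2
!
! With the tracked route gone, 192.168.2.0/24 follows the PPPoE default route
! on "outside" and the IPsec SA carries it; the Lan-to-Lan route (and the
! preference for it) returns as soon as 10.10.10.2 answers the probe again.
```

ASA2 needs the mirror image (probe 10.10.10.1 on outside-1, tracked route to 192.168.1.0/24), and because ASA1 only holds a dynamic crypto map, the tunnel has to be initiated from ASA2's side before ASA1 can send anything into it.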