Re: How can I redundant IPSEC VPN?

JUNHOLEE95720 · ‎10-20-2019

I'm using the ASA 5516.

ASA and ASA are connected on a dedicated line, and two lines in different bands are connected to the ASA interface.

I would like to use IPSEC VPN and will use IKE V2.

What I'm curious about here is that if Line 1 loses its VPN connection, I'd like to automatically enable Line 2's VPN connection

What else do I need to allocate two Peer IPs?

Do I need additional ACL or Routing settings?
Tell me what you need to be able to be a failover naturally. I beg you.

Thanks

Deepak Kumar · ‎10-20-2019

Hi,

Here is a good configuration example:

http://www.techspacekh.com/configuring-fail-over-ipsec-site-to-site-vpn-with-dual-wan-links-and-ip-sla-on-cisco-asa-firewall-9-x/

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Afolarin Omole · ‎10-21-2019

Hello ,

Can you let us know if the 2 ASA is in HA mode or they are not . I have asked this because there is different ways to address these two type of setup .

In HA mode , you can control IPSEC VPN via the crypto-map command , just by stating the redundant ip address after the first preferred peer : ( Crypto-map ABC peer a.a.a.a b.b.b.b where a is the first peer and b the second standby ASA ).
If they are not in HA mode , it is what influence this via tracking , and once connectivity is lost the second link will start negotiating ( there is downtime to be consider in this case)

Whilst considering the downtime in place on the second set up, it's worth to know that in HA mode , standby peer as already finished it own negotiation but the only clause is traffic is not passing through the tunnel until the active peer deny traffic in down state.

Let me know if this help your understanding.