cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
760
Views
0
Helpful
7
Replies

Multiple Site to site VPNs with same intersting traffic (HA vpn)

bobbythomas
Level 1
Level 1

Hi All, I am trying to setup two site to site vpn to 2 ASA's from a common single router such that the ASA's represent different branches. But what I want to accomplish is to setup a vpn to both these branch asa's from a router such that the interesting traffic is same for both, ie, I want to know how I can set up this tunnel using sla monitor such that when one ISP goes down the router or ASA establish the tunnel automatically to the other vpn peer. When I tried configuring multiple vpn peers in crypto map, vpn is only being established to the first one in the peer list. Is it possible to implement this vpn HA solution? Tried searching for similar setup but couldn't find one. Appreciate your suggestions. Regards, Bobby

7 Replies 7

Hi,

you are going to right direction, " vpn is only being established to the first one in the peer list." when it is not available, the second will work.

one option is available on router side:

use Loopback address of router as peer address on ASA but this ip should be route-able on ISP. Using this command:

Crypto map MYMAP local-address loopback 0  10 ipsec-isakmp

"HTH"

Hi Kazim,

Appreciate your response. I have added the topology diagram. What I am trying to achieve is a backup vpn. Consider R6 as an ISP cloud, I have already setup a VPN between ASA1 and R1, but I want to create a standby VPN to ASA3 from R1 in the instance ASA1 link to R1 fails. I have configured SLA route tracking to route through ASA3 in case of a link failure. But I am not able to bring up the second tunnel as router is not initiating the vpn tunnel to the ASA3 even though its been added in the vpn peer list (as the second peer), but even when the link is down it is only trying to establish vpn to the first peer in the list. I want to know how I can do this using the current setup, by the by vpn access-list (interesting traffic) is the traffic from R1 loopback interfaces (lo10 and lo20) to R5 loopback interface (lo30 and lo40), ie, 10.10.10.1/20.20.20.1 to 30.30.30.1/40.40.40.1 and vice versa. Assigning a public IP to a loopback interface is not an option. Any other suggestions?

Thank you,

Bobby

Hi,

please send initial config for this setup, specially vpn

regards,

kazim

Hi Kazim and Marius,

 

Thank you guys for your suggestion, I got it working. I will provide the config if anyone needs.

 

Regards,

Bobby Thomas.

Hi bobby,

 

please send your config, i am curious about it, how it works?

Regards,

kazim

Kazim,

I am uploading the config. The only changes are that the R2 in the config stands for the R6 in the topology diagram and ASA2 as for ASA3 in topology.

Regards,

Bobby.

this will be quite tricky...unless you have the ASAs in a Active/Standby failover setup.  some creative IP SLA tracking config will be needed on both R1 and R5, and routing will need to be taken into account because if you have two default routes on R5 you need to ensure that the tracking ICMP traffic selects the correct path and not loadbalances over the two links.

Any chance you can set up the ASAs in active/standby failover?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: