Setting up redundant IPsec tunnels between ASAs

Tats0611 (Level 1)

Hello everyone,

I am pretty new to the network world and I would like to get some help.

 

I would like to set up redundant IPsec tunnels between the HQ and the branch office.

Both sites have an ASA, and HQ has 2 outside interfaces that connect to ISP1 and ISP2.

The branch office will have one interface that connects to ISP3.

The scenario I am thinking of is that when HQ's primary connection fails, HQ's secondary connection and the branch office will establish the IPsec tunnel.

 

HQ ASA config

This is the config for the primary interface:

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 76.1.1.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside

 

This is for the secondary interface:
crypto map outside-backup_map 1 match address outside_1_cryptomap
crypto map outside-backup_map 1 set pfs group5
crypto map outside-backup_map 1 set peer 76.1.1.2
crypto map outside-backup_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside-backup_map 1 set security-association lifetime seconds 3600
crypto map outside-backup_map interface outside-backup

 

crypto ikev1 enable outside-backup
crypto ikev1 enable outside
crypto ikev1 policy 10

 

tunnel-group 76.1.1.2 type ipsec-l2l
tunnel-group 76.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****

 

 

Branch office config

This config is for the primary interface of the HQ ASA:

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 62.1.1.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600

 

This config is for the secondary interface of the HQ ASA:

crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 28.1.1.2
crypto map outside_map 2 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 2 set security-association lifetime seconds 3600

 

tunnel-group 62.1.1.2 type ipsec-l2l
tunnel-group 62.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****

 

tunnel-group 28.1.1.2 type ipsec-l2l
tunnel-group 28.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****

 

It seems that establishing the phase 2 tunnel fails because the primary crypto map entry always matches the traffic from inside the branch office, even though the HQ primary interface is down.

 

This is the debug message when initiating traffic from inside the branch office:

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.81.30.51, sport=56208, daddr=10.1.20.51, dport=56208
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.

 

Are there any ways to skip the first crypto map entry so the branch office will use the second entry to establish the phase 2 tunnel with the secondary interface of the HQ ASA?

 

 

1 Accepted Solution (Rick's reply below)

6 Replies

fabiani (Level 1)

In the branch you need to configure only one tunnel, with a backup peer.

In the headquarters you need to use routes to the branch through the primary interface with tracking, and through the backup interface with a worse metric.

Hi Fabiani,

 

Thanks for your comment.

 

The branch ASA has only 1 outside interface.

If I configure only one tunnel with the backup peer, HQ's primary outside interface will never be used.

For the routing, I will set up SLA and tracking for failover.

 

The solution for this is that the remote has a single crypto map entry. That crypto map entry will have both head-end addresses in the set peer statement. Using this, the remote will negotiate the VPN with the first (primary) HQ ISP and bring up the VPN. If there is a failure of that VPN, then the remote will negotiate with the second HQ ISP and bring up the backup VPN.

HTH

Rick
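The following configuration is an added example written for this thread; it is not the poster's config and not Rick's. It puts Rick's answer (one crypto map entry at the branch, two peers in `set peer`) next to the HQ side that fabiani described (two crypto maps, route tracking). The peer addresses (62.1.1.2, 28.1.1.2, 76.1.1.2), interface names and transform-set name come from the thread; the protected subnets (10.81.30.0/24 and 10.1.20.0/24, taken from the debug 5-tuple), the ISP gateway addresses 62.1.1.1 and 28.1.1.1, the SLA/track numbers and the keepalive timers are assumptions. Two things the original HQ config did not satisfy are called out in comments: a single branch entry carries one PFS setting and one lifetime, so both HQ entries must match it (the original primary entry had no `set pfs` while the backup entry had `group5`), and the branch needs IKE keepalives to notice that the primary peer is dead before it will try the second one.

```cisco
!---------------------------------------------------------------
! Branch ASA (single outside interface, 76.1.1.2 toward ISP3)
! Example config, not the poster's. Subnets and timers are assumed.
!---------------------------------------------------------------
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Assumed interesting traffic, derived from the 10.81.30.x -> 10.1.20.x debug line
access-list outside_1_cryptomap extended permit ip 10.81.30.0 255.255.255.0 10.1.20.0 255.255.255.0

! ONE entry, TWO peers. crypto_map_check is first-match on the ACL, so a
! second entry with the same ACL is never reached; peer fallback has to
! live inside the single entry instead.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 62.1.1.2 28.1.1.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside

! One tunnel-group per HQ peer; keepalives (assumed values) let the branch
! declare 62.1.1.2 dead and move on to 28.1.1.2. Use distinct, strong PSKs.
tunnel-group 62.1.1.2 type ipsec-l2l
tunnel-group 62.1.1.2 ipsec-attributes
 ikev1 pre-shared-key <primary-psk>
 isakmp keepalive threshold 10 retry 2
tunnel-group 28.1.1.2 type ipsec-l2l
tunnel-group 28.1.1.2 ipsec-attributes
 ikev1 pre-shared-key <backup-psk>
 isakmp keepalive threshold 10 retry 2

!---------------------------------------------------------------
! HQ ASA (outside = ISP1 62.1.1.2, outside-backup = ISP2 28.1.1.2)
! Example config, not the poster's. Gateway addresses are assumed.
!---------------------------------------------------------------
crypto ikev1 enable outside
crypto ikev1 enable outside-backup

access-list outside_1_cryptomap extended permit ip 10.1.20.0 255.255.255.0 10.81.30.0 255.255.255.0

! Both HQ entries must carry the SAME transform-set, PFS group and lifetime,
! because the branch now has a single entry that can hold only one of each.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 76.1.1.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside

crypto map outside-backup_map 1 match address outside_1_cryptomap
crypto map outside-backup_map 1 set peer 76.1.1.2
crypto map outside-backup_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside-backup_map 1 set pfs group5
crypto map outside-backup_map 1 set security-association lifetime seconds 3600
crypto map outside-backup_map interface outside-backup

tunnel-group 76.1.1.2 type ipsec-l2l
tunnel-group 76.1.1.2 ipsec-attributes
 ikev1 pre-shared-key <branch-psk>
 isakmp keepalive threshold 10 retry 2

! Route tracking: ping the ISP1 gateway (assumed 62.1.1.1); when it fails,
! the tracked default route is withdrawn and the ISP2 route (metric 254)
! takes over, so HQ-originated traffic and IKE go out outside-backup.
sla monitor 10
 type echo protocol ipIcmpEcho 62.1.1.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 62.1.1.1 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 28.1.1.1 254
```

To check failover, bring up the tunnel, then shut the HQ `outside` interface (or unplug ISP1) and watch `show crypto ikev1 sa` and `show crypto ipsec sa` on the branch: after the keepalive threshold expires, the peer shown should change from 62.1.1.2 to 28.1.1.2, and `show track 1` on HQ should report the route as down. Note that the branch only knows the `set peer` order, not which ISP is healthy, so after ISP1 recovers the tunnel stays on 28.1.1.2 until it is cleared or times out.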

Thanks Richard,

 

I will try what you suggested and come back to you.

 

Regards,

Tats

Thanks Richard,

 

Your suggestion works perfectly between ASAs.

I hope Meraki can do the same on a remote site as I need to set up failover between Meraki(Remote site) and ASA(HQ).

 

Best regards,

Tats

Tats,

 

Thanks for the update letting us know that you have it working now. I am glad that my suggestion pointed you in the right direction. I am not an expert on Meraki, but I hope that it would support a similar solution. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

Rick