Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1571
Views
0
Helpful
3
Replies

ASA-2-ASA Dual ISP ikev2 possibility

Go to solution
mgommel
Level 1
Level 1

‎06-27-2018 04:47 AM - edited ‎03-12-2019 05:24 AM

Hi everyone,

 

I wanted to post a question to community in search for assistance/feedback on the possibility of setting up dual VPNs between 2 ASAs while using IKEv2.  I've read that it can work using VTI AND that all ISPs are using static IPs.  Is this true?  My situation is that we will be placing dual ISPs at our Hub (ISP1 is a shared internet connection not only used for the VPN to the Spoke; while ISP2 will ONLY be used as a backup connection to the Spoke - no other traffic will go across this connection).  My HUB firewall is a Cisco ASA 5525 running version 9.9(1) and my Spoke will be a Cisco ASA 5506-X running 9.9(2).

 

In summary, what we'd like to do is from the HUB, have ISP 1 be the primary, and ISP 2 as the dedicated backup to the Spoke.  On the Spoke side, have ISP 3 be the primary and ISP 4 as the backup.

 

Has anyone been able to setup the pictured scenario (attached) using IKEv2, or am I only able to use IKEv1?  I would like to stay away from using the DefaultL2LGroup if at all possible.  Thanks for any help/guidance!

Labels:
Preview file
38 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Pawan Raut
Level 4
Level 4

‎06-27-2018 08:21 PM

This scenario can be possible but you have to make sure that you should have auto failover mechanism from primary to secondary when primary ISP is down at any location.

 

Please let me know if you need any more help like configuration assistance and if you want to test it in Lab. I am happy to do that.

 

Kindly rate for useful post

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Pawan Raut
Level 4
Level 4

‎06-27-2018 08:21 PM

This scenario can be possible but you have to make sure that you should have auto failover mechanism from primary to secondary when primary ISP is down at any location.

 

Please let me know if you need any more help like configuration assistance and if you want to test it in Lab. I am happy to do that.

 

Kindly rate for useful post

0 Helpful

Go to solution
mgommel
Level 1
Level 1
In response to Pawan Raut

‎06-29-2018 05:53 AM

Hi Pawan,

 

Thanks for the offer.  I did a lot of convincing to upper management to use Static IP addressing, so this is no longer a concern for me as I know it can be done without issue using Static IPs.  Thanks again!

0 Helpful

Go to solution
twc-admin
Level 1
Level 1
In response to Pawan Raut

‎08-16-2019 10:47 AM

Do you know what the configuration looks like from an ASA/FTD standpoint?  I'm very familiar with setting up s2s vpn using ikev1, but we are moving to ikev2 for the additional security/performance aspects of it.  All of our sites have dual ISPs.  With Ikev1 you have the ability to add secondary IP directly into the crypto map set peer.  

My first thought would be for IKEv2 that you just need to create two separate crypto maps, crypto map 1 pointing to the peers primary ISP and crypto map 2 pointing to the peers secondary ISP.  Have you done this and is this how its accomplished?

0 Helpful
Customers Also Viewed These Support Documents