Cisco Community
English
Register
Community will be in Read-only Mode (you will not be able to login) from April 11 at 11:00 PM PT to Monday April 12 at 9:00 PM PT - READ DETAILS HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1473
Views
5
Helpful
5
Replies
Jaro
Beginner
Beginner
‎06-06-2019 05:26 AM
‎06-06-2019 05:26 AM

Backup IPsec Tunnel

Hi All, 

 

our customer have a two IP providers with different Public IPs, on our site there is only one public IP address.

We have already configured one IPSec S2S VPN with 1st Provider.

 

Question is if is possible to configure second IPSec S2S backup VPN connection with 2nd Provider to different public IP with same encryption domains.

 

I have already found some article regarding backup L2L feature, but it can be used for two ASAs only, but on our customer site there is some basic device from another vendor.

 

Thank you

Labels:
1 person had this problem
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Pablo
Cisco Employee
Cisco Employee
‎06-07-2019 04:41 PM
‎06-07-2019 04:41 PM

Yes that's possible, the peer is added as a backup peer on the crypto map:

  • Create a new tunnel-group with the IP for your customer's 2n provider, configure the PSK or set the RSA cert.
  • Add the second public IP right next to the existing peer "crypto map <name> # set peer <ISP1> <ISP2>".

*The tunnel will be active only with one of the 'peers' at a time, DPD is used to track peer aliveness.

HTH.

Pablo

View solution in original post

5 REPLIES 5
balaji.bandi
VIP Expert VIP Expert
VIP Expert
‎06-06-2019 05:38 AM
‎06-06-2019 05:38 AM

Not that aware of this solution possible at this stage. how is 2 ISP provider terminating connection to you ?



BB


*** Rate All Helpful Responses ***

0 Helpful
Pablo
Cisco Employee
Cisco Employee
‎06-07-2019 04:41 PM
‎06-07-2019 04:41 PM

Yes that's possible, the peer is added as a backup peer on the crypto map:

  • Create a new tunnel-group with the IP for your customer's 2n provider, configure the PSK or set the RSA cert.
  • Add the second public IP right next to the existing peer "crypto map <name> # set peer <ISP1> <ISP2>".

*The tunnel will be active only with one of the 'peers' at a time, DPD is used to track peer aliveness.

HTH.

Pablo

View solution in original post

Jaro
Beginner
Beginner
In response to Pablo
‎06-12-2019 02:36 AM
‎06-12-2019 02:36 AM

Hi Pablo,

 

Thanks for answer, I have already configured it, but I did not test it so, when I will test it I will let you know, if it works properly.

 

Thank you

0 Helpful
Jaro
Beginner
Beginner
In response to Pablo
‎07-24-2019 12:51 AM
‎07-24-2019 12:51 AM

Hi Pablo,

 

thanks for help, do you maybe have som article, because I have already checked it, and it works, but I do not know how it works after swithch to backup peer and back to primary peer.

 

Thank you

0 Helpful
Pablo
Cisco Employee
Cisco Employee
In response to Jaro
‎07-24-2019 11:03 AM
‎07-24-2019 11:03 AM

Hi Jaro,

DPD is the one doing the trick on your side.

Here you can find more information about this feature, it's based on IOS but it's the same logic for the ASA:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4/sec-ipsec-data-plane-12-4-book/sec-ipsec-dead-peer.html

HTH

Pablo

0 Helpful
Latest Contents
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
1
5
1
5
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
FMT 2.3.4 adding ASA migrations of S2S VPN in public beta
Created by William_Hansch on 03-22-2021 08:00 AM
0
10
0
10
The latest iteration (v2.3.4) of the Cisco Secure Firewall Migration Tool adds public beta support for S2S VPN migrations from ASA: Policy-based (crypto map) Pre-Shared key authentication type VPN configuration to Firepower Management Center VP... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 03-22-2021 04:40 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
ISE Data limiting best practices
Created by Jonathan Casillas on 03-18-2021 04:34 PM
0
5
0
5
Intro This document presents the ISE data limiting best practices that can dramatically improve the system performance on ISE. Symptoms Your deployment may be impacted if the alarms tab on ISE shows High load average, high CPU or high memoy usage alarm... view more
Content for Community-Ad