Jaro
Beginner

Backup IPsec Tunnel

Hi All, 

 

Our customer has two IP providers with different public IPs; on our site there is only one public IP address.

We have already configured one IPSec S2S VPN with 1st Provider.

 

The question is whether it is possible to configure a second, backup IPsec S2S VPN connection with the 2nd provider to a different public IP with the same encryption domains.

 

I have already found an article regarding the backup L2L feature, but it can be used for two ASAs only, and on our customer's site there is a basic device from another vendor.

 

Thank you

Accepted Solution
Pablo
Cisco Employee

Yes that's possible, the peer is added as a backup peer on the crypto map:

  • Create a new tunnel-group with the IP of your customer's 2nd provider, and configure the PSK or set the RSA cert.
  • Add the second public IP right next to the existing peer: "crypto map <name> <seq> set peer <ISP1> <ISP2>".

*The tunnel will be active with only one of the peers at a time; DPD is used to track peer liveness.

HTH.

Pablo


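As an added worked example, not part of the original post, this is how the two steps in the accepted answer look on an ASA (9.x syntax, IKEv1). The interface name, peer addresses, subnets, object names and PSK placeholders are all assumptions; only the structure (one tunnel-group per peer, both peers listed on the same crypto map entry) comes from the thread.

```cisco
! Added example (assumed addresses and names): 203.0.113.10 is the customer's
! ISP1 public IP, 198.51.100.20 is their ISP2 public IP. Both peers front the
! same customer LAN, so one crypto map entry (one encryption domain) serves both.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Encryption domain: identical for both peers, so a single ACL is enough.
object-group network LOCAL-LAN
 network-object 10.1.0.0 255.255.0.0
object-group network CUSTOMER-LAN
 network-object 192.168.50.0 255.255.255.0
access-list VPN-TO-CUSTOMER extended permit ip object-group LOCAL-LAN object-group CUSTOMER-LAN

! Step 1: one tunnel-group per remote public IP. Use a distinct, high-entropy
! PSK per tunnel-group rather than reusing the ISP1 key.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <psk-for-isp1-peer>
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <psk-for-isp2-peer>

! Step 2: both peers on the same crypto map entry. The ASA tries them in the
! order listed, so the ISP1 address is the primary and ISP2 the backup.
crypto map OUTSIDE-MAP 10 match address VPN-TO-CUSTOMER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10 198.51.100.20
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside
```

The remote (non-Cisco) device needs nothing special for this to work beyond accepting the ASA's single public IP as its peer on both of its ISP interfaces with the matching proposal and key; the peer selection happens entirely on the ASA side. If the remote side initiates, the ASA answers on whichever of the two listed peers the connection arrives from, because both addresses have a tunnel-group and appear on the map entry.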
5 Replies
balaji.bandi
VIP Expert

Not aware that this solution is possible at this stage. How are the 2 ISP providers terminating the connection to you?



BB


*** Rate All Helpful Responses ***


Hi Pablo,

 

Thanks for the answer. I have already configured it but have not tested it yet; when I test it I will let you know if it works properly.

 

Thank you

Hi Pablo,

 

Thanks for the help. Do you maybe have some article? I have already checked it and it works, but I do not know how it behaves after the switch to the backup peer and back to the primary peer.

 

Thank you

Pablo
Cisco Employee

Hi Jaro,

DPD is the one doing the trick on your side.

Here you can find more information about this feature; it's based on IOS, but it's the same logic for the ASA:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4/sec-ipsec-data-plane-12-4-book/sec-ipsec-dead-peer.html

HTH

Pablo
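As an added example, not from the original thread, this shows the DPD setting Pablo refers to as it is configured on the ASA (ISAKMP keepalives are set per tunnel-group, so each peer gets its own), followed by the EXEC commands a practitioner would use to see which of the two peers is currently carrying the tunnel and to exercise the failover during a test window. The peer addresses are the same assumed values as in the earlier example.

```cisco
! Added example (assumed addresses). DPD/keepalive is per tunnel-group, so it
! must be set on both peers or the backup tunnel is monitored differently from
! the primary. threshold = seconds of idle before a DPD probe, retry = seconds
! between retransmitted probes; the tunnel is declared dead when retries fail.
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.20 ipsec-attributes
 isakmp keepalive threshold 10 retry 2

! --- Verification, from privileged EXEC ---
! Which peer the ASA currently has an IKE SA with (only one will be listed):
show crypto ikev1 sa
! Per-peer IPsec SA counters; a live SA appears only under the active peer:
show crypto ipsec sa peer 203.0.113.10
show crypto ipsec sa peer 198.51.100.20
show vpn-sessiondb l2l
! Failover test: drop the IKE SA to the primary and generate interesting
! traffic; the ASA should then negotiate with the next peer on the map entry.
clear crypto ikev1 sa 203.0.113.10
```

What the thread does not spell out, and what should be observed on your own platform with the commands above, is the return path: DPD only detects that the peer in use has stopped answering and tears that tunnel down, after which the ASA rebuilds on the next peer listed on the crypto map. Once traffic is flowing over the backup, the ASA has no reason to move it back; a switch back to the primary happens when the backup tunnel itself is torn down (by DPD, SA expiry, or `clear crypto ikev1 sa`) and the ASA starts again at the first peer in the list.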
