Backup site-to-site VPN configuration

sdavis (Level 1)

I have a client with dual ISP connections, one on a 10Mb connection and the other on a backup link that is only a T1.

The client has multiple sites with this identical configuration. The T1 is set up as a backup default route within the ASAs at each location.

Currently they have multiple site-to-site VPNs at each of the locations configured on the 10Mb connection. One of these site-to-sites connects the two offices in question. What is the best way to ensure that we maintain VPN connectivity between the sites in the event of a failure of the 10Mb connection at one of the two locations?

I believe I need to set up an additional crypto map for the interface connected to the T1 ("Backup-T1") and then reference both remote IPs in the "set peer" statements of the two crypto maps.

So, for example:

Site A

interface Outside
 ip address 1.1.1.1 255.255.255.252
interface Backup-T1
 ip address 2.2.2.1 255.255.255.252
interface Inside
 ip address 10.10.1.1 255.255.255.0
!
! Primary default route, withdrawn when track 1 reports the next hop unreachable;
! the floating route via Backup-T1 (metric 254) then takes over.
! The SLA/track configuration behind "track 1" is omitted for brevity.
route Outside 0.0.0.0 0.0.0.0 1.1.1.2 1 track 1
route Backup-T1 0.0.0.0 0.0.0.0 2.2.2.2 254
!
! Each crypto map entry lists both of Site B's addresses as peers, so the ASA
! can fall back to the second endpoint if the first stops responding.
! (isakmp policy, transform set and the crypto ACLs are omitted here.)
crypto map outside_map 1 match address office_b_inside_acl
crypto map outside_map 1 set peer 3.3.3.1 4.4.4.1
crypto map outside_map 2 match address additional_l2l_acl
crypto map outside_map 2 set peer "additional location ip"
crypto map outside_map interface Outside
!
crypto map backupT1_map 1 match address office_b_inside_acl
crypto map backupT1_map 1 set peer 3.3.3.1 4.4.4.1
crypto map backupT1_map 2 match address additional_l2l_acl
crypto map backupT1_map 2 set peer "additional location ip"
crypto map backupT1_map interface Backup-T1
!
! One tunnel-group per remote peer address (Site B's Outside and Backup-T1)
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
 pre-shared-key letmein
tunnel-group 4.4.4.1 type ipsec-l2l
tunnel-group 4.4.4.1 ipsec-attributes
 pre-shared-key letmein

Site B

interface Outside
 ip address 3.3.3.1 255.255.255.252
interface Backup-T1
 ip address 4.4.4.1 255.255.255.252
interface Inside
 ip address 10.10.2.1 255.255.255.0
!
! Next hops are Site B's own ISP gateways (3.3.3.2 and 4.4.4.2, inferred from
! the /30 masks above), not Site A's. The SLA/track configuration behind
! "track 1" is again omitted for brevity.
route Outside 0.0.0.0 0.0.0.0 3.3.3.2 1 track 1
route Backup-T1 0.0.0.0 0.0.0.0 4.4.4.2 254
!
! Mirror image of Site A: both of Site A's addresses as peers on each map
crypto map outside_map 1 match address office_a_inside_acl
crypto map outside_map 1 set peer 1.1.1.1 2.2.2.1
crypto map outside_map 2 match address additional_l2l_acl
crypto map outside_map 2 set peer "additional location ip"
crypto map outside_map interface Outside
!
crypto map backupT1_map 1 match address office_a_inside_acl
crypto map backupT1_map 1 set peer 1.1.1.1 2.2.2.1
crypto map backupT1_map 2 match address additional_l2l_acl
crypto map backupT1_map 2 set peer "additional location ip"
crypto map backupT1_map interface Backup-T1
!
! Tunnel-groups are keyed on the remote peer, i.e. Site A's addresses
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key letmein
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
 pre-shared-key letmein

Have I got this right based on this example?  Any suggestions are much appreciated.

Thanks,

Sean

1 Reply

Hi Sean,

Excellent

I think you should be all set, however I do not see the IP SLA settings.

You have the "track" command, but not the SLA instance, please check this out:

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

http://tools.cisco.com/squish/BD68F

This is basically what you need:

sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10
!
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
!
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1

Please adjust the commands above to your configuration.

Let me know if you have any questions.

Please rate this post if you find it helpful.
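The two things this thread turns on, the "track" that has no SLA instance behind it and the pairing of every "set peer" address with its own tunnel-group and a correctly named crypto map, are cheap to check mechanically before the change window. The script below is an added example, not code from the thread, from Cisco, or from any ASA tooling: a small lint pass over a flat ASA-style config text. It uses a constructed sample (Site A from the question with the gaps left in: no sla/track definition for track 1, the "oustide_map" typo, and no tunnel-group for peer 4.4.4.1) and a corrected variant built from it. The line patterns are simplified assumptions about the CLI syntax shown in the thread, not a full ASA parser.

```python
import re
from collections import defaultdict

# Constructed sample (not a real device): Site A from the thread with the gaps
# the reply points at deliberately left in.
SAMPLE_CONFIG = """\
interface Outside
 ip address 1.1.1.1 255.255.255.252
interface Backup-T1
 ip address 2.2.2.1 255.255.255.252
route Outside 0.0.0.0 0.0.0.0 1.1.1.2 1 track 1
route Backup-T1 0.0.0.0 0.0.0.0 2.2.2.2 254
crypto map outside_map 1 match address office_b_inside_acl
crypto map outside_map 1 set peer 3.3.3.1 4.4.4.1
crypto map oustide_map interface Outside
crypto map backupT1_map 1 match address office_b_inside_acl
crypto map backupT1_map 1 set peer 3.3.3.1 4.4.4.1
crypto map backupT1_map interface Backup-T1
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
 pre-shared-key letmein
"""

# Same sample with the typo fixed and the missing sla/track and tunnel-group added.
CORRECTED_CONFIG = SAMPLE_CONFIG.replace("oustide_map", "outside_map") + """\
sla monitor 123
 type echo protocol ipIcmpEcho 1.1.1.2 interface Outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
tunnel-group 4.4.4.1 type ipsec-l2l
tunnel-group 4.4.4.1 ipsec-attributes
 pre-shared-key letmein
"""

# Simplified line patterns (assumption: one statement per line, as in the thread).
ROUTE_TRACK = re.compile(r"^route \S+ \S+ \S+ \S+ \d+ track (\d+)$")
TRACK_DEF = re.compile(r"^track (\d+) rtr (\d+) reachability$")
SLA_DEF = re.compile(r"^sla monitor (\d+)$")
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_PEERS = re.compile(r"^crypto map (\S+) \d+ set peer (.+)$")
MAP_ENTRY = re.compile(r"^crypto map (\S+) \d+ ")
TG_L2L = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def parse(config_text):
    """Collect the cross-references the lint needs from a flat config text."""
    facts = {
        "tracks_used": set(),        # track ids referenced by static routes
        "tracks_defined": {},        # track id -> sla monitor id
        "sla_defined": set(),        # sla monitor ids
        "maps_defined": set(),       # crypto map names that have entries
        "map_bindings": {},          # crypto map name -> interface
        "peers": defaultdict(set),   # crypto map name -> set of peer addresses
        "tunnel_groups": set(),      # ipsec-l2l tunnel-group names (peer IPs)
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        if (m := ROUTE_TRACK.match(line)):
            facts["tracks_used"].add(m.group(1))
        elif (m := TRACK_DEF.match(line)):
            facts["tracks_defined"][m.group(1)] = m.group(2)
        elif (m := SLA_DEF.match(line)):
            facts["sla_defined"].add(m.group(1))
        elif (m := MAP_BIND.match(line)):
            facts["map_bindings"][m.group(1)] = m.group(2)
        elif (m := MAP_PEERS.match(line)):
            facts["maps_defined"].add(m.group(1))
            facts["peers"][m.group(1)].update(m.group(2).split())
        elif (m := MAP_ENTRY.match(line)):
            facts["maps_defined"].add(m.group(1))
        elif (m := TG_L2L.match(line)):
            facts["tunnel_groups"].add(m.group(1))
    return facts


def lint(config_text):
    """Return a list of human-readable findings; an empty list means no gaps found."""
    facts = parse(config_text)
    findings = []
    # 1. A tracked route needs a track object, and that track needs its SLA monitor.
    for t in sorted(facts["tracks_used"]):
        if t not in facts["tracks_defined"]:
            findings.append(f"route uses track {t} but no 'track {t} rtr ... reachability' is defined")
        elif facts["tracks_defined"][t] not in facts["sla_defined"]:
            sla = facts["tracks_defined"][t]
            findings.append(f"track {t} references sla monitor {sla}, which is not defined")
    # 2. A map bound to an interface must exist (catches misspelled map names).
    for name, intf in sorted(facts["map_bindings"].items()):
        if name not in facts["maps_defined"]:
            findings.append(f"crypto map '{name}' is bound to {intf} but has no entries (typo?)")
    # 3. Every defined map must be applied, and every peer needs an ipsec-l2l tunnel-group.
    for name in sorted(facts["maps_defined"]):
        if name not in facts["map_bindings"]:
            findings.append(f"crypto map '{name}' is never applied to an interface")
        for peer in sorted(facts["peers"][name]):
            if peer not in facts["tunnel_groups"]:
                findings.append(f"peer {peer} in crypto map '{name}' has no ipsec-l2l tunnel-group")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for line in lint(cfg):
            print("  -", line)
```

Run against the sample it reports five gaps (the undefined track, the misspelled map binding, the resulting unapplied outside_map, and the missing tunnel-group for 4.4.4.1 on both maps); against the corrected variant it reports none. The same pass run over the output of "show running-config" from each site is a quick way to confirm the Site B half really mirrors Site A before cutting the 10Mb link to test failover.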