03-27-2023 11:21 PM
Hello,
Situation:
In the HQ we have an active/standby Firepower 2120 with ASA software.
In the branch there should be a Firepower 1010 with ASA software.
The HQ is redundant; the branch has 2 ISPs: one leased line with a fixed IP, one DSL backup (PPPoE with a fixed IP).
Now I need an IPsec L2L from the branch to HQ with failover to the DSL backup.
I've read I could (on the branch) enter both outside interfaces in the tunnel group, is this correct? Only on the CLI?
But how can I configure the tunnel group on HQ?
Any help is appreciated, thank you
04-03-2023 04:46 AM
@gaigl so the VPN failed over to the secondary link and the IPsec SAs were established correctly? If you have no encaps but some decaps, that usually indicates a NAT or routing issue.
So the LAN switch routes all outbound traffic via the ASA, which then has a default route via the correct outside interface? Which should now be the secondary interface, right?
Do you have a second NAT exemption rule specific to the secondary interface to ensure traffic is not unintentionally translated?
Something like this:
nat (inside,outside1) source static LAN LAN destination static REMOTE REMOTE
nat (inside,outside2) source static LAN LAN destination static REMOTE REMOTE
Provide the routing configuration changes you made, including the SLA/tracking.
03-28-2023 12:17 AM
@gaigl you'd enable crypto on both outside interfaces of the branch ASA. Use IP SLA to track the default route via ISP1, which would failover to the DSL backup in the event the leased line fails.
On the HQ, create 2 tunnel groups (use the IP address of the branch interface) and define the authentication (PSK). Define a secondary peer IP address (of the DSL backup interface) under the crypto map.
Here is a similar example: https://integratingit.wordpress.com/2023/02/11/asa-dual-isp-backup-vpn/
03-28-2023 04:35 AM
I'm trying some parts, I'm not yet ready with tests (because of some other work).
Thank you
03-28-2023 04:31 AM
I will run a lab using ASA HA and another ASA as branch (sorry, I don't have FPR now).
Do you want to see this lab?
Please confirm.
Thanks
MHM
03-28-2023 04:33 AM
Hello,
How can I see the lab? It would be interesting, thank you
03-28-2023 04:36 AM
Sure, I will run the lab and share it here tonight.
03-30-2023 04:04 AM
Hello,
I almost got it.
At the branch, a crypto map with 2 interfaces:
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer $IP of HQ
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 1 set ikev2 pre-shared-key *****
crypto map outside_map1 1 set security-association lifetime seconds 3600
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 interface outside
crypto map outside_map1 interface outside-2
On the HQ, a crypto map with 2 peers:
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer $IP-of-outside $IP-of-outside-2
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 1 set security-association lifetime seconds 3600
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 interface outside
Static routes with different metrics.
But if I cut the primary connection, I don't get a tunnel via the second connection.
Error: %ASA-5-750007: IP of outside-2 ...IKEv2 SA DOWN Reason: peer phase 2 mismatch
I've no tracking/SLA configured in the static routes, does this solve the problem?
Should I see an additional crypto SA for the secondary address?
Thank you
03-30-2023 04:09 AM - edited 03-30-2023 04:21 AM
If you can, use the same config.
In HQ use set peer <peer1> <peer2>,
but with IKEv1,
and also use keepalive in both FWs.
Please check Mr. @Rob Ingram's suggestion before applying mine.
For my lab I try using VTI, not policy-based VPN.
03-30-2023 04:17 AM
03-30-2023 05:02 AM
HQ:
interface Ethernet1/1
nameif outside
security-level 0
ip address 8.8.8.8 255.255.255.0 standby 8.8.8.9
!
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.5.11 255.255.255.0 standby 192.168.5.12
object-group network DM_INLINE_NETWORK_1
network-object object BVK-LAN
network-object object DMZ-1
network-object object DMZ-2
network-object object DMZ-3
network-object object BVBN_NET
network-object object NET-ANYCONNECT
network-object object NET-VOIP
object network TEST-RV
subnet 172.25.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_1 object TEST-RV
crypto ipsec ikev2 ipsec-proposal AES256SHA512
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer 8.8.8.20 8.20.8.20
crypto map outside_map1 1 set ikev1 transform-set AES256SHA
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 1 set security-association lifetime seconds 3600
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 interface outside
crypto ikev2 policy 1
encryption aes-256 aes-192
integrity sha512 sha384 sha256
group 14
prf sha512 sha384 sha256
lifetime seconds 3600
tunnel-group 8.8.8.20 type ipsec-l2l
tunnel-group 8.8.8.20 general-attributes
default-group-policy GP_IKEV2
tunnel-group 8.8.8.20 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 8.20.8.20 type ipsec-l2l
tunnel-group 8.20.8.20 general-attributes
default-group-policy GP_IKEV2
tunnel-group 8.20.8.20 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
--------------------------------------------------
BRANCH
interface Ethernet1/1
no switchport
nameif outside
security-level 0
ip address 8.8.8.20 255.255.255.240
!
interface Ethernet1/2
no switchport
nameif outside-2
security-level 0
ip address 8.20.8.20 255.255.255.224
!
interface Ethernet1/3
no switchport
nameif inside
security-level 100
ip address 172.25.1.1 255.255.0.0
!
object network AUSSENSTELLEN_TEST_LAN
subnet 172.25.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_1
network-object object BVK-LAN
network-object object BVBN_NET
network-object object DMZ_I
network-object object DMZ_II
network-object object DMZ_III
network-object object NET-ANYCONNECT
network-object object NET-VOIP
access-list outside_cryptomap extended permit ip object AUSSENSTELLEN_TEST_LAN object-group DM_INLINE_NETWORK_1
crypto ipsec ikev2 ipsec-proposal AES256SHA512
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 1024
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer 8.8.8.8
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 1 set ikev2 pre-shared-key *****
crypto map outside_map1 1 set security-association lifetime seconds 3600
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 interface outside
crypto map outside_map1 interface outside-2
crypto ikev2 policy 1
encryption aes-256 aes-192
integrity sha512 sha384 sha256
group 14
prf sha512 sha384 sha256
lifetime seconds 3600
crypto ikev2 enable outside
crypto ikev2 enable outside-2
dynamic-access-policy-record DfltAccessPolicy
username admin password ***** pbkdf2 privilege 15
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 general-attributes
default-group-policy GP_IPSEC_2
tunnel-group 8.8.8.8 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
(public IP not real)
03-30-2023 05:06 AM
edit: the IKEv1 lines are now removed, it was an unsuccessful test
03-30-2023 05:26 AM
Hello Rob, I haven't used SLA/tracking until now.
I configured the routes with different metrics like this:
route outside-2 172.27.0.0 255.255.0.0 GW-ISP1 10
route outside 172.28.0.0 255.255.0.0 GW-ISP2 1
route outside-2 172.28.0.0 255.255.0.0 GW-ISP1 10
route outside 172.29.0.0 255.255.0.0 GW-ISP2 1
route outside-2 172.29.0.0 255.255.0.0 GW-ISP1 10
route outside 172.30.0.0 255.255.0.0 GW-ISP2 1
route outside-2 172.30.0.0 255.255.0.0 GW-ISP10 10
03-30-2023 05:33 AM - edited 03-30-2023 05:36 AM
Ok, that doesn't look right; you aren't tracking a route, and why not track the default route? What about the IP SLA and tracking configuration itself?
Is SLA/tracking working as expected?
I previously provided an example of this scenario with SLA/tracking configuration.
03-30-2023 05:39 AM
Hi Rob,
I've got no experience in tracking/SLA, and I can't ping the gateway of the ISP, I don't get an echo reply.
03-30-2023 05:43 AM
Ok, well, you need to track something to detect if that "outside" interface is up, perhaps track the outside IP address of another of your sites?
The link I provided has an example of IP SLA/Tracking and shows you how to configure tracking a route.
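The IP SLA tracking, tracked default route, per-interface NAT exemption and keepalive that Rob's and MHM's replies describe, written out as an added example for the branch ASA (not a config from any post in this thread). It reuses the interface and object names and the not-real HQ address 8.8.8.8 from the posted config; GW-ISP1/GW-ISP2 are the thread's own gateway placeholders, and the assumption is that HQ's outside address answers ICMP even though the ISP gateway does not.

```cisco
! --- Branch ASA: track reachability of HQ through the leased line (ISP1) ---
! Assumption: 8.8.8.8 (HQ outside, not a real IP) replies to echo; the ISP
! gateway does not, as reported in the thread, so it is not a usable target.
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! Tracked primary default route: withdrawn when track 1 fails, so the
! floating route via the DSL backup (metric 254) takes over. HQ subnets are
! reached through the default route, so no per-subnet static routes are needed.
route outside 0.0.0.0 0.0.0.0 GW-ISP1 1 track 1
route outside-2 0.0.0.0 0.0.0.0 GW-ISP2 254
!
! NAT exemption on BOTH outside interfaces so VPN traffic is never PATed,
! whichever ISP is currently active (no encaps after failover = NAT/route issue).
nat (inside,outside) source static AUSSENSTELLEN_TEST_LAN AUSSENSTELLEN_TEST_LAN destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
nat (inside,outside-2) source static AUSSENSTELLEN_TEST_LAN AUSSENSTELLEN_TEST_LAN destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
!
! Internet PAT for each ISP, placed after-auto so the exemptions above match first.
nat (inside,outside) after-auto source dynamic AUSSENSTELLEN_TEST_LAN interface
nat (inside,outside-2) after-auto source dynamic AUSSENSTELLEN_TEST_LAN interface
!
! DPD/keepalive so a dead IKEv2 SA over the failed ISP is torn down quickly
! and re-established from outside-2 (configure the same on the HQ tunnel groups).
tunnel-group 8.8.8.8 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
```

Verify with show track 1, show route, and show crypto ikev2 sa after pulling the leased line: the IKEv2 SA should rebuild with 8.20.8.20 as the local address and encaps/decaps counters should both increase.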