08-22-2014 12:47 AM
Hi Dear Engineers,
I need to implement L2L VPN redundancy between two sites, with dual ISP links at each site.
Please help me with the best solution.
I have attached the appropriate diagram.
Thanks in advance
08-22-2014 01:19 AM
No problem. On each ASA you need to specify BOTH public IP addresses of the other ASA in the crypto map, and the opposite on the other one, like so;
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 1.1.1.1 2.2.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
Then you need a tunnel-group on each ASA for those IP addresses (they are identical), like so
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
This assumes you already have a site to site VPN up, and you are just adding the second IP of the ASA at the other end. As usual both sites should be a mirror image.
Cisco ASA 5500 Site to Site VPN (From CLI)
Pete
08-22-2014 01:22 AM
I've covered this in the link below; yours just has two ISPs at BOTH ends, but the procedure is the same.
Cisco ASA/PIX 8.x: Redundant or Backup ISP Links with VPNs
Pete
08-22-2014 02:31 AM
But in this config, when the primary link goes down, the VPN tunnel through the backup link comes up late (nearly 30-40 secs), and the customer requires less downtime. Additionally, when the primary link comes back online (with the backup link still online), the ASA has trouble creating the VPN tunnel through the primary link.
So I used different crypto maps with the same interesting traffic and transform set, but each with the relevant peer address, and the relevant tunnel-groups, of course.
My sample config is below. Please review and comment.
ASA Left side
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.250.1 255.255.255.0
!
interface Ethernet0/1
nameif ttl
security-level 0
ip address 192.168.168.1 255.255.255.0
!
interface Ethernet0/2
nameif saturn
security-level 0
ip address 192.168.169.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
access-list test extended permit ip 192.168.250.0 255.255.255.0 10.84.0.0 255.255.255.0
route ttl 10.84.0.0 255.255.255.0 192.168.168.2 1 track 1
route saturn 10.84.0.0 255.255.255.0 192.168.169.2 10
sla monitor 1
type echo protocol ipIcmpEcho 192.168.168.2 interface ttl
num-packets 2
timeout 1000
frequency 3
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto map test 1 match address test
crypto map test 1 set peer 192.168.168.2
crypto map test 1 set transform-set test
crypto map test interface ttl
crypto map test2 1 match address test
crypto map test2 1 set peer 192.168.169.2
crypto map test2 1 set transform-set test
crypto map test2 interface saturn
crypto isakmp enable ttl
crypto isakmp enable saturn
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 1 reachability
!
tunnel-group 192.168.168.2 type ipsec-l2l
tunnel-group 192.168.168.2 ipsec-attributes
pre-shared-key *
tunnel-group 192.168.169.2 type ipsec-l2l
tunnel-group 192.168.169.2 ipsec-attributes
pre-shared-key *
-----------------------------------------------------------------------------------------------------------------------------------------------
ASA Right Side
ASA Version 8.0(2)
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.84.0.1 255.255.255.0
!
interface Ethernet0/1
nameif ttl
security-level 0
ip address 192.168.168.2 255.255.255.0
!
interface Ethernet0/2
nameif saturn
security-level 0
ip address 192.168.169.2 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
access-list test extended permit ip 10.84.0.0 255.255.255.0 192.168.250.0 255.255.255.0
route ttl 192.168.250.0 255.255.255.0 192.168.168.1 1 track 1
route saturn 192.168.250.0 255.255.255.0 192.168.169.1 10
sla monitor 1
type echo protocol ipIcmpEcho 192.168.168.1 interface ttl
num-packets 2
timeout 1000
frequency 3
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto map test 1 match address test
crypto map test 1 set peer 192.168.168.1
crypto map test 1 set transform-set test
crypto map test interface ttl
crypto map test2 1 match address test
crypto map test2 1 set peer 192.168.169.1
crypto map test2 1 set transform-set test
crypto map test2 interface saturn
crypto isakmp enable ttl
crypto isakmp enable saturn
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 1 reachability
tunnel-group 192.168.168.1 type ipsec-l2l
tunnel-group 192.168.168.1 ipsec-attributes
pre-shared-key *
tunnel-group 192.168.169.1 type ipsec-l2l
tunnel-group 192.168.169.1 ipsec-attributes
pre-shared-key *
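Pete's rule above that both sites should be a mirror image, and Samir's request for a review of the two-crypto-map config, as an added example that is not from the thread or any of its posters: a Python script that parses the parts of two ASA configs that matter for an L2L tunnel (interface addresses, crypto maps, crypto ACLs, tunnel-groups, ISAKMP policies) and reports anything that breaks the mirror. The sample configs are constructed from the two posted ones, reduced to the lines the checker reads and rendered from one template; the function names and the dictionary keys are the example's own, not anything from the ASA.

```python
"""Mirror-image check for a pair of ASA L2L VPN configs (added example, not from the thread)."""
import re

# Constructed sample: the thread's Left/Right configs reduced to the lines the checker
# reads, rendered from one template so the two sides are built as mirror images.
TEMPLATE = """
 nameif ttl
 ip address {ttl_ip} 255.255.255.0
 nameif saturn
 ip address {saturn_ip} 255.255.255.0
access-list test extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
crypto map test 1 match address test
crypto map test 1 set peer {ttl_peer}
crypto map test interface ttl
crypto map test2 1 match address test
crypto map test2 1 set peer {saturn_peer}
crypto map test2 interface saturn
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash {hash1}
 group 2
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group {ttl_peer} type ipsec-l2l
tunnel-group {saturn_peer} type ipsec-l2l
"""
LEFT = TEMPLATE.format(ttl_ip="192.168.168.1", saturn_ip="192.168.169.1", local="192.168.250.0",
                       remote="10.84.0.0", ttl_peer="192.168.168.2", saturn_peer="192.168.169.2", hash1="md5")
RIGHT = TEMPLATE.format(ttl_ip="192.168.168.2", saturn_ip="192.168.169.2", local="10.84.0.0",
                        remote="192.168.250.0", ttl_peer="192.168.168.1", saturn_peer="192.168.169.1", hash1="sha")


def parse_asa(cfg: str) -> dict:
    """Pull out interface IPs, crypto maps, crypto ACLs, tunnel-groups and ISAKMP policies."""
    site = {"ifaces": {}, "maps": {}, "acls": {}, "tgs": set(), "policies": []}
    cmap = lambda n: site["maps"].setdefault(n, {"peers": [], "acl": None, "iface": None})
    iface = pol = None
    for line in (l.strip() for l in cfg.splitlines() if l.strip() and not l.startswith("!")):
        if line.startswith("nameif "):
            iface = line.split()[1].lower()          # interface names compared case-insensitively
        elif line.startswith("ip address ") and iface:
            site["ifaces"][iface] = line.split()[2]
        elif m := re.match(r"crypto map (\S+) \d+ match address (\S+)$", line):
            cmap(m[1])["acl"] = m[2]
        elif m := re.match(r"crypto map (\S+) \d+ set peer (.+)$", line):
            cmap(m[1])["peers"] += m[2].split()      # one entry may list several peers
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            cmap(m[1])["iface"] = m[2].lower()
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            site["acls"].setdefault(m[1], []).append(((m[2], m[3]), (m[4], m[5])))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            site["tgs"].add(m[1])
        elif m := re.match(r"crypto isakmp policy (\d+)$", line):
            pol = {"priority": int(m[1])}
            site["policies"].append(pol)
        elif pol and line.split()[0] in ("authentication", "encryption", "hash", "group"):
            pol[line.split()[0]] = line.split()[1]
    return site


def check_direction(a: dict, b: dict, an: str, bn: str) -> list:
    """Every tunnel `a` can initiate must be one `b` accepts from the address `a` sources it from."""
    out = []
    b_owner = {ip: name for name, ip in b["ifaces"].items()}   # peer IP -> interface on b
    for mname, mp in a["maps"].items():
        src = a["ifaces"].get(mp["iface"])
        if src is None:
            out.append(f"{an}: crypto map {mname} bound to unknown interface {mp['iface']}")
            continue
        for peer in mp["peers"]:
            if peer not in a["tgs"]:
                out.append(f"{an}: no tunnel-group for peer {peer} (crypto map {mname})")
            if peer not in b_owner:
                out.append(f"{an}: peer {peer} is not an interface address on {bn}")
                continue
            if src not in b["tgs"]:
                out.append(f"{bn}: no tunnel-group for {src}, which {an} sources from on {mp['iface']}")
            # b must apply a crypto map on the interface owning `peer` that lists `src` as a peer
            accepting = [n for n, bm in b["maps"].items() if bm["iface"] == b_owner[peer] and src in bm["peers"]]
            if not accepting:
                out.append(f"{bn}: no crypto map on {b_owner[peer]} with peer {src}")
                continue
            # the crypto ACL on b must be the exact mirror (src/dst swapped) of the one on a
            for n in accepting:
                b_acl = b["acls"].get(b["maps"][n]["acl"], [])
                mirrored = {(dst, s) for s, dst in b_acl}
                out += [f"{bn}: ACL {b['maps'][n]['acl']} has no mirror of {e}"
                        for e in a["acls"].get(mp["acl"], []) if e not in mirrored]
    return out


def isakmp_pairs(a: dict, b: dict) -> list:
    """(a priority, b priority) pairs whose auth/encryption/hash/group agree; none means phase 1 cannot complete."""
    keys = ("authentication", "encryption", "hash", "group")
    return [(pa["priority"], pb["priority"]) for pa in a["policies"] for pb in b["policies"]
            if all(pa.get(k) == pb.get(k) for k in keys)]


def review(left_cfg: str, right_cfg: str) -> dict:
    left, right = parse_asa(left_cfg), parse_asa(right_cfg)
    findings = check_direction(left, right, "Left", "Right") + check_direction(right, left, "Right", "Left")
    pairs = isakmp_pairs(left, right)
    if not pairs:
        findings.append("no ISAKMP policy in common")
    return {"findings": findings, "isakmp_pairs": pairs}


if __name__ == "__main__":
    broken = RIGHT.replace("tunnel-group 192.168.169.1 type ipsec-l2l", "")   # one tunnel-group dropped
    for label, cfg in (("as posted", RIGHT), ("Right side missing a tunnel-group", broken)):
        r = review(LEFT, cfg)
        print(label, f"ISAKMP pairs: {r['isakmp_pairs']}", *r["findings"], sep="\n  ")
```

Run as posted, the two sides come out clean, and the only thing worth a remark is that Left's ISAKMP policy 1 (hash md5) has no counterpart on the Right side, so only the sha policies can ever be selected; the script reports which priority pairs agree. Dropping one tunnel-group from the Right side produces a finding in each direction, which is the kind of asymmetry that makes a backup-path tunnel fail to come up while the primary still works.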
08-22-2014 04:04 AM
Hi Samir,
Check my blog, which covers a similar setup as per your requirement....
http://cuckoonetworks.blogspot.com/
It just needs fine-tuning with track/IP SLA and DPD config to make it a better solution.
Regards
Karthik