1182 Views, 0 Helpful, 2 Replies

Dual-homed Site-to-Site IPSEC VPN

Kurtis Franklin
Level 1

Hello,

I've got a fiber network between most of my sites that forms a mesh topology between all of the locations. I have a handful of locations that connect to one of our offices that house our primary data center, the site-to-site IPSEC tunnels are up and running great.

What I'd like to do is set up a second tunnel to where our DR site is, about 45 miles away from our central office. Since both fiber offices are on the same network (10.0.0.0) but on different subnets (10.1.0.0 and 10.80.0.0), and still have full access to resources at both, I'd like for either tunnel to be usable by the remote ASA depending on where the resource is. The current working tunnel uses 10.0.0.0 as the remote network.

Setting up a new tunnel using the same remote network but to a different peer IP address doesn't seem to want to connect. Is it because it's the same remote network for both peers? Is there a configuration that will allow that site to hit resources at both locations while still preserving the ability to access secondary resources that are spread across other 10.x.0.0 subnets at other fiber locations?

One of the drivers for this is we have a CUCM server at both 10.80.0.0 and 10.1.0.0, and that particular office has a PRI that it uses at the 10.80.0.0 office (as well as registration to the subscriber CUCM and Unity server there) but is currently using the 10.1.0.0 office's ASA as its tunnel, which means all voice traffic is reliant on a lot more paths to make it work. However, nearly every internal business application is hosted from 10.1.0.0. The Internet pipe at 10.1.0.0 is also twice the bandwidth of 10.80.0.0, so we'd like to have it (at least somewhat) intelligently pick a tunnel for traffic, but still be able to use everything at both locations even if one tunnel were to go down from a down Internet link.

Is there a way to do this?

2 Replies

Jeff Van Houten
Level 5

Sounds like a job for routing. There are about a million imaginable questions, but I'd start with an understanding of your routing, then move on to the second tunnel.

Also, if you're looking at failover, I'd get familiar with dead peer detection.

Sent from Cisco Technical Support iPad App

On the WAN we use EIGRP with a router at each of our locations connected to a layer 2 WAN link from our service provider. At our central office, we have a 4500 layer 3 switch. A location on fiber is able to directly access any other location on fiber without having to go through another hop. We use 10.0.0.0 for our internal addressing. Ideally, the ASA 5505 at any of our given VPN sites (addressed with 172.16.0.0) would be able to send packets using the best possible path through the tunnel going directly to the 10.1.0.0 office or the 10.80.0.0 office, but if either link was down, all traffic could be sent to the remaining live tunnel.

I guess the question really comes down to whether this is possible using just an ASA 5505/5510 at each location, or if I actually need different equipment. If there was an alternate method for routing this traffic using the far less expensive FIOS/DSL lines we have at these VPN sites for a handful of people versus far more costly equipment and monthly service fees, I'm all ears.
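The reason the second tunnel never connects in the original question, and the shape of a crypto map that gives the "best path with failover" asked for in the follow-up, both come down to how an ASA selects a crypto map entry: entries are checked in sequence-number order, the first entry whose crypto ACL permits the source/destination pair wins, and only that entry's peer list is tried. The Python model below is an added example written for this thread, not Cisco's code and not the poster's configuration. It uses the 10.1.0.0, 10.80.0.0 and 10.0.0.0 networks named in the thread; the two peer addresses and the spoke subnet 172.16.10.0/24 are constructed placeholders.

```python
"""Model of how an ASA spoke picks a site-to-site tunnel for a packet.

Added example for this thread, not Cisco's code: crypto map entries are
checked in sequence-number order and the first entry whose crypto ACL
permits the source/destination pair is used; that entry's "set peer" list
is then tried in order. Peer addresses and the spoke subnet are
constructed placeholders; the 10.x networks are the ones in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

DC1_PEER = "203.0.113.1"   # constructed: outside address of the 10.1.0.0 office ASA
DR_PEER = "198.51.100.1"   # constructed: outside address of the 10.80.0.0 office ASA
SPOKE_LAN = ip_network("172.16.10.0/24")  # constructed: one VPN site's LAN


@dataclass
class CryptoMapEntry:
    seq: int
    acl: List[Tuple[IPv4Network, IPv4Network]]  # (local, remote) permit lines
    peers: List[str]                            # "set peer" list, primary first

    def permits(self, src, dst) -> bool:
        return any(src in local and dst in remote for local, remote in self.acl)


def select_tunnel(crypto_map: List[CryptoMapEntry], src: str, dst: str,
                  reachable: Set[str]) -> Optional[Tuple[int, Optional[str]]]:
    """Return (seq, peer) for the entry that would carry src -> dst.

    None means no crypto ACL matched, so the packet is never tunnelled.
    (seq, None) means an entry matched but none of its peers is reachable,
    i.e. that entry has no backup to fail over to.
    """
    s, d = ip_address(src), ip_address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.permits(s, d):
            for peer in entry.peers:
                if peer in reachable:
                    return entry.seq, peer
            return entry.seq, None
    return None


def shadowed_entries(crypto_map: List[CryptoMapEntry]) -> List[int]:
    """Sequence numbers whose every permit line is already covered by an
    earlier entry. Such an entry can never be selected, so its tunnel never
    sees interesting traffic and never comes up on its own."""
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    shadowed = []
    for i, entry in enumerate(ordered):
        earlier = [line for e in ordered[:i] for line in e.acl]
        if entry.acl and all(
            any(loc.subnet_of(el) and rem.subnet_of(er) for el, er in earlier)
            for loc, rem in entry.acl
        ):
            shadowed.append(entry.seq)
    return shadowed


# "Before": the second entry repeats the 10.0.0.0 remote network with a
# different peer, so it is shadowed by entry 10 and never used.
BEFORE = [
    CryptoMapEntry(10, [(SPOKE_LAN, ip_network("10.0.0.0/8"))], [DC1_PEER]),
    CryptoMapEntry(20, [(SPOKE_LAN, ip_network("10.0.0.0/8"))], [DR_PEER]),
]

# "After": the two office subnets get their own entries, each with the other
# office as backup peer, and a catch-all entry covers the other 10.x.0.0
# fiber sites reachable through either office.
AFTER = [
    CryptoMapEntry(10, [(SPOKE_LAN, ip_network("10.1.0.0/16"))], [DC1_PEER, DR_PEER]),
    CryptoMapEntry(20, [(SPOKE_LAN, ip_network("10.80.0.0/16"))], [DR_PEER, DC1_PEER]),
    CryptoMapEntry(30, [(SPOKE_LAN, ip_network("10.0.0.0/8"))], [DC1_PEER, DR_PEER]),
]

if __name__ == "__main__":
    both = {DC1_PEER, DR_PEER}
    print("shadowed entries before:", shadowed_entries(BEFORE))
    print("to 10.80.2.2 before:", select_tunnel(BEFORE, "172.16.10.5", "10.80.2.2", both))
    print("to 10.80.2.2 after: ", select_tunnel(AFTER, "172.16.10.5", "10.80.2.2", both))
    print("to 10.80.2.2, DR peer down:",
          select_tunnel(AFTER, "172.16.10.5", "10.80.2.2", {DC1_PEER}))
    print("to 10.200.1.1 after:", select_tunnel(AFTER, "172.16.10.5", "10.200.1.1", both))
```

The model only covers the spoke's choice of entry and peer. Two things it leaves out are exactly what the first reply points at: the head-end ASAs need mirror-image crypto ACLs for every spoke entry they are meant to terminate, and the fiber-side routing (the EIGRP routers and the 4500) has to send return traffic for the spoke's 172.16 subnet toward whichever office currently holds the SA. A backup peer is also only tried after IKE to the primary fails or dead peer detection declares it dead, so DPD is what turns the peer list into real failover rather than a long timeout.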