05-21-2019 12:21 PM
Hello,
Currently we have a primary and backup ISP in our environment, and the ISPs are set to fail over if the connection to the primary drops off for whatever reason. It fails back to the primary from the backup once the primary comes back online. The main issue is that the VPN does not work on the backup ISP if the primary were to go down. Below is our VPN configuration:
ip local pool VPN-Pool 192.168.99.1-192.168.99.254 mask 255.255.255.0
!
dynamic-access-policy-record DfltAccessPolicy
!
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto dynamic-map WAN_dyn_map 1 set ikev2 ipsec-proposal AES256
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_AnyConnect 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_AnyConnect interface WAN
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable WAN
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
!
webvpn
 enable WAN
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.4.00243-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macos-4.4.00243-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect profiles kennesaw-vpn_client_profile disk0:/kennesaw-vpn_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
!
group-policy DfltGrpPolicy attributes
 banner value Welcome to Blank. By clicking Accept, you agree that all traffic will be monitored.
 vpn-tunnel-protocol ikev2
 address-pools value VPN-Pool
 webvpn
  anyconnect ask none default anyconnect
group-policy GroupPolicy_kennesaw-vpn internal
group-policy GroupPolicy_kennesaw-vpn attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-allowed-networks
 default-domain value cloud9ortho.com
 webvpn
  anyconnect profiles value kennesaw-vpn_client_profile type user
!
tunnel-group kennesaw-vpn type remote-access
tunnel-group kennesaw-vpn general-attributes
 address-pool VPN-Pool
 default-group-policy GroupPolicy_kennesaw-vpn
tunnel-group kennesaw-vpn webvpn-attributes
 group-alias kennesaw-vpn enable
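In the configuration above, every remote-access binding (the crypto map, `crypto ikev2 enable`, and `enable` under `webvpn`) names only the WAN interface, which is why nothing answers on the backup ISP. The following Python is an added example, not from the thread and not Cisco's code: it audits a pasted ASA running-config for those three bindings on each ISP-facing interface and lists what is missing. The backup interface nameif `WAN2` is an assumed placeholder, since the thread never names it.

```python
"""Audit an ASA running-config for remote-access VPN bindings per ISP interface.

Added example (not from the thread). For each ISP-facing nameif it reports
whether IKEv2 is enabled, a crypto map is applied and webvpn (AnyConnect/SSL)
is enabled on that interface.
"""
import re

# Constructed sample: the relevant lines of the poster's config, in ASA's own
# indentation. A nested 'webvpn' under group-policy is included on purpose so
# the top-level block detection is exercised.
SAMPLE_CONFIG = """\
crypto map WAN_AnyConnect 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_AnyConnect interface WAN
crypto ikev2 enable WAN
webvpn
 enable WAN
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2
 webvpn
  anyconnect ask none default anyconnect
"""

IKEV2_ENABLE = re.compile(r"^crypto ikev2 enable (\S+)", re.M)
CRYPTO_MAP_IF = re.compile(r"^crypto map \S+ interface (\S+)", re.M)


def webvpn_interfaces(config):
    """Return the interfaces listed as ' enable <if>' inside the top-level webvpn block.

    Indented 'webvpn' lines under a group-policy are a different context and are
    deliberately not counted.
    """
    ifaces = set()
    in_block = False
    for line in config.splitlines():
        if not line.startswith(" "):
            # Any unindented line starts a new top-level context.
            in_block = line.strip() == "webvpn"
            continue
        if in_block:
            m = re.match(r"\s+enable (\S+)$", line)
            if m:
                ifaces.add(m.group(1))
    return ifaces


def audit(config, isp_interfaces):
    """Map each ISP interface to the sorted list of VPN bindings it lacks."""
    bound = {
        "ikev2": set(IKEV2_ENABLE.findall(config)),
        "crypto_map": set(CRYPTO_MAP_IF.findall(config)),
        "webvpn": webvpn_interfaces(config),
    }
    return {
        iface: sorted(name for name, ifs in bound.items() if iface not in ifs)
        for iface in isp_interfaces
    }


if __name__ == "__main__":
    # 'WAN2' is an assumed name for the backup ISP interface.
    for iface, missing in audit(SAMPLE_CONFIG, ["WAN", "WAN2"]).items():
        print(iface, "OK" if not missing else "missing: " + ", ".join(missing))
```

Run it against the output of `show running-config` with the real nameifs of both ISP interfaces; an interface that reports all three bindings missing cannot terminate AnyConnect sessions at all, regardless of routing or NAT.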
05-21-2019 09:45 PM - edited 05-21-2019 09:46 PM
Hi
Yes, you're right, the config you posted has to be added. But you also need to add the NAT exempt to allow your VPN clients to reach your internal resources.
You can also push an AnyConnect profile with a backup server to allow AnyConnect to automatically connect to the secondary ISP IP in case the primary goes down. A quick snippet of the AnyConnect profile regarding the server configuration part:
<ServerList>
  <HostEntry>
    <HostName>A-VPN-CONNECTION-name</HostName>
    <HostAddress>YOUR-PRIMARY-IP-OR-PRIMARY-FQDN</HostAddress>
    <BackupServerList>
      <HostAddress>YOUR-SECONDARY-IP-OR-SECONDARY-FQDN</HostAddress>
    </BackupServerList>
  </HostEntry>
</ServerList>
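The snippet above only helps if every HostEntry the profile pushes actually carries a BackupServerList. The following Python is an added example, not from the thread and not Cisco's code: it parses a client profile and lists the entries that have no backup address, so the check can be run before the XML is uploaded to the ASA. The hostnames are constructed placeholders; the parsing ignores XML namespaces because deployed profiles declare a default namespace on the root element.

```python
"""Check an AnyConnect client profile's <ServerList> for backup servers.

Added example (not from the thread). Parses the profile XML namespace-
agnostically and reports HostEntry items that lack a <BackupServerList>.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the reply's snippet with placeholder hosts, plus a second
# entry without a backup so the check has something to flag.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>A-VPN-CONNECTION-name</HostName>
      <HostAddress>vpn-primary.example.invalid</HostAddress>
      <BackupServerList>
        <HostAddress>vpn-secondary.example.invalid</HostAddress>
      </BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>No-Backup-Entry</HostName>
      <HostAddress>vpn-only.example.invalid</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip a namespace prefix: '{ns}HostName' -> 'HostName'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def server_entries(profile_xml):
    """Return {HostName: {"primary": addr, "backups": [addr, ...]}} for each HostEntry."""
    root = ET.fromstring(profile_xml)
    entries = {}
    for host in root.iter():
        if _local(host.tag) != "HostEntry":
            continue
        name = _children(host, "HostName")[0].text.strip()
        primary = _children(host, "HostAddress")[0].text.strip()
        backups = []
        for bsl in _children(host, "BackupServerList"):
            backups += [a.text.strip() for a in _children(bsl, "HostAddress")]
        entries[name] = {"primary": primary, "backups": backups}
    return entries


def entries_without_backup(profile_xml):
    """Sorted HostName values whose entry carries no backup address."""
    return sorted(n for n, e in server_entries(profile_xml).items() if not e["backups"])


if __name__ == "__main__":
    for name, entry in server_entries(SAMPLE_PROFILE).items():
        print(name, entry["primary"], entry["backups"])
    print("entries without a backup server:", entries_without_backup(SAMPLE_PROFILE))
```

The backup address must be something the client can reach on the secondary ISP; a second FQDN (or the secondary public IP itself) is the usual choice, and the ASA's certificate should cover that name as well so the client does not get a name-mismatch warning when it fails over.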
05-22-2019 05:27 AM
Thank you for your reply. We have the current NAT in our config already:
nat (LAN,WAN) source static any any destination static VPN-network VPN-network no-proxy-arp route-lookup
object network VPN-network
 subnet 192.168.99.0 255.255.255.0
So would another NAT need to be added, or would this work? Ideally I would like the users to use the same VPN-Network subnet when connected to the VPN no matter which ISP is being used.
05-23-2019 05:41 AM