03-23-2023 03:50 AM
I have 2 FTD2140s in an HA pair managed by FMC. This is the head end for several L2L/point-to-point VPNs.
What I need to do is have an L2L/point-to-point VPN from this head end to two separate remote sites using the same encryption domain. Basically, one head end IP to two separate remote end IPs using the same encryption domain.
e.g.
if you are 10.10.10.0/24 going to 20.20.20.0/24 send to 95.1.1.1 (primary)
if you are 10.10.10.0/24 going to 20.20.20.0/24 send to 85.1.1.1 (secondary)
Is that possible? Is there a document that shows how to achieve this?
Thanks
03-23-2023 03:54 AM
@michael18 you can create a backup VTI tunnel; if the primary VPN fails, the secondary tunnel will be used.
03-23-2023 04:13 AM
Thanks Rob, that looks like what I need.
03-23-2023 04:20 AM
Please update us when you run the VPN between HQ and the remote site and it succeeds.
03-23-2023 08:44 AM
Hi
Reading the guide, there's a limitation to VTI: it needs to be enabled at both ends. As the remote ends are in a 3rd-party network, I don't know if they will be capable. They are using firewalls in separate DR sites with a manual failover. I assume they change routing further back in the network to direct traffic to the secondary firewall if the primary fails.
Are there any other ways to achieve this scenario?
03-23-2023 08:50 AM - edited 03-23-2023 08:52 AM
03-23-2023 08:56 AM
Thanks Rob. I really appreciate your help.
03-23-2023 09:07 AM
As I guessed.
I will look to find a solution and share it with you tonight.
03-23-2023 03:55 AM
FW HA: only one is active, and I think you use dual ISP.
You can see the guide below for configuring FMC with a primary/backup ISP.
03-23-2023 04:19 AM
Thanks for the response. Probably my explanation was missing some detail. We don't have a backup ISP. The head end IP stays the same on failover. The issue was having two remote site VPN termination points, with different IPs but the same encryption domain.
Cheers
03-23-2023 04:47 AM
Yes, I get your question; it was not in the original post but later in your reply.
The issue I think about here:
if the remote ISP1 is down and traffic shifts to ISP2, how does HQ detect it?
If we configure a static route toward VTI-primary in HQ with a preferred metric,
we need EEM or IP SLA.
That's why I asked you to update us when you run dual VTI successfully.