We have an ASA 5510 at headquarters that branch offices connect back to using EasyVPN with 5505's. We have two branches that are close to one another that we would like to also have a direct link/tunnel to one another to link the two branches bypassing HQ. This way if branch B has traffic that is on branch A's subnet it will use the tunnel to go directly to Branch A and directly back to Branch B via the tunnel (vice versa if branch A has traffic on branch B's subnet) while all other traffic would continue to split tunnel out the internet connection or back to HQ through the EasyVPN connection.
On the branch 5505's there is only 1 outside interface that both the EasyVPN and the tunnel would have to share. I have been hitting a lot of dead ends and so far l2l tunnels, spoke to spoke and DMVPN seem to be the closest solutions. It appears that DMVPN isn't available on the 5505's. I have been getting conflicting results on having a separate tunnel and EasyVPN working at the same time on the same outside interface and spoke to spoke appears to communicate back through HQ to the branch which I am trying to avoid.
Does anyone have experience with this scenerio using 5505's that can point me in the right direction?
I assume that you Branch sites are using DHCP IP on their WAN links or are perhaps behind one such device doing PAT? Or do they actually have static public IP addresses?
I would imagine they use DHCP since you have used L2L VPN between Branches and from each Branch to HQ.
One branch is static and the other branch is dhcp on their wan links. If required I can order a static to switch both branches to static if there is an option that will allow both branches to have the EasyVPN connection back to HQ and to also have a direct tunnel between each branch bypassing HQ.
Well naturally if your HQ also has a static public IP address and you can get the same for the Branch sites then you could easily configure L2L VPN betwen Branch -> HQ and Branch -> Branch
Essentially traffic between Branches would go through a direct L2L VPN between them and Branch to HQ traffic would flow through a L2L VPN connection directly from the Branch to the HQ.
You wouldnt need to use EasyVPN for this. Just normal IPsec L2L VPN configurations between the sites. Each site would use their own local Internet connection for all traffic towards external networks.
All of our other sites connect using EasyVPN thats why I was looking for a solution that wouldn't change the EasyVPN part but what you suggest makes sense. I'll have to see if they are ok doing it differently with these two sites and will test it out, thanks for your quick replies.