02-25-2021 08:29 AM
We have a Cisco ASA5525 connected to multiple ASA5506-X through a WAN_DMZ interface.
I have been asked to set up an alternative WAN for use on the mobile network M2M_DMZ
Setting up VPNs is not the problem, but I use the command "crypto ikev2 enable WAN_DMZ" at the end. I assume this will make all the IKEv2 traffic use the WAN_DMZ interface; how would I configure IKEv2 to use both WAN_DMZ and M2M_DMZ? An example of the 5525's config is below; the 5506's is similar.
crypto map WAN_DMZ_map 10 match address Base_Depot1_EncDom
crypto map WAN_DMZ_map 10 set peer 10.1.2.1
crypto map WAN_DMZ_map 10 set ikev2 ipsec-proposal AES256
crypto map WAN_DMZ_map 10 set nat-t-disable
tunnel-group 10.1.2.1 type ipsec-l2l
tunnel-group 10.1.2.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key password
ikev2 local-authentication pre-shared-key password
crypto ikev2 enable WAN_DMZ
02-25-2021 09:06 AM
You'll need a static route(s) for the outside/public IP address of the peer VPN via the correct interface. E.g.
route WAN_DMZ 1.1.1.1 255.255.255.255 <next hop ip>
route M2M_DMZ 2.2.2.2 255.255.255.255 <next hop ip>
If you didn't have this static route to the peer IP address, it would attempt to establish a tunnel over the default route via its interface.
02-25-2021 08:36 AM
Do you plan to have both these tunnels active at the same time?
If you want them both active you'd need /32 static routes to the peer firewalls routed via the M2M_DMZ interface and the default route via the WAN_DMZ interface. Or vice versa. Either way, you cannot have 2 active default routes without causing a problem.
If you want a backup, then use IP SLA to failover the default route via the other interface.
The crypto map name would be the same for both, it's the sequence number that distinguishes between the different peers.
You enable ikev1/ikev2 on both interfaces.
HTH
02-25-2021 08:44 AM - edited 02-25-2021 08:47 AM
Yes, both would be active at the same time. Does it have to be /32? They will be on a different range, so I could use a /16.
02-25-2021 08:50 AM
You cannot have 2 default routes and not expect issues. You'll have a default route via INT1, in order to utilise the other interface create a static route(s) via INT2 to the peer device you want to establish a tunnel with. This way you can establish a tunnel on either interface.
02-25-2021 08:59 AM - edited 02-25-2021 09:05 AM
Thanks for your help so far. WAN_DMZ is not the default route. Would it work if I added a route and then added the new interface to crypto ikev2? The 5506s on WAN_DMZ go to 10.1.0.0/16, the 5506s on M2M_DMZ go to 192.168.0.0/16.
route WAN_DMZ 10.1.0.0 255.255.0.0 10.0.200.1 1
route M2M_DMZ 192.168.0.0 255.255.0.0 10.2.200.1 1
route Default 0.0.0.0 0.0.0.0 10.10.0.17 1
crypto ikev2 enable WAN_DMZ
crypto ikev2 enable M2M_DMZ
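Added example, not part of any post in this thread: the replies above say the ASA picks the egress interface for a peer by ordinary longest-prefix routing, and that IKEv2 must also be enabled on whichever interface that turns out to be. The script below parses the route and "crypto ikev2 enable" lines posted here (plus one hypothetical /32 host route to 203.0.113.7, a documentation address, to show the case the reply recommends) and reports, for each peer, which interface the tunnel would leave on and whether IKEv2 is enabled there. The config lines and peer addresses are constructed for the example; the parsing handles only the "route" and "crypto ikev2 enable" forms shown in the thread.

```python
import ipaddress


# Constructed sample config for this example: the three routes and two
# "crypto ikev2 enable" lines posted in the thread, plus one hypothetical /32
# host route (203.0.113.7 is a documentation address, not a real peer).
CONFIG_LINES = [
    "route WAN_DMZ 10.1.0.0 255.255.0.0 10.0.200.1 1",
    "route M2M_DMZ 192.168.0.0 255.255.0.0 10.2.200.1 1",
    "route Default 0.0.0.0 0.0.0.0 10.10.0.17 1",
    "route M2M_DMZ 203.0.113.7 255.255.255.255 10.2.200.1 1",
    "crypto ikev2 enable WAN_DMZ",
    "crypto ikev2 enable M2M_DMZ",
]


def parse_config(lines):
    """Pull static routes and IKEv2-enabled interfaces out of ASA-style config text.

    Returns (routes, ikev2_ifaces): routes is a list of (iface, ip_network,
    next_hop) tuples, ikev2_ifaces is the set of nameifs with IKEv2 enabled.
    """
    routes = []
    ikev2_ifaces = set()
    for line in lines:
        parts = line.split()
        # "route <iface> <network> <mask> <gateway> [metric]"
        if len(parts) >= 5 and parts[0] == "route":
            iface, net, mask, next_hop = parts[1:5]
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            routes.append((iface, network, next_hop))
        # "crypto ikev2 enable <iface>"
        elif len(parts) == 4 and parts[:3] == ["crypto", "ikev2", "enable"]:
            ikev2_ifaces.add(parts[3])
    return routes, ikev2_ifaces


def egress_for_peer(peer, routes):
    """Longest-prefix match over the static routes.

    Returns (iface, next_hop, prefixlen) for the most specific route covering
    the peer address, or None if no route matches (no default route present).
    """
    addr = ipaddress.ip_address(peer)
    best = None
    for iface, network, next_hop in routes:
        if addr in network and (best is None or network.prefixlen > best[2]):
            best = (iface, next_hop, network.prefixlen)
    return best


def check_peer(peer, routes, ikev2_ifaces):
    """Report which interface a tunnel to `peer` would leave on and whether
    IKEv2 is enabled there. A peer matched only by the default route goes out
    that route's interface, which is the situation the replies warn about."""
    match = egress_for_peer(peer, routes)
    if match is None:
        return {"peer": peer, "iface": None, "next_hop": None,
                "prefixlen": None, "ikev2_enabled": False}
    iface, next_hop, prefixlen = match
    return {"peer": peer, "iface": iface, "next_hop": next_hop,
            "prefixlen": prefixlen, "ikev2_enabled": iface in ikev2_ifaces}


if __name__ == "__main__":
    routes, ikev2_ifaces = parse_config(CONFIG_LINES)
    # Constructed peers: one behind each /16, the /32 host route, and one
    # that only the default route covers (no IKEv2 enabled on "Default").
    for peer in ("10.1.2.1", "192.168.5.1", "203.0.113.7", "198.51.100.9"):
        print(check_peer(peer, routes, ikev2_ifaces))
```

Running it shows the two /16 routes sending 10.1.2.1 out WAN_DMZ and 192.168.5.1 out M2M_DMZ, the /32 winning over the default route for 203.0.113.7, and a peer covered only by the default route being flagged because IKEv2 is not enabled on that interface. The same check is a quick way to confirm, before adding a new peer, that its address is actually covered by a route on the intended interface rather than falling through to the default.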