Issue with Site-site vpn

Zeusrandeep
Level 1

Hello,

I have VPN connectivity to the branch office from both the primary and secondary ASAs. In case of any failure of the primary ASA I will reroute traffic to the secondary. For that I will also clear the existing VPN tunnel using clear crypto isakmp sa peer (primaryasa-ip). But I am still not able to pass traffic through the secondary VPN tunnel. When I check on the branch office ASA it is still getting hits on the crypto ACL to the primary ASA. What do I have to do to get the hits on the secondary crypto ACL? Or do I need to remove the primary crypto ACL from the crypto map of the branch office to get it done?

Thanks,

(Attachment: Capture.PNG)

4 Replies

Fabio Jorge
Level 1

Hello Zeus,

First of all I would like to know if you are using LAN failover between your "Primary and Secondary ASA". It's the best practice, because your remote site then has a single outside IP address for ISAKMP and IPsec termination. But if you aren't using failover you are using standalone devices, so you have two inside and two outside IP addresses, which is not easy to administer. Anyway, let's go to the procedure to configure the VPN L2L to the primary and secondary ASA.

On your Branch office ASA you need to configure the following configuration:

This example is for the case where you have the two network segments 10.2.10.0 and 10.2.20.0 behind both ASAs:

access-list CryptoMap_VPN_L2L extended permit ip 192.168.10.0 255.255.255.0 10.2.20.0 255.255.255.0
access-list CryptoMap_VPN_L2L extended permit ip 192.168.10.0 255.255.255.0 10.2.10.0 255.255.255.0
!
crypto map OUTSIDE_map 1 match address CryptoMap_VPN_L2L
crypto map OUTSIDE_map 1 set pfs
crypto map OUTSIDE_map 1 set peer 200.200.200.200 200.200.200.201
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 1 set security-association lifetime seconds 28800
!
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 general-attributes
 default-group-policy GP_L2L_GENERAL
tunnel-group 200.200.200.200 ipsec-attributes
 pre-shared-key 123456
!
tunnel-group 200.200.200.201 type ipsec-l2l
tunnel-group 200.200.200.201 general-attributes
 default-group-policy GP_L2L_GENERAL
tunnel-group 200.200.200.201 ipsec-attributes
 pre-shared-key 123456
!
object-group network gp_redes_no-nat
 network-object 10.2.10.0 255.255.255.0
 network-object 10.2.20.0 255.255.255.0
!
access-list VPN_NONAT extended permit ip 192.168.10.0 255.255.255.0 object-group gp_redes_no-nat
!
nat (INSIDE) 0 access-list VPN_NONAT

IP address example:

Primary ASA:   200.200.200.200
Secondary ASA: 200.200.200.201

========================================================================================================

This example is for the following design: network segment 10.2.10.0 behind the secondary ASA and 10.2.20.0 behind the primary ASA:

access-list CryptoMap_VPN_L2L-ASAPRI extended permit ip 192.168.10.0 255.255.255.0 10.2.20.0 255.255.255.0
access-list CryptoMap_VPN_L2L-ASASEC extended permit ip 192.168.10.0 255.255.255.0 10.2.10.0 255.255.255.0
!
crypto map OUTSIDE_map 1 match address CryptoMap_VPN_L2L-ASAPRI
crypto map OUTSIDE_map 1 set peer 200.200.200.200
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 1 set security-association lifetime seconds 28800
!
! The second peer needs its own sequence number; reusing 1 would overwrite the entry above.
crypto map OUTSIDE_map 2 match address CryptoMap_VPN_L2L-ASASEC
crypto map OUTSIDE_map 2 set peer 200.200.200.201
crypto map OUTSIDE_map 2 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 2 set security-association lifetime seconds 28800
!
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 general-attributes
 default-group-policy GP_L2L_GENERAL
tunnel-group 200.200.200.200 ipsec-attributes
 pre-shared-key 123456
!
tunnel-group 200.200.200.201 type ipsec-l2l
tunnel-group 200.200.200.201 general-attributes
 default-group-policy GP_L2L_GENERAL
tunnel-group 200.200.200.201 ipsec-attributes
 pre-shared-key 123456
!
object-group network gp_redes_no-nat
 network-object 10.2.10.0 255.255.255.0
 network-object 10.2.20.0 255.255.255.0
!
access-list VPN_NONAT extended permit ip 192.168.10.0 255.255.255.0 object-group gp_redes_no-nat
!
nat (INSIDE) 0 access-list VPN_NONAT

IP address example:

Primary ASA:   200.200.200.200
Secondary ASA: 200.200.200.201
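The behaviour behind the original question can be seen by modelling how the ASA chooses a crypto map entry: entries are evaluated in ascending sequence order and the first ACE that matches the flow wins, without regard to whether that entry's peer is currently up. The Python script below is an added example, not Cisco's code and not anything posted in this thread; the two configurations inside it are constructed samples modelled on the two layouts discussed here (one crypto map entry per headend with identical crypto ACLs, versus one entry listing both peers), and the peer addresses are the placeholder values from the reply above. It shows that with separate entries carrying the same networks the second entry is never selected, so its peer is never used, while the single-entry layout leaves the ASA free to fall back to the backup peer.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (not from the thread): a branch ASA with one crypto map
# entry per headend, both entries carrying the same crypto ACL networks.
# This mirrors the "separate crypto policy for both VPNs" layout.
SEPARATE_ENTRIES = """
access-list VPN_PRI extended permit ip 192.168.10.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list VPN_PRI extended permit ip 192.168.10.0 255.255.255.0 10.2.20.0 255.255.255.0
access-list VPN_SEC extended permit ip 192.168.10.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list VPN_SEC extended permit ip 192.168.10.0 255.255.255.0 10.2.20.0 255.255.255.0
crypto map OUTSIDE_map 1 match address VPN_PRI
crypto map OUTSIDE_map 1 set peer 200.200.200.200
crypto map OUTSIDE_map 2 match address VPN_SEC
crypto map OUTSIDE_map 2 set peer 200.200.200.201
"""

# Constructed sample: a single entry that lists the secondary ASA as backup peer.
BACKUP_PEER = """
access-list CryptoMap_VPN_L2L extended permit ip 192.168.10.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list CryptoMap_VPN_L2L extended permit ip 192.168.10.0 255.255.255.0 10.2.20.0 255.255.255.0
crypto map OUTSIDE_map 1 match address CryptoMap_VPN_L2L
crypto map OUTSIDE_map 1 set peer 200.200.200.200 200.200.200.201
"""

ACE_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"crypto map (\S+) (\d+) set peer (.+)$")


def parse_config(text):
    """Return (acls, cmap): acls maps ACL name -> [(src_net, dst_net)];
    cmap maps (map name, sequence) -> {"acl": name, "peers": [ip, ...]}."""
    acls = defaultdict(list)
    cmap = defaultdict(lambda: {"acl": None, "peers": []})
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{s_ip}/{s_mask}", strict=False),
                               ipaddress.ip_network(f"{d_ip}/{d_mask}", strict=False)))
        elif m := MATCH_RE.match(line):
            cmap[(m[1], int(m[2]))]["acl"] = m[3]
        elif m := PEER_RE.match(line):
            cmap[(m[1], int(m[2]))]["peers"] = m[3].split()
    return dict(acls), dict(cmap)


def select_entry(acls, cmap, map_name, src, dst):
    """Pick the entry for a flow the way the ASA does: walk entries in
    ascending sequence order and stop at the first ACE hit. Whether the
    entry's peer is reachable plays no part in the choice."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, seq in sorted(cmap):
        if name != map_name:
            continue
        entry = cmap[(name, seq)]
        for s_net, d_net in acls.get(entry["acl"], []):
            if src in s_net and dst in d_net:
                return seq, entry["peers"]
    return None


def shadowed_entries(acls, cmap, map_name):
    """Sequences whose every ACE sits inside an ACE of an earlier entry of
    the same map: no flow can ever select them, so their peer is never used."""
    earlier, shadowed = [], []
    for name, seq in sorted(cmap):
        if name != map_name:
            continue
        aces = acls.get(cmap[(name, seq)]["acl"], [])
        if aces and all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in earlier)
                        for s, d in aces):
            shadowed.append(seq)
        earlier.extend(aces)
    return shadowed


if __name__ == "__main__":
    for label, cfg in (("separate entries", SEPARATE_ENTRIES), ("backup peer", BACKUP_PEER)):
        acls, cmap = parse_config(cfg)
        print(label, "->", select_entry(acls, cmap, "OUTSIDE_map", "192.168.10.5", "10.2.20.9"),
              "shadowed:", shadowed_entries(acls, cmap, "OUTSIDE_map"))
```

Running it reports sequence 2 as shadowed for the separate-entry layout: every flow from 192.168.10.0/24 to the headend networks hits sequence 1 and is sent to the primary peer, which is exactly the "hits only on the primary crypto ACL" symptom. Clearing the ISAKMP SA does not change that, because the choice of entry happens before any tunnel state is consulted. The backup-peer layout has no shadowed entry and returns both peers for the same flow.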

Thanks for the help.

I don't have any failover enabled on the ASA device. So I am using the first scenario here (same subnets behind both devices). But instead of configuring a backup peer IP, I used a separate crypto policy for both VPNs. Anyway, thanks for pointing out the possibility of giving the two peer IPs in the same policy. So I have one doubt: in case of any latency fluctuation, how can I move all VPN traffic to the secondary ASA? Only rerouting the traffic via the secondary ASA will make the VPN work.

I also want to know the use of the "crypto map OUTSIDE_map 1 set pfs" command.

Thanks,

Dear Fabio,

access-list CryptoMap_VPN_L2L extended permit ip 192.168.10.0 255.255.255.0 10.2.20.0 255.255.255.0
access-list CryptoMap_VPN_L2L extended permit ip 192.168.10.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list VPN_NONAT extended permit ip 192.168.10.0 255.255.255.0 object-group gp_redes_no-nat

You have to deny the IP in the NAT access list.

Hardik Vaidh
Level 1

Dear Zeusrandeep,

Make two different crypto policies and two different NAT configurations for the two different ISPs or public IPs, with those two IPs routed in one LAN network.

And make sure about the access lists, because you have to make two access lists: one for NAT and the other for crypto.

In the crypto access list you have to configure a permit for your remote IP, and the same IP you have to deny in the NAT access list.

Try it; I hope it will work.