Multiple VPNs to same destination

Reece Boucher
Level 1

Greetings,

I have a pair of ASA5510s that are used to terminate IPSec LAN-LAN VPNs (active-standby) using static routing. I have a trading partner who wants to have a primary and a failover VPN (he has 2 different endpoints) so I understand I will need to set up 2 different VPNs.

My issue is with the routing. How do I get traffic to use the primary link all the time and only bring up the secondary when the primary fails? And to fail over back to the primary again when it is restored?

Weighted routes were mentioned (won't cover the fail-back) but the destination is the same in both instances (next hop is the external gateway address).

Thanks heaps.

Reece.

3 Replies

angmuril
Cisco Employee

Hi Reece,

You can use the crypto map command to add both IP addresses in the remote end:

"crypto map <mapname> <#> set peer <x.x.x.x> <y.y.y.y>"

The ASA will try to negotiate with peer "x.x.x.x".

If "x.x.x.x" is down or doesn't respond, it will try to negotiate with "y.y.y.y".

Let me know if that helps!

Thanks heaps.  

Another valuable piece of information to help me out.

Reece,

I forgot to tell you that you need to configure a tunnel-group for "y.y.y.y" as well with the pre-shared-key.
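
The two replies above amount to one check: every address listed on a "crypto map ... set peer" line needs its own LAN-to-LAN tunnel-group holding a pre-shared key. The script below is an added example, not part of the original thread or any Cisco tooling; it audits a saved ASA configuration for that condition. The map name, ACL name, sequence number and addresses in the sample are constructed placeholders, and it assumes pre-shared-key authentication with tunnel-groups named by peer IP address.

```python
import re

# Constructed sample ASA configuration (names, addresses and map number are
# placeholders; the backup peer deliberately has no tunnel-group).
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address PARTNER_ACL
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10 198.51.100.20
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l\s*$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")


def audit_backup_peers(config: str) -> list[str]:
    """Return one finding per crypto map peer lacking a usable tunnel-group."""
    peers = []            # (map name, sequence, peer) in configured order
    l2l_groups = set()    # peers that have an ipsec-l2l tunnel-group
    keyed_groups = set()  # peers whose ipsec-attributes hold a pre-shared key
    current = None        # tunnel-group whose sub-mode we are inside
    for line in config.splitlines():
        if line.startswith(" "):
            # Indented lines belong to the preceding sub-mode; this matches
            # both "pre-shared-key" and "ikev1 pre-shared-key" forms.
            if current and "pre-shared-key" in line:
                keyed_groups.add(current)
            continue
        current = None
        if m := PEER_RE.match(line):
            peers += [(m.group(1), m.group(2), p) for p in m.group(3).split()]
        elif m := TG_TYPE_RE.match(line):
            l2l_groups.add(m.group(1))
        elif m := TG_ATTR_RE.match(line):
            current = m.group(1)
    findings = []
    for name, seq, peer in peers:
        if peer not in l2l_groups:
            findings.append(f"{name} {seq}: peer {peer} has no ipsec-l2l tunnel-group")
        elif peer not in keyed_groups:
            findings.append(f"{name} {seq}: peer {peer} has no pre-shared-key")
    return findings


if __name__ == "__main__":
    for finding in audit_backup_peers(SAMPLE_CONFIG):
        print(finding)
```

An empty result means every primary and backup peer in the configuration has a matching tunnel-group with a key configured.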