Redundant VPN Tunnels

Greetings All,

I'm trying to figure out if it is possible to set up redundant VPN tunnels for the remote end. One of my customers is purchasing devices for their remote locations that have both a wired and a wireless connection, each connection having its own IP address. So the scenario would look something like:

Home Office:

Local Network: 192.168.1.0/24

External IP address: 1.1.1.1

Remote Location:

Local Network: 192.168.2.0/24

External IP address wired: 2.2.2.2

External IP address wireless: 5.5.5.5

Is it possible to configure the ASA5510 to initiate a VPN tunnel to 2.2.2.2 by default, but if unable to establish a tunnel, attempt to connect to 5.5.5.5 instead?

Thanks for any advice you can provide.

1 Reply

Dinesh Moudgil
Cisco Employee

Hi Kyle,

You can set up the redundant VPN tunnels with the help of SLA monitoring. SLA monitoring defines which interface would be active and accordingly with which IP the tunnel would be negotiated.
On your side, you can set the primary and backup peers with this command:

crypto map <map-name> <seq-num> set peer <primary-peer-ip> <backup-peer-ip>

Along with this, we need to create two tunnel groups for both the peers.

On the remote end, SLA monitoring will be configured and the crypto map should be enabled on both interfaces.

This can be achieved with the following commands:

crypto map <map-name> interface primary
crypto map <map-name> interface secondary

sla monitor x
 type echo protocol ipIcmpEcho <target-ip> interface primary
 num-packets 3
 frequency 10
sla monitor schedule x life forever start-time now

track 1 rtr x reachability

route primary 0.0.0.0 0.0.0.0 172.16.10.10 1 track 1
route backup 0.0.0.0 0.0.0.0 172.16.20.10 254

Please go through the given document, which explains the Redundant ISP configuration in detail:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Hope that helps.

Regards,

Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
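
The setup described in the reply, written out for the addresses in the question as an added example (not part of the original reply or of the linked Cisco document). Assumed and not from the thread: both ends are ASAs running 8.4 or later with IKEv1, the interface names, the names in capitals and the crypto parameters; values in angle brackets are placeholders.

```cisco
! ===== Home office ASA (public 1.1.1.1, LAN 192.168.1.0/24) =====
! Assumed: nameif "outside"; ASA 8.4+ IKEv1 syntax; names in capitals are made up.
access-list L2L-REMOTE extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map HQ-MAP 10 match address L2L-REMOTE
! Peers are tried in order: wired address first, wireless second.
crypto map HQ-MAP 10 set peer 2.2.2.2 5.5.5.5
crypto map HQ-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map HQ-MAP interface outside
! One tunnel group per remote address, so either source address can authenticate.
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <psk-placeholder>
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
 ikev1 pre-shared-key <psk-placeholder>

! ===== Remote ASA (wired 2.2.2.2, wireless 5.5.5.5, LAN 192.168.2.0/24) =====
! Assumed: nameif "primary" (wired) and "backup" (wireless).
! IKEv1 policy and transform set: same as on the home office ASA.
access-list L2L-HQ extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ikev1 enable primary
crypto ikev1 enable backup
crypto map BR-MAP 10 match address L2L-HQ
crypto map BR-MAP 10 set peer 1.1.1.1
crypto map BR-MAP 10 set ikev1 transform-set TS-AES256-SHA
! Same crypto map on both uplinks, so the tunnel follows the active default route.
crypto map BR-MAP interface primary
crypto map BR-MAP interface backup
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <psk-placeholder>
! Probe through the wired link; losing the probe withdraws the tracked route.
sla monitor 1
 type echo protocol ipIcmpEcho <probe-target-ip> interface primary
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route primary 0.0.0.0 0.0.0.0 <wired-gateway-ip> 1 track 1
route backup 0.0.0.0 0.0.0.0 <wireless-gateway-ip> 254
```

NAT exemption for traffic between the two LANs is left out because its syntax depends on the ASA version. `show track` and `show crypto isakmp sa` on the remote ASA show which uplink is active and which address the tunnel was negotiated from.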