Resilient ASA IPSec Solution

drbabbers
Level 3

Here is the scenario...

I have a client site with a Cisco ASA 5505 VPN that has a single IPSec tunnel back to a HQ VPN.

I would like to introduce a 2nd tunnel from the client site to another HQ location that advertises the same set of routes.

From an ASA VPN point of view, what is the best approach for this?

Load balancing or an Active/Standby approach will be acceptable.

I'm curious to know how 2 static VPN tunnels will work side by side with the same crypto maps. Will this even work?

Can I influence this using good old-fashioned routing?

Help! :P

Thanks!

D

5 Replies

If you want anything fancy with routing, you should build your VPNs with routers and use IPSec tunnel interfaces.

For the ASA, the options are limited. If both destinations have the same internal addresses, you have to add a second peer to your existing crypto-map sequence. If the first peer is not reachable any more, the second peer is used.

Hi Karsten,

It sounds like your 2nd option will do the job! How do I add a second peer to an existing crypto-map sequence?

Thanks!

D

Just issue the actual "set peer" command a second time with the additional address.

After that your crypto map sequence holds both peers. The first one will be the primary by default.
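As an added example (not posted by anyone in this thread), this is the ASA 8.4+ style configuration that the reply above describes: one crypto map sequence holding two HQ peers, plus a tunnel-group per peer so each has its own pre-shared key and dead-peer detection. The peer addresses, subnets, object names and transform set are placeholders assumed for illustration; NAT exemption and the IKEv1 policy are assumed to exist already.

```cisco
! Added example, not from the thread. Placeholders: 198.51.100.1 = primary HQ peer,
! 198.51.100.2 = secondary HQ peer, 10.1.0.0/24 = client LAN, 10.0.0.0/16 = HQ LAN.

! Same interesting traffic for both HQ sites, since both advertise the same routes
access-list HQ_VPN extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.0.0

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! One crypto map sequence, two peers: the first listed is primary and the second
! is only tried when the first stops answering IKE keepalives
crypto map outside_map 10 match address HQ_VPN
crypto map outside_map 10 set peer 198.51.100.1 198.51.100.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside

! A tunnel-group per peer, each with its own key; keepalives drive the failover
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <key-for-primary-hq>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key <key-for-secondary-hq>
 isakmp keepalive threshold 10 retry 2

! Verification: sequence 10 should list both peers, and only one IKE SA should be
! up at a time (the primary under normal conditions)
show crypto map
show crypto ikev1 sa
```

Failover here is Active/Standby only: traffic moves to the second peer after the primary is declared dead, and falls back only when the current tunnel to the secondary goes down.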

Thanks Karsten. I think I have located this in the ASDM.

Site to Site VPN -> Advanced -> Crypto Maps -> Edit ->

'IP Address of Peer to be added: _ _ _ _'

Does this sound about right?

D

Yes, that's where the second peer has to be added.