Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
167
Views
0
Helpful
1
Replies

Router config for VPN with backup ISP

tahscolony
Level 1
Level 1

‎06-11-2015 01:43 PM

I am not sure how to word it so search can find it, but what I am looking for is how to configure a router to have a primary VPN to an ASA, and if the primary ISP fails, to switch the VPN over to the backup ISP.  The ASA side is not an issue, set peer with both addresses, its the router side I am trying to decipher. Use SLA to fail over routing to the standby circuit, but how do I force the VPN to use that interface and switch back once the other ISP is back in service without any intervention?

 

Everything I have found so far is for the ASA to have dual ISP, and that is the opposite of what I need. The ASA is set as a failover cluster with BGP taking care of the publics during an event.

Labels:
0 Helpful
1 Reply 1

Rejohn Cuares
Level 4
Level 4

‎06-11-2015 09:51 PM

Follow this guide:

http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html

 

Then on your crypto map and crypto key you define the second peer.

 

crypto isakmp key TUNNEL1KEY address PRIMARY-IP

crypto isakmp key TUNNEL2KEY address SECONDARY-IP

!
crypto map mymap 10 ipsec-isakmp
 set peer  PRIMARY-IP default
 set peer SECONDARY-IP
 set transform-set myset
 match address 100
!

 

Please rate replies and mark question as "answered" if applicable.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents