Let me first start off by thanking anyone who can help me get this figured out :-)
So I'm trying to set up a site to site tunnel between two ASA's, but it's going to be used as a backup (since they are already connected by an MPLS cloud). So basically, this will be needed only if the MPLS cloud fails in any way. I realize that getting that to work dynamically may be pretty difficult, but that part of it is for another day. :-)
I used ASDM to create the tunnels using the wizard which is pretty standard. However, I'm having a hard time with getting the tunnel to come up in the first place. With the MPLS tunnel active, the packets will simply default towards that direction and so I can't even get initial traffic to pass over the tunnel to 'tell' it to initiate the tunnel.
I have access to CLI, but I'm more of an IOS guy so trying to set up a simple static route to pass traffic over the tunnel eludes me.
Anyone have any ideas?
If the 'inside' interface is part of the traffic that can initiate the VPN tunnel, try pinging from that interface to something across the tunnel -
ping inside X.X.X.X
Which would tell the ASA, in theory, to ping something across the tunnel from it's LAN interface, and if that's part of your crypto ACL, it should kick off crypto.
Otherwise, maybe you can create a loopback on a router and policy-route some traffic from that loopback over that firewall to bring the tunnel up.
Thank you for taking a look into this. The problem I see with using the inside interface when initiating my ping, is the fact that the VPN is simply designed to allow traffic that is already known. So for example:
[ASA]----10.0.1.0/24---MPLS CLOUD---10.0.2.0/24---[ASA]. (these are fake IP's but the idea is the same)
When the MPLS cloud 'breaks' I will want 10.0.1.0/24 to use the VPN tunnel to talk to 10.0.2.0/24. But as of now, if I ping using the 'inside' interface, that will simply traverse the MPLS link as long as it's not broken, is that right?
Also, I'd love to make some loopbacks but I found no way to do it in the GUI and I guess I haven't found a way to use the CLI to do so. But I will check again as far as that goes.
"I realize that getting that to work dynamically may be pretty difficult, but that part of it is for another day. :-)"
I read this thread, so I thought I could share some of my experience.
Well, what is that you are trying to achieve is a workable solution. When you have just plane IPSec tunnel, that tunnel will come up, when there is a traffic initiated by either end of the tunnel.
But now bigger question, how the same network segment be available via the MPLS cloud and be ready standby to take over via the IPSec tunnel, should there be failure of the MPLS cloud. This is where, dynamic routing protocol come into equation.
The simplest way to achieve what is that you are trying to do is by introducing dynamic routing protocol in the network and peer-over routing-peer via GRE over IPSec tunnel. Your ASA will carry your IPSec tunnel, but GRE tunnel with encapsulate your private-ip segments.
All your internal networks will be accessible and visible from both end to end, via GRE over IPSec, and it will fails over should MPLS breaks down, by manipulating cost of routes.
I hope that helps.
Thanks Rizwan for your assistance.
I understand that introducing dynamic routing protocols is the best way to implement this solution. In fact, considering the current static route architecture I understand that unless the actually physical link goes down, it will not know to reroute the traffice and will still try to send it over the current link leading to the MPLS cloud.
I guess my main questions was trying to determine a way to get this IPSec tunnel up just to ensure that it works without breaking the current LAN. I know the setting are pretty simple, but I just want to make sure the tunnel comes up so I can worry about the routing situation later.
Is there any way to get this tunnel to initiate without forcing traffic over it by breaking the MPLS link?
Yes you can establish the tunnel between two ends, without disturbing MPLS routes.
You have to create one loopback interface from both ends, ideally on /32 mask, and your ASA can push these two networks (i.e. loopbacks) in IPSec tunnel. So, you will have tunnel up end to end and undisturbed MPLS routes.
As you know, you cannot push MPLS routes statically via IPSec tunnel, while MPLS circuit is up running well.
I hop that make sense.