Site to Site IPSEC VPN For multisite with dual ISP Failover

abhishek.shah
Level 1

Hi everyone,

I have a total of 6 ASA 5505s; I already built failover with dual ISP. Now I want to configure site-to-site VPN for all 3 sites. Each site has 2 firewalls.

I just built a config for site-to-site VPN; here is the config for one site.

local IP: 172.16.100.0
public IP: 10.5.1.101, 10.6.1.101

remote local IP: 172.16.101.0
remote public IP: 10.3.1.101, 10.4.1.101

remote local IP: 192.168.0.0
remote public IP: 10.1.1.101, 10.2.1.101

Tunnel configuration on the first 2 firewalls:

access-list vpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list backupvpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list vpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list backupvpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
!
crypto ipsec transform-set my-set1 esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn1
crypto map outside_map 1 set peer 10.3.1.101
crypto map outside_map 1 set transform-set my-set1
crypto map outside_map interface outside
!
crypto map outside_map 2 match address backupvpn1
crypto map outside_map 2 set peer 10.4.1.101
crypto map outside_map 2 set transform-set my-set1
crypto map outside_map interface backup
!
crypto ipsec transform-set my-set2 esp-3des esp-sha-hmac
crypto map outside_map 3 match address vpn2
crypto map outside_map 3 set peer 10.1.1.101
crypto map outside_map 3 set transform-set my-set2
crypto map outside_map interface outside
!
crypto map outside_map 4 match address backupvpn2
crypto map outside_map 4 set peer 10.2.1.101
crypto map outside_map 4 set transform-set my-set2
crypto map outside_map interface backup
!
tunnel-group 10.3.1.101 type ipsec-l2l
tunnel-group 10.3.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
tunnel-group 10.4.1.101 type ipsec-l2l
tunnel-group 10.4.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
tunnel-group 10.1.1.101 type ipsec-l2l
tunnel-group 10.1.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
tunnel-group 10.2.1.101 type ipsec-l2l
tunnel-group 10.2.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
mtu backup 1500

If this is correct, then what should I configure on the other side? I mean the complete opposite of this. Should my crypto map address name vpn1 match on the other side or not?

Any suggestion is good.

Thanks...


Hi,

The interesting traffic on the other side should be a mirror of this side.

The crypto map name does not need to match on the other end.

When you need multiple peers, you use a unique crypto map name with several instances (as you have it).

The other important part is the routing.

The routes will decide which interface to use to negotiate the tunnel and fallback to the backup.

Federico.

Thanks for the reply.

My other side config is like this. I just want to know where I need routing!

local IP: 172.16.101.0
public IP: 10.3.1.101, 10.4.1.101

remote local IP: 172.16.100.0
remote public IP: 10.5.1.101, 10.6.1.101

remote local IP: 192.168.0.0
remote public IP: 10.1.1.101, 10.2.1.101

Tunnel configuration on firewalls 3 and 4:

access-list vpn1 permit ip 172.16.101.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list backupvpn1 permit ip 172.16.101.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list vpn3 permit ip 172.16.101.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list backupvpn3 permit ip 172.16.101.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 172.16.101.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list nonat permit ip 172.16.101.0 255.255.255.0 192.168.0.0 255.255.255.0
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
!
crypto ipsec transform-set my-set1 esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn1
crypto map outside_map 1 set peer 10.5.1.101
crypto map outside_map 1 set transform-set my-set1
crypto map outside_map interface outside
!
crypto map outside_map 2 match address backupvpn1
crypto map outside_map 2 set peer 10.6.1.101
crypto map outside_map 2 set transform-set my-set1
crypto map outside_map interface backup
!
crypto ipsec transform-set my-set3 esp-3des esp-sha-hmac
crypto map outside_map 5 match address vpn3
crypto map outside_map 5 set peer 10.1.1.101
crypto map outside_map 5 set transform-set my-set3
crypto map outside_map interface outside
!
crypto map outside_map 6 match address backupvpn3
crypto map outside_map 6 set peer 10.2.1.101
crypto map outside_map 6 set transform-set my-set3
crypto map outside_map interface backup
!
tunnel-group 10.5.1.101 type ipsec-l2l
tunnel-group 10.5.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
tunnel-group 10.6.1.101 type ipsec-l2l
tunnel-group 10.6.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
tunnel-group 10.1.1.101 type ipsec-l2l
tunnel-group 10.1.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
tunnel-group 10.2.1.101 type ipsec-l2l
tunnel-group 10.2.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
mtu backup 1500

I configured the other side tunnel this way, so is that all I need to configure on the firewall, or do I need anything else for it to work?

What I mean with routing is that either with a routing protocol or static routes the ASA can choose between interfaces to establish the tunnel.


If the ASA has the crypto map applied to two interfaces, then one should be used as primary and the other as backup.

How will the ASA choose which one is preferred? Via routing.

If using a routing protocol, the ASA will know which interface to send the packets out each time, but if using static routes you need to modify the metric and configure IP SLA.

Federico.

Got it.

Thanks for your help.

Did you see my config in the last post; is that right or not? This config is the last config on the other two firewalls, so please tell me whether I configured it right or wrong.

local IP: 192.168.0.0
public IP: 10.3.1.101, 10.4.1.101

remote local IP: 172.16.100.0
remote public IP: 10.5.1.101, 10.6.1.101

remote local IP: 172.16.101.0
remote public IP: 10.3.1.101, 10.4.1.101

Tunnel configuration on firewalls 5 and 6:

access-list vpn2 permit ip 192.168.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list backupvpn2 permit ip 192.168.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list vpn3 permit ip 192.168.0.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list backupvpn3 permit ip 192.168.0.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 172.16.101.0 255.255.255.0
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
!
crypto ipsec transform-set my-set2 esp-3des esp-sha-hmac
crypto map outside_map 3 match address vpn2
crypto map outside_map 3 set peer 10.5.1.101
crypto map outside_map 3 set transform-set my-set2
crypto map outside_map interface outside
!
crypto map outside_map 4 match address backupvpn2
crypto map outside_map 4 set peer 10.6.1.101
crypto map outside_map 4 set transform-set my-set2
crypto map outside_map interface backup
!
crypto ipsec transform-set my-set3 esp-3des esp-sha-hmac
crypto map outside_map 5 match address vpn3
crypto map outside_map 5 set peer 10.3.1.101
crypto map outside_map 5 set transform-set my-set3
crypto map outside_map interface outside
!
crypto map outside_map 6 match address backupvpn3
crypto map outside_map 6 set peer 10.4.1.101
crypto map outside_map 6 set transform-set my-set3
crypto map outside_map interface backup
!
tunnel-group 10.5.1.101 type ipsec-l2l
tunnel-group 10.5.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
tunnel-group 10.6.1.101 type ipsec-l2l
tunnel-group 10.6.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
tunnel-group 10.3.1.101 type ipsec-l2l
tunnel-group 10.3.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
tunnel-group 10.4.1.101 type ipsec-l2l
tunnel-group 10.4.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
mtu backup 1500

I just want to know whether I need any more configuration or not.