05-18-2022 04:14 PM
In our environment we have two sites, each site is behind an ASA firewall. The sites are connected through a lower-speed WAN link (e.g. 10.70.0.1, 10.71.0.1) and a higher-speed leased line. I'd like to encrypt the traffic between the two sites but with the option of directing particular traffic through the lower-speed WAN link and directing other traffic through the higher-speed leased line.
The description of transport mode seemed like it would help me since I'd like to retain the original IP headers for routing purposes, but after setting up the VPN tunnel to be transport mode, the encryption has not been successful.
My current approach is to connect an additional physical interface (e.g. 10.20.0.1, 10.21.0.1) on each firewall to the WAN and have a different ACL for each interface to mark interesting traffic for encryption. This would allow me to leverage routing on the WAN to have one VPN tunnel take the leased line path and the other take the default routing path. However, after setting up a different crypto map and assigning it to the new interface, it seems the traffic does not go through the leased line interface.
I have also tried configuring a route-map with 2 different access-lists so that regular WAN traffic would be forwarded out the usual WAN interface and other Leased Line traffic would be forwarded out the new interface. However this doesn't seem to trigger the VPN tunnel to be established.
Am I missing some configuration or should I approach the problem in a different way?
There are a lot of configuration portions to it so I didn't want to make this question more bloated.
To clarify, I have successfully set up a single regular site-to-site tunnel between the two firewalls and was successful in creating an IKEv2 SA between them for interesting traffic. So I know the crypto, tunnel-group, NAT configurations started off correct.
05-23-2022 02:05 PM
Sorry for my Q: if we will finally use PBR, why then do we use VTI?
05-23-2022 02:21 PM - edited 05-23-2022 02:27 PM
It's a weird situation that I found myself in. The reason I need 2 VTIs is because I have 2 paths between Site A and Site B:
For my purposes, I need to set up encryption for all traffic between Site A and Site B, but if I were to only use regular VPN tunnels, then the tunnel would take the default internal network path (Path 1) and all traffic would end up going through that tunnel and cause issues since it has lower bandwidth. This led me to using VTIs, so I can have a separate tunnel, with separate IP addresses, so that I can leverage routing and have the tunnel take the leased line path (Path 2).
With the 2 tunnels set up, now I need PBR to decide what traffic I am comfortable encrypting and sending through the leased line (Path 2) and what traffic I'd like to encrypt and send through Path 1.
It could be that in my approach to solve the issue I made it more complicated.
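As an added example (not the poster's own configuration), this is the shape of the two-VTI plus PBR setup described above on the Site A ASA. It assumes the peer addresses from the question (10.71.0.1 reached over the WAN, 10.21.0.1 over the leased line), interface nameifs WAN and LEASED with the inside LAN on GigabitEthernet0/1, constructed tunnel /30s from 172.16.255.0/29, constructed LANs 192.168.10.0/24 (Site A) and 192.168.20.0/24 (Site B), and placeholder pre-shared keys.

```cisco
! Shared IKEv2 policy and IPsec proposal (assumed values, not from the thread)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
crypto ikev2 enable WAN
crypto ikev2 enable LEASED
! One tunnel-group per peer address; <PSK-...> are placeholders
tunnel-group 10.71.0.1 type ipsec-l2l
tunnel-group 10.71.0.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key <PSK-PATH1>
 ikev2 remote-authentication pre-shared-key <PSK-PATH1>
tunnel-group 10.21.0.1 type ipsec-l2l
tunnel-group 10.21.0.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key <PSK-PATH2>
 ikev2 remote-authentication pre-shared-key <PSK-PATH2>
! Path 1: VTI sourced from the regular WAN interface
interface Tunnel1
 nameif VTI-PATH1
 ip address 172.16.255.1 255.255.255.252
 tunnel source interface WAN
 tunnel destination 10.71.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
! Path 2: VTI sourced from the leased-line interface
interface Tunnel2
 nameif VTI-PATH2
 ip address 172.16.255.5 255.255.255.252
 tunnel source interface LEASED
 tunnel destination 10.21.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
! Default: Site B LAN goes over Path 1 via the Tunnel1 peer address
route VTI-PATH1 192.168.20.0 255.255.255.0 172.16.255.2 1
! PBR on the inside interface: only the matched flows are steered to Path 2
access-list PBR-LEASED extended permit ip host 192.168.10.50 192.168.20.0 255.255.255.0
route-map TO-LEASED permit 10
 match ip address PBR-LEASED
 set ip next-hop 172.16.255.6
interface GigabitEthernet0/1
 policy-route route-map TO-LEASED
```

Site B mirrors this with the addresses swapped; because a VTI is route-based, the static route and the PBR next-hop decide which tunnel a flow enters, so every flow to the remote LAN is encrypted and only the path differs.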
05-23-2022 02:33 PM
Thanks for your answer.
Glad that your issue is solved.