Site to site VPN between two datacenter from one location

Hi All,

Can anyone please help me out with the VPN config below.

I have two data centers, one on the 10.20.X.X network and the other on the 10.70.X.X network.

I am in the 172.10.X.X network. Between the two data centers I have a 1 Gig link. I need to create a site-to-site VPN from the 172.10.X.X network, so that when I access 10.20.X.X traffic it goes to that data center, and when I access the 10.70 network it goes to the other; and when one of the links fails, all the traffic should flow over the remaining link.

Can anyone help me with the configuration for it?

Regards

Pradeep Menon

6 Replies

Fabian Ortega
Level 1

Hello Pradeep,

I can help you with the configuration but I need more details.

1. Are you configuring this L2L VPN on an ASA or an IOS Device?

2. Please share the configuration parameters (Phase 1 and Phase 2) and encryption domains. If possible, the running configuration from the devices.

Thank you Fabian,

This is a completely new setup. We do have two or three ASAs for this config.

As mentioned, between 10.70 and 10.20 I have a 1 Gig link. I need a setup from the 172.28 network to both data centers which sends only the specific traffic, i.e. for the 10.70 network only 10.70 traffic is forwarded from 172.28, and for 10.20 only 10.20 traffic from the 172.28 network. And if the 10.70 link goes down, all traffic should go over the 10.20 link.

Let me know if you need any more detail.

Hello Pradeep,

I just need to know which device you need this configuration on so I can give you the proper commands (IOS and ASA commands are different). Please let me know the model and the firmware version the device is running. In this case we need to configure two devices, therefore I need the model and firmware version for both of them.

The 10.20 network has an ASA5520, Version 9.0(1).

The 10.70 network has an ASA5540, Version 9.1(5).

The 172.28 network has an ASA 5520, Version 9.0(1).

Any update, Fabian?

Can you please help me with the config?

Hello Pradeep,

This configuration is a template (do not copy and paste it, since it could overwrite an existing IPsec tunnel; please be careful when defining the sequence number on the crypto map and make sure there is no other entry using the same number, and likewise for the IKEv1 policy number.)

ASA5520, Version 9.0(1) Configuration:

object network INSIDE_NETWORK
 subnet 10.20.0.0 255.255.0.0
object network REMOTE_NETWORK
 subnet 10.70.0.0 255.255.0.0

access-list CRYPTOACL permit ip 10.20.0.0 255.255.0.0 10.70.0.0 255.255.0.0

group-policy GroupPolicy_<REPLACE WITH PEER IP> internal
group-policy GroupPolicy_<REPLACE WITH PEER IP> attributes

tunnel-group <REPLACE WITH PEER IP> type ipsec-l2l
tunnel-group <REPLACE WITH PEER IP> general-attributes
 default-group-policy GroupPolicy_<REPLACE WITH PEER IP>
tunnel-group <REPLACE WITH PEER IP> ipsec-attributes
 ikev1 pre-shared-key <REPLACE WITH PSK>

crypto ikev1 policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ikev1 enable outside

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 50 match address CRYPTOACL
crypto map outside_map 50 set peer <REPLACE WITH PEER IP>
crypto map outside_map 50 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside

nat (inside,outside) 1 source static INSIDE_NETWORK INSIDE_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK no-proxy-arp route-lookup

 

ASA5540, Version 9.1(5) Configuration:

object network INSIDE_NETWORK
 subnet 10.70.0.0 255.255.0.0
object network REMOTE_NETWORK
 subnet 10.20.0.0 255.255.0.0

access-list CRYPTOACL permit ip 10.70.0.0 255.255.0.0 10.20.0.0 255.255.0.0

group-policy GroupPolicy_<REPLACE WITH PEER IP> internal
group-policy GroupPolicy_<REPLACE WITH PEER IP> attributes

tunnel-group <REPLACE WITH PEER IP> type ipsec-l2l
tunnel-group <REPLACE WITH PEER IP> general-attributes
 default-group-policy GroupPolicy_<REPLACE WITH PEER IP>
tunnel-group <REPLACE WITH PEER IP> ipsec-attributes
 ikev1 pre-shared-key <REPLACE WITH PSK>

crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ikev1 enable outside

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 50 match address CRYPTOACL
crypto map outside_map 50 set peer <REPLACE WITH PEER IP>
crypto map outside_map 50 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside

nat (inside,outside) 1 source static INSIDE_NETWORK INSIDE_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK no-proxy-arp route-lookup
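The two templates above only bring a tunnel up if they are mirror images of each other: the crypto ACL on one side must be the reverse of the other, the transform set must be identical, and at least one IKEv1 policy on each side must propose the same authentication, encryption, hash and DH group. Fabian's caution about sequence numbers is the other thing that goes wrong when pasting into a live box, because the ASA silently overwrites an existing `crypto map outside_map 50` or `crypto ikev1 policy 10`. The Python below is an added example, not from this thread or from Cisco: it parses the relevant lines of two ASA snippets, reports mirror mismatches and unfilled `<REPLACE ...>` placeholders, flags the template's 3DES and DH group 2 as legacy, and lists the numbers a snippet would overwrite in a running config. The sample configs are generated from the thread's template; the peer addresses (198.51.100.1, 203.0.113.9, 192.0.2.77) and the `OLD_ACL` name in the running config are constructed for the example.

```python
"""Consistency check for a pair of ASA IKEv1 site-to-site (L2L) templates.

Added example, not from the thread or from Cisco: parses the lines that must
agree between two peers, reports unfilled <REPLACE ...> placeholders, flags
legacy algorithms, and lists crypto map / policy numbers a pasted snippet
would overwrite. Peer IPs and the running config below are constructed.
"""
IKE_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
LEGACY_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def parse(cfg):
    """Extract crypto ACLs, IKEv1 policies, transform sets and crypto map entries."""
    out = {"acl": {}, "policies": {}, "transform_sets": {}, "crypto_map": {}, "placeholders": 0}
    policy = None
    for words in filter(None, map(str.split, cfg.splitlines())):   # split() also drops loose spacing
        out["placeholders"] += sum(w.startswith("<REPLACE") for w in words)
        if words[:3] == ["crypto", "ikev1", "policy"]:
            policy = out["policies"].setdefault(int(words[3]), {})
            continue
        if policy is not None and words[0] in IKE_ATTRS:
            policy[words[0]] = words[1]          # indented attribute of the open policy block
            continue
        policy = None                            # any other command closes the block
        if words[0] == "access-list" and words[2:4] == ["permit", "ip"]:
            out["acl"].setdefault(words[1], []).append(tuple(words[4:8]))  # (src, mask, dst, mask)
        elif words[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            out["transform_sets"][words[4]] = tuple(sorted(words[5:]))
        elif words[:2] == ["crypto", "map"] and len(words) > 4 and words[3].isdigit():
            entry = out["crypto_map"].setdefault((words[2], int(words[3])), {})
            entry[" ".join(words[4:-1])] = words[-1]   # e.g. "set peer" -> "198.51.100.1"
    return out

def _mirror_entry(parsed, acl_entries):
    mirror = {(d, dm, s, sm) for s, sm, d, dm in acl_entries}   # the peer sees src/dst swapped
    for entry in parsed["crypto_map"].values():
        if set(parsed["acl"].get(entry.get("match address"), ())) == mirror:
            return entry
    return None

def review_pair(cfg_a, cfg_b):
    """Return (level, message) findings: 'error' stops the tunnel, 'warn' is hygiene."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for side, p in (("A", a), ("B", b)):
        if p["placeholders"]:
            findings.append(("error", f"{side}: {p['placeholders']} <REPLACE ...> placeholder(s) left"))
        for seq, attrs in p["policies"].items():
            for attr, weak in LEGACY_IKE.items():
                if attrs.get(attr) in weak:
                    findings.append(("warn", f"{side}: ikev1 policy {seq} uses legacy {attr} {attrs[attr]}"))
    for (name, seq), entry in a["crypto_map"].items():
        acl = a["acl"].get(entry.get("match address"), [])
        peer = _mirror_entry(b, acl) if acl else None
        if peer is None:
            findings.append(("error", f"{name} {seq} on A: no crypto map on B mirrors its crypto ACL"))
            continue
        ts_a = a["transform_sets"].get(entry.get("set ikev1 transform-set"))
        ts_b = b["transform_sets"].get(peer.get("set ikev1 transform-set"))
        if ts_a != ts_b:
            findings.append(("error", f"{name} {seq}: transform set {ts_a} on A vs {ts_b} on B"))
    # Phase 1 only completes if some policy on each side proposes the same suite.
    common = {tuple(v.get(k) for k in IKE_ATTRS[:4]) for v in a["policies"].values()} & \
             {tuple(v.get(k) for k in IKE_ATTRS[:4]) for v in b["policies"].values()}
    if not common:
        findings.append(("error", "no IKEv1 policy (auth/encryption/hash/group) common to both peers"))
    return findings

def sequence_conflicts(existing_cfg, new_cfg):
    """Crypto map and IKEv1 policy numbers a pasted snippet would silently overwrite."""
    old, new = parse(existing_cfg), parse(new_cfg)
    return {"crypto_map": sorted(set(old["crypto_map"]) & set(new["crypto_map"])),
            "ikev1_policy": sorted(set(old["policies"]) & set(new["policies"]))}

def l2l_template(local, remote, peer_ip, policy_seq, map_seq=50):
    """Constructed sample in the shape of the thread's template (/16 networks, IKEv1)."""
    return f"""
access-list CRYPTOACL permit ip {local} 255.255.0.0 {remote} 255.255.0.0
crypto ikev1 policy {policy_seq}
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map {map_seq} match address CRYPTOACL
crypto map outside_map {map_seq} set peer {peer_ip}
crypto map outside_map {map_seq} set ikev1 transform-set ESP-AES-128-SHA
"""

DC_A = l2l_template("10.20.0.0", "10.70.0.0", "198.51.100.1", policy_seq=50)  # ASA5520 side
DC_B = l2l_template("10.70.0.0", "10.20.0.0", "203.0.113.9", policy_seq=10)   # ASA5540 side
# Constructed running config that already uses outside_map 50 and policy 10 for another peer.
EXISTING = """
crypto ikev1 policy 10
 encryption aes-256
crypto map outside_map 50 match address OLD_ACL
crypto map outside_map 50 set peer 192.0.2.77
"""
```

Run `review_pair(DC_A, DC_B)` on the two samples and the only findings are four `warn` entries (3DES and DH group 2 on each side); change one side's transform set, DH group or crypto ACL and an `error` appears naming the mismatch. `sequence_conflicts(EXISTING, DC_B)` shows why Fabian's caution matters: pasting the 5540 template into that running config would overwrite both `outside_map 50` and `ikev1 policy 10`, so the numbers have to be changed before the paste, not after.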