
Site to site vpn with redundant ISPs


We have the following scenario on a Cisco ASA 5516:


Site A has 2 ISPs, ISP1 and ISP2, of which ISP1 is the main and ISP2 is the redundant one (with a different public IP).

Site B has 1 ISP and is using pfSense.

We have a site-to-site VPN configured using IPSec from Site A to Site B, which is configured on ISP1.


We need to configure a second, redundant VPN connection from Site A to Site B using the ISP2 connection. This will only be used in case the primary connection fails.

Is it possible to configure the 2nd VPN connection so that it will automatically kick in if the other connection fails?


2 Replies

Bogdan Nita
VIP Alumni

On the side with redundant ISPs, you can apply the same crypto map to both ISP interfaces and enable IKE on both interfaces as well, then let the routing decide which ISP should be used.

For routing you can use a static route with SLA; if you already have one in place, that can also be used. Just make sure you have identity NAT configured for the VPN destination on both ISP interfaces.

Not sure how to configure the pfSense, but if that were an ASA I would have both remote public IPs configured as peers on the crypto map.
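
The approach described in the reply above, sketched as ASA configuration. This is an added example, not part of the original thread and not the poster's own config. It assumes IKEv1, interface names `isp1`/`isp2`/`inside`, an existing crypto map called `SITEB-MAP`, network objects `SITEA-LAN`/`SITEB-LAN`, and documentation-range gateway addresses; the Site B (pfSense) side is not shown.

```cisco
! Assumed names (not from the thread): nameif isp1 / isp2 / inside,
! crypto map SITEB-MAP already carrying the Site B peer and ACL,
! objects SITEA-LAN and SITEB-LAN. Addresses are documentation ranges.

! 1. Same crypto map on both ISP interfaces, IKE enabled on both
crypto map SITEB-MAP interface isp1
crypto map SITEB-MAP interface isp2
crypto ikev1 enable isp1
crypto ikev1 enable isp2

! 2. SLA probe out of ISP1; the primary default route is withdrawn
!    when the probe fails, and the floating route via ISP2 takes over
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface isp1
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route isp1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route isp2 0.0.0.0 0.0.0.0 192.0.2.1 254

! 3. Identity NAT for the VPN destination on both ISP interfaces.
!    route-lookup makes the routing table, not the first matching
!    NAT rule, choose the egress interface.
nat (inside,isp1) source static SITEA-LAN SITEA-LAN destination static SITEB-LAN SITEB-LAN no-proxy-arp route-lookup
nat (inside,isp2) source static SITEA-LAN SITEA-LAN destination static SITEB-LAN SITEB-LAN no-proxy-arp route-lookup

! 4. Checks after a failover test
show track 1
show route
show crypto ikev1 sa
show crypto ipsec sa
```

After failover, `show crypto ipsec sa` should list the tunnel with the ISP2 address as the local crypto endpoint; if it still shows ISP1, the tracked route has not been withdrawn.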




I have the same problem and this is great news. So simple but makes sense.