04-20-2009 06:58 AM
Hello all,
I have an ASA 5510 with a l2l IPSEC tunnel active and working.
Now, I need to configure a "sleeping VPN tunnel" which will have a different peer and will not be active, and no traffic will be passed through this tunnel.
Did anybody do this?
Thanks
V
04-20-2009 10:10 AM
If you only want a tunnel that you bring up when there is something to go over it, then configure it to be an "originate" only tunnel and not a "bi-directional" one.
HTH>
04-20-2009 11:50 PM
I spoke to some guys more experienced than me and they suggested something like just configuring only phase 1.
Now that's not the problem, but my concern is, will this config meet my requirements??
Thanks,
V
04-21-2009 12:44 AM
At the end of the day only configuring phase 1 - it's what you have 90% done now, as you already have an existing VPN tunnel configured. The only difference is the tunnel group information with a pre-shared key.
To be totally honest why would you need to have a half configured VPN tunnel - you may as well not have anything configured until you need it, then cut and paste all the config in.
Or you could be smarter and create an originate-only tunnel - with or without a crypto acl to determine which traffic will create/traverse the VPN, or have multiple tunnels with a dynamic routing protocol deciding which is used - there are options, you just need to understand the problem/requirement.
04-21-2009 12:55 AM
Thanks Andrew!
04-21-2009 01:02 AM
np - glad to help, thanks for the rating.
04-21-2009 02:04 AM
Andrew-
I will have something like this.
access-list 85 extended permit ip host 219.x.x.x host 10.x.x.x
access-list 85 extended permit ip host 219.x.x.x host 10.x.x.x
access-list 85 extended permit ip host 219.x.x.x host 10.x.x.x
access-list 85 extended permit ip host 219.x.x.x host 10.x.x.x
crypto ipsec transform-set ttt esp-3des esp-sha-hmac
crypto map bbb 30 match address 85
crypto map bbb 30 set peer 210.x.x.x
crypto map bbb 30 set transform-set ttt
crypto map bbb 30 set security-association lifetime seconds 3600
crypto map bbb interface Outside
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 210.x.x.x type ipsec-l2l
tunnel-group 210.x.x.x ipsec-attributes
pre-shared-key *
crypto map bbb 31 set connection-type originate-only
crypto map bbb 31 match address 85
crypto map bbb 31 set peer 131.x.x.x
crypto map bbb 31 set transform-set ttt
crypto map bbb 31 set security-association lifetime seconds 3600
tunnel-group 131.x.x.x type ipsec-l2l
tunnel-group 131.x.x.x ipsec-attributes
pre-shared-key *
Just a question I forgot: how will these 2 fail over?
Thanks,
V
04-21-2009 02:11 AM
OK - if you want redundant VPN tunnels, as it appears from the above config, then just add the second peer to the crypto map 30 set.
This just means that if peer 210.x.x.x is down/unreachable then use the next peer.
crypto map bbb 30 set peer 210.x.x.x 131.x.x.x
HTH>
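The reason the reply moves the second peer into sequence 30 rather than keeping a separate sequence 31 is that both entries in the posted config match the same crypto ACL (85), and the ASA walks crypto map entries in sequence order, so traffic permitted by ACL 85 would only ever reach the peer(s) of sequence 30. The following script is an added example (not code from the thread or from Cisco) that parses a crypto map snippet and reports which sequences share an ACL and which peers that ACL's traffic actually uses. The two sample snippets are constructed from the masked addresses exactly as posted; the map and ACL names are the thread's own.

```python
"""Check ASA crypto map entries for a shared match ACL across sequences.

Added example, not code from the thread. It parses the 'crypto map'
lines of a config snippet and reports which sequences reference the
same crypto ACL: the ASA evaluates crypto map entries in sequence
order, so for traffic permitted by that ACL only the lowest sequence
(and its peer list) is ever used. The sample configs below are
constructed from the masked addresses exactly as posted in the thread.
"""
import re
from collections import defaultdict

# Only 'crypto map <name> <seq> ...' lines carry per-entry settings;
# 'crypto map <name> interface <if>' has no numeric seq and is skipped.
CRYPTO_MAP_RE = re.compile(r"^crypto map (?P<name>\S+) (?P<seq>\d+) (?P<rest>.+)$")


def parse_crypto_map(config: str) -> dict:
    """Return {(map_name, seq): {'acl', 'peers', 'originate_only'}}."""
    entries = defaultdict(lambda: {"acl": None, "peers": [], "originate_only": False})
    for raw in config.splitlines():
        m = CRYPTO_MAP_RE.match(raw.strip())
        if not m:
            continue
        entry = entries[(m["name"], int(m["seq"]))]
        words = m["rest"].split()
        if words[:2] == ["match", "address"]:
            entry["acl"] = words[2]
        elif words[:2] == ["set", "peer"]:
            # 'set peer a b' lists fallback peers in order of preference
            entry["peers"].extend(words[2:])
        elif "connection-type" in words and "originate-only" in words:
            entry["originate_only"] = True
    return dict(entries)


def shared_acls(entries: dict) -> dict:
    """ACL name -> sorted sequences matching on it, for ACLs used more than once."""
    by_acl = defaultdict(list)
    for (_, seq), entry in entries.items():
        if entry["acl"] is not None:
            by_acl[entry["acl"]].append(seq)
    return {acl: sorted(seqs) for acl, seqs in by_acl.items() if len(seqs) > 1}


def effective_peers(entries: dict, acl: str) -> list:
    """Peers that traffic matching 'acl' really reaches: those of the lowest sequence."""
    matching = [(seq, entry) for (_, seq), entry in entries.items() if entry["acl"] == acl]
    if not matching:
        return []
    return min(matching, key=lambda item: item[0])[1]["peers"]


def audit(config: str) -> dict:
    """Summarise ACL overlaps and the peers each ACL's traffic actually uses."""
    entries = parse_crypto_map(config)
    acls = {e["acl"] for e in entries.values() if e["acl"] is not None}
    return {
        "overlaps": shared_acls(entries),
        "effective": {acl: effective_peers(entries, acl) for acl in sorted(acls)},
    }


# Constructed sample: the two entries as posted, both matching ACL 85.
AS_POSTED = """
crypto map bbb 30 match address 85
crypto map bbb 30 set peer 210.x.x.x
crypto map bbb 30 set transform-set ttt
crypto map bbb interface Outside
crypto map bbb 31 set connection-type originate-only
crypto map bbb 31 match address 85
crypto map bbb 31 set peer 131.x.x.x
crypto map bbb 31 set transform-set ttt
"""

# Constructed sample: the reply's recommendation, one entry with two peers.
AS_RECOMMENDED = """
crypto map bbb 30 match address 85
crypto map bbb 30 set peer 210.x.x.x 131.x.x.x
crypto map bbb 30 set transform-set ttt
crypto map bbb interface Outside
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("as recommended", AS_RECOMMENDED)):
        print(label, audit(cfg))
```

Running it shows the posted layout reporting ACL 85 as shared by sequences 30 and 31 with only 210.x.x.x as an effective peer, while the recommended layout reports no overlap and both peers in preference order. The same check is useful after any edit to a busy crypto map, since a newly added sequence that reuses an existing ACL is silently shadowed rather than rejected by the ASA.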