08-13-2015 03:48 AM
Hi all, I'm doing a design where this remote branch will have two routers going back to a pair of ASAs. Only one router needs to be active at any one time. The goal of the design is to avoid extra peer configuration on the HQ ASAs (not needing two sets of VPN policy for each peer on the head end).
So from the branch side, we would like the source of the VPN traffic to appear from one IP. This IP will somehow be shared between the two units (loopback or other). Much like the way an ASA shares an IP for its VPN connection.
I'm thinking the two routers' external interfaces will be on the same subnet on a /29 running a gateway redundancy protocol (HSRP) with only one unit active. Is it possible to use one of the /29 IPs as a /32 on both units, as only one is active? This IP would be the VPN peer address shared between the two units. Also, I need to split some traffic to the internet and the remaining into the VPN.
This is not my first time configuring VPNs, but I wanted to know if there's a better solution, as there are so many options.
Thanks
K
08-13-2015 05:22 AM