10-22-2008 08:22 AM
I have two sites, both having two internet connections. At each site there is an ASA 5520, and I wish to create redundant VPN tunnels between the two ASAs. I would like to use ISP1 for the primary tunnel, and ISP2 for the secondary. Since the interesting traffic ACL for both tunnels will be the same, I saw someone using multiple "set peer" commands in the same crypto map, and defining multiple tunnel-group peers as well. I'm just wondering how the "set peer" commands will be used, i.e. will the first "set peer" command define the primary tunnel and then the 2nd command define the secondary tunnel? Anyone tried it before? Thanks in advance.
Example:
ASA at site A:
crypto map xxxmap 10 ipsec-isakmp
crypto map xxxmap 10 match address A_2_B
crypto map xxxmap 10 set peer 10.1.1.1 !--ISP1
crypto map xxxmap 10 set peer 192.168.1.1 !--ISP2
crypto map xxxmap 10 set transform-set xxxset
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
pre-shared-key *
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
pre-shared-key *
ASA at site B:
crypto map xxxmap 10 ipsec-isakmp
crypto map xxxmap 10 match address B_2_A
crypto map xxxmap 10 set peer 10.1.1.2 !--ISP1
crypto map xxxmap 10 set peer 192.168.1.2 !--ISP2
crypto map xxxmap 10 set transform-set xxxset
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
pre-shared-key *
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
pre-shared-key *
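As an added example, not posted by anyone in the thread: a small Python check over the site A configuration quoted above that confirms each "set peer" address in a crypto map entry has a matching ipsec-l2l tunnel-group with a pre-shared key, since a listed fallback peer without one can never negotiate when the primary goes away. The SITE_A text is the configuration from the first post; the regexes and function names are assumptions of this example.

```python
import re

# Site A configuration quoted from the post above; the "!--ISPx" remarks
# are the poster's, and the parser ignores anything after the peer address.
SITE_A = """
crypto map xxxmap 10 ipsec-isakmp
crypto map xxxmap 10 match address A_2_B
crypto map xxxmap 10 set peer 10.1.1.1 !--ISP1
crypto map xxxmap 10 set peer 192.168.1.1 !--ISP2
crypto map xxxmap 10 set transform-set xxxset
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
 pre-shared-key *
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key *
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)")
TG_RE = re.compile(r"^tunnel-group (\S+) (type \S+|ipsec-attributes)")
PSK_RE = re.compile(r"^\s*pre-shared-key \S+")

def parse(config):
    """Ordered peers per crypto-map entry, plus type/PSK state per tunnel-group."""
    peers, groups, current = {}, {}, None
    for line in config.splitlines():
        if m := PEER_RE.match(line):
            peers.setdefault((m[1], int(m[2])), []).append(m[3])
        elif m := TG_RE.match(line):
            current = groups.setdefault(m[1], {"type": None, "psk": False})
            if m[2].startswith("type "):
                current["type"] = m[2].split()[1]
        elif PSK_RE.match(line) and current is not None:
            current["psk"] = True
        else:
            current = None  # any other line ends the tunnel-group block
    return peers, groups

def check(config):
    """Report peers that could never negotiate; the first listed peer is the primary."""
    peers, groups = parse(config)
    findings = []
    for (name, seq), addrs in peers.items():
        for rank, addr in enumerate(addrs):
            role = "primary" if rank == 0 else "fallback"
            g = groups.get(addr, {"type": None, "psk": False})
            if g["type"] != "ipsec-l2l":
                findings.append(f"{name} {seq}: {role} peer {addr} has no ipsec-l2l tunnel-group")
            elif not g["psk"]:
                findings.append(f"{name} {seq}: {role} peer {addr} has no pre-shared-key")
    return findings
```

Run the same check against the site B configuration before pasting it in; a peer that passes on one side but is missing a tunnel-group on the other will only show up as a failed negotiation after the primary ISP drops.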
10-29-2008 12:24 PM
The "crypto dynamic-map set peer" is used to identify the peer in the dynamic crypto map entry by IP address, as defined by the name command.
03-02-2009 01:26 PM
Have you tried this setting? And did it work?
04-09-2009 06:20 AM
No, I didn't test it. But based on my understanding, multiple "set peer" commands may not be an ideal solution for tunnel redundancy. So I gave it up, and used some other solution.
04-10-2009 01:43 AM
Hi guys, I have to do the same setup. Has anyone tested it?
04-10-2009 03:52 AM
Hi All,
I haven't tried with multiple peer IPs. But I have posted a similar post and I got the answer to configure multiple peer IPs in the same crypto map. And after that we need to enable one more command, i.e. set peer default.
Wherein the VPN device will take the first peer IP as primary and whenever the primary is not reachable then it will try with the secondary.
But the problem with this setup is we need to manually switch over from secondary to primary once the primary comes up, and there is some downtime when the VPN device switches from the primary peer IP to the secondary.
One more way is to configure a dynamic routing protocol and configure GRE over IPsec.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a008009430a.shtml
Regards,
Suresh Kumar
04-10-2009 07:42 AM
This should work although I haven't done testing myself. It is no different from creating a tunnel to a second VPN peer. But, remember, this provides you VPN peer redundancy, not tunnel redundancy. The 2nd VPN peer should have exactly the same tunnel configuration to make it work, which may rely on the routing failover as well. Another concern is dead peer detection - how soon the 2nd peer is used after the 1st one is detected to be dead. Once these are sorted out and considered to meet your requirements, it should be a working solution.