Solved: Cisco ASA IPSEC VPN dual ISP

gaigl · ‎03-27-2023

Hello,

Situtation:

in the HQ we've a active/standby Firepower 2120 with ASA Software

in the Branch should be a Firepower 1010 with ASA Software

the HQ is redundant, the Branch has 2 ISP's; one leased Line with fix IP, one DSL-Backup (pppoe with fixed IP)

Now I need a IPSec L2L from Branch to HQ with failover to the DSL-Backup.

I've read I could (on Branch) enter both outside-interface in the Tunnel-Group, is this correct? Only on the CLI?

But how can I configure Tunnel-Group on HQ?

Any Help is appreciated, thank you

Rob Ingram · ‎04-03-2023

@gaigl so the VPN failed over to the secondary link and the IPSec SA were established correctly? If you have no encaps but some decaps that usually indicates a NAT or routing issue.

So the LAN switch routes all outbound traffic via the ASA, which then has a default route via the correct outside interface? Which should now be the secondary interface right?

Do you have a second NAT exemption rule specific to the secondary interface to ensure traffic is not unintentially translated?

Somthing like this:-

nat (inside,outside1) source static LAN LAN destination static REMOTE REMOTE
nat (inside,outside2) source static LAN LAN destination static REMOTE REMOTE

Provide the routing configuration changes you made, including the SLA/tracking.

View solution in original post

Rob Ingram · ‎03-28-2023

@gaigl you'd enable crypto on both outside interfaces of the branch ASA. Use IP SLA to track the default route via ISP1, which would failover to the DSL backup in the event the leased line fails.

On the HQ, create 2 tunnel groups (use the IP address of the branch interface IP address) and define the authentication (PSK). Define a secondary peer IP address (of the DSL backup interface) under the crypto map.

Here is a similar example: https://integratingit.wordpress.com/2023/02/11/asa-dual-isp-backup-vpn/

gaigl · ‎03-28-2023

I'm trying some Parts, I'm not yet ready with Tests (becaus some other Work)

thank you

MHM Cisco World · ‎03-28-2023

I will run lab using ASA HA and other ASA as branch (sorry I dont have FPR now)
do you want to see this lab ?
please confirm
thanks
MHM

gaigl · ‎03-28-2023

Hello,

how can I see the Lab? would be interesting, thank you

MHM Cisco World · ‎03-28-2023

Sure I will run lab share here tonight.

gaigl · ‎03-30-2023

Hello,

I almost got it

at Branch Cryptomap with 2 Interfaces

crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer $IP of HQ
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 1 set ikev2 pre-shared-key *****
crypto map outside_map1 1 set security-association lifetime seconds 3600
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 interface outside
crypto map outside_map1 interface outside-2

on the HQ Cryptomap with 2 peers

crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer $IP-of-outside $IP-of-outside-2
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 1 set security-association lifetime seconds 3600
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 interface outside

static Routes with different metrics

but if I cut the primary connection, I don't get a tunnel via second connection

Error: %ASA-5-750007: IP of outside-2 ...IKEv2 SA DOWN Reason: peer phase 2 mismatch

I've no tracking/SLA in the static routes configured, does this solve the Problem?

should I see an additional crypto SA for the secondary Adress?

Thank you

MHM Cisco World · ‎03-30-2023

if you can same config
in HQ use set peer <peer1><peer2>
but with IKEv1
and also use keepalive in both FW.

please check Mr. @Rob Ingram suggestion before apply my.

for my lab I try using VTI not policy based VPN.

Rob Ingram · ‎03-30-2023

@gaigl did you create a second tunnel-group on the HQ ASA for the branch outside-2 IP address?

Please provide the rest of the VPN configuration for both ASAs.

Multi peer is supported with IKEv2. Example of multi peer.

gaigl · ‎03-30-2023

HQ:

interface Ethernet1/1
nameif outside
security-level 0
ip address 8.8.8.8 255.255.255.0 standby 8.8.8.9
!
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.5.11 255.255.255.0 standby 192.168.5.12

object-group network DM_INLINE_NETWORK_1
network-object object BVK-LAN
network-object object DMZ-1
network-object object DMZ-2
network-object object DMZ-3
network-object object BVBN_NET
network-object object NET-ANYCONNECT
network-object object NET-VOIP

object network TEST-RV
subnet 172.25.0.0 255.255.0.0

access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_1 object TEST-RV

crypto ipsec ikev2 ipsec-proposal AES256SHA512
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer 8.8.8.20 8.20.8.20
crypto map outside_map1 1 set ikev1 transform-set AES256SHA
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 1 set security-association lifetime seconds 3600
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 interface outside

crypto ikev2 policy 1
encryption aes-256 aes-192
integrity sha512 sha384 sha256
group 14
prf sha512 sha384 sha256
lifetime seconds 3600

tunnel-group 8.8.8.20 type ipsec-l2l
tunnel-group 8.8.8.20 general-attributes
default-group-policy GP_IKEV2
tunnel-group 8.8.8.20 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 8.20.8.20 type ipsec-l2l
tunnel-group 8.20.8.20 general-attributes
default-group-policy GP_IKEV2
tunnel-group 8.20.8.20 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

--------------------------------------------------
BRANCH

interface Ethernet1/1
no switchport
nameif outside
security-level 0
ip address 8.8.8.20 255.255.255.240
!
interface Ethernet1/2
no switchport
nameif outside-2
security-level 0
ip address 8.20.8.20 255.255.255.224
!
interface Ethernet1/3
no switchport
nameif inside
security-level 100
ip address 172.25.1.1 255.255.0.0
!
object network AUSSENSTELLEN_TEST_LAN
subnet 172.25.0.0 255.255.0.0

object-group network DM_INLINE_NETWORK_1
network-object object BVK-LAN
network-object object BVBN_NET
network-object object DMZ_I
network-object object DMZ_II
network-object object DMZ_III
network-object object NET-ANYCONNECT
network-object object NET-VOIP

access-list outside_cryptomap extended permit ip object AUSSENSTELLEN_TEST_LAN object-group DM_INLINE_NETWORK_1

crypto ipsec ikev2 ipsec-proposal AES256SHA512
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 1024
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer 8.8.8.8
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 1 set ikev2 pre-shared-key *****
crypto map outside_map1 1 set security-association lifetime seconds 3600
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 interface outside
crypto map outside_map1 interface outside-2

crypto ikev2 policy 1
encryption aes-256 aes-192
integrity sha512 sha384 sha256
group 14
prf sha512 sha384 sha256
lifetime seconds 3600

crypto ikev2 enable outside
crypto ikev2 enable outside-2

dynamic-access-policy-record DfltAccessPolicy
username admin password ***** pbkdf2 privilege 15
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 general-attributes
default-group-policy GP_IPSEC_2
tunnel-group 8.8.8.8 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!

(public IP not real)

gaigl · ‎03-30-2023

edit: the IKEv1 lines are now removed, was an unsuccessfull test

gaigl · ‎03-30-2023

Hello Rob, I dont use SLA/Tracking till now.

I configured the routes with different metrics like this:

route outside-2 172.27.0.0 255.255.0.0 GW-ISP1 10
route outside 172.28.0.0 255.255.0.0 GW-ISP2 1
route outside-2 172.28.0.0 255.255.0.0 GW-ISP1 10
route outside 172.29.0.0 255.255.0.0 GW-ISP2 1
route outside-2 172.29.0.0 255.255.0.0 GW-ISP1 10
route outside 172.30.0.0 255.255.0.0 GW-ISP2 1
route outside-2 172.30.0.0 255.255.0.0 GW-ISP10 10

Rob Ingram · ‎03-30-2023

Ok, that doesn't look right, you aren't tracking a route and why not track the default route? What about the IP SLA and tracking configuration itself?

Is SLA/tracking working as expected?

I previously provided an example of this scenario with SLA/tracking configuration.

gaigl · ‎03-30-2023

Hi Rob,

I've got no expirience in tracking/SLA and I can't ping the Gateway of the ISP, I don't get echo-reply

Rob Ingram · ‎03-30-2023

Ok, well you need to track something to detect if that "outside" interface is up, perhaps track the outside IP address of another of your sites?

The link I provided has an example of IP SLA/Tracking and shows you how to configure tracking a route.