Redundant VPN design

Similar Questions

• Question of redundancy VPN l2l using 2811 as endpoint devices

  I have a new implementation of VPN L2L passes using two 2811 s than VPN terminal devices. I'll try to use the HSRP address between the public interfaces of both routers as VPN peer address. The problem that I found during the test is that the tunnel will become active and debugs watch the HSRP address as an invalid address to form the tunnel. Have a work-around, or a better plan for redundancy on peering address using similar devices? Thanks in advance.

  Take a look at this doc about IOS IPSec HA.

  http://www.Cisco.com/en/us/docs/iOS/security/configuration/guide/sec_vpn_ha_enhance_ps6922_TSD_Products_Configuration_Guide_Chapter.html#wp1039849

• Redundancy VPN by destination?

  Hi all, I am trying to set up a vpn for one of my clients. they must have the same tunnel vpn with same source - destination traffic but destined for two different periods of public inquiry. so this should have sort of a primary vpn if it don't then a secondary vpn must support. This isn't the redundant Internet access provider scenario.

  A network - B - vpn - terminate on X (most preffered)

  A network - B - vpn - terminate on Y (less preferred)

  On the ASA, you can do it with the primary encryption card with a higher priority than backup, but using the same ACL. If the first card cannot peer, the other will be implemented. It should be lower setting on the IPSec Security Association lifetime for this. You can also only defining the hub in single are created and the rays or receive only so that you do not have a RADIUS, creating a new SA when you do not want that it is for me.

• Double firewall, config VPN design question?

  All,

  I'm looking to implement a design of double firewall with different suppliers, i.e. Cisco at the front and another seller behind that. The Cisco ASA will manage the ends of the VPN. It's a design recommended to us.

  The reason was the front towards the firewall (cisco) will block most of the noise, and then the second firwall will make inspection of the IPS etc. Apparently, this is also done incase there are vulnerabilities with the first provider. The DMZ interface will in fact come the second firewall.

  I am currently working, what if all remote users terminate their VPN at the edge of the ASAs, what is the best way have to move towards the second firwall, then again on the internet so we can apply the policy to users / and inspection?

  There are no facilities on the front to ASAs IPS inspection, just a bog without visibility L7 stock Firewall (as this responsibility will lie with the second firewall).

  Looking for information so that I can start looking...

  The MCV is a great place to start.

  http://www.Cisco.com/en/us/solutions/ns340/ns414/ns742/ns1128/landing_iEdge.html

• VPN design tips

  I usually deal with issues of LAN/WAN, but have very little experience with the design of the VPN. I would like to know if I have the right idea or if there is a better solution to target.

  Scenario:

  There is a staff with two remote offices. Remote offices have 10 to 20 people each with little or no planned growth and different firewall solutions. HQ has 40-50 people anticipating exceptional growth and a PIX 515E. The manager would like to remote offices and remote access VPN site to site VPN for the traveler. His biggest concern is the speed through the site to site tunnels.

  My solution:

  Place a hub routers of the 800 series with sets of features VPN and firewalls and VPN 3005 behind the PIX to HQ in remote controls.

  This seems sufficient? Other recommendations?

  No I don't think so. This should be good only for the 515.

• Recovery site - redundant VPN peers

  Hello all, thank you in advance for your expertise.

  We put in place a recovery site disaster that will host the redundant copies of our servers and critical data in Kansas City.  When disaster strikes, our headquarters site would be totally gone.

  We currently have 7 locations that communicate to our HQ via VPN tunnels (whether on a circuit of the Internet or on a circuit of Cox Communications Ethernet WAN).  Branch sites each can an ISR of Cisco 2821 router.  At Headquarters and on the DR site, we use a Cisco ASA 5510 to terminate VPN tunnels and do everything that our column spinal routing.  Routing on the ASA and branch routers is all static, using a routing protocol would be a nice update in the future... any ideas?  We use IPSEC VPN lan lan tunnels 2, no GRE/VPN is used because it is not terminated by the ASA.

  What is the best way to configure my routers for branch to automatically or manually failover to connect to one ASA different site of DR?

  In addition, if my seat is still in place, but either my Internet or Cox headquarters ethernet circuit breaks down.  How can I re - route all traffic in a loop to the seat on the right remains a circuit?

  Is there a better way to do what I want to accomplish?  BGP is not an option at this point due to its complexity.

  Lucas,

  To circumvent the two point separately.

  The best way to provide active / standby time of reundancy is preferred peer in cryptographic cards (on the ISR routers).

  You can choose to establish VPN to HQ and only if HQ is not aid you to DR, when HQ is you will EVENTUALLY return to it.

  The answer to share of your questions may also be the preferred option by peers (and several counterparts in a crypto map entry).

  This being said, you can try to send OSPF traffic to IPsec tunnel (and using the neighbor command to avoid the manipulation of mcast in pure IPsec).

  Docs:

  http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_ipsec_pref_peer_ps10591_TSD_Products_Configuration_Guide_Chapter.html

  HTH,

  Marcin

  P. S.

  If you want my personal opion, chaning ASAs in HQ and DR sites and put you in routers could make DMVPN or DVTI-ASIT scenario which gives you a lot more features ;-)

• How redundant VPN

  I have two sites with 2921 IPSec routers. Each router has 3 ethernet interfaces. A local area network, Internet, and an Ethernet based private circuit.

  I need the site to site VPN between these routers, on the private circuit. However, this circuit fails on rare opportunity, so I want to have a VPN failover to review the Internet as a backup.

  Doesn't matter to me if it's the primary failover / secondary or if there are load balanced with failover. What is essential, is that if a circuit fails, my remote site continues to communicate with the main office.

  HSRP looks like I need two routers and I don't have one of the HSRP Protocol monitors several LAN interfaces.

  I opened a case with TAC, but it has been a week without any progress.

  Certainly, it is not so hard to do.

  Hey Joe,

  Router eigrp 100

  Network 10.250.1.0 0.0.0.3 #10.250.1.1 is the IP address of the tunnel12

  Network 10.250.1.4 0.0.0.3 #10.250.1.5 is the ip address of the tunnel122

  network 192.168.1.0 # is the LAN segment that must be routed.

  Remote router...

  Router eigrp 100

  Network 10.250.1.8 0.0.0.3 #10.250.1.9 is the IP address of the tunnel0

  Network 10.250.1.12 0.0.0.3 #10.250.1.13 is the IP address of the tunnel1

  network 192.168.12.0 # is the LAN segment that must be routed.

  The two parties should normally be in the same subnet NW

  for example if

  You 12 is connected to tu0

  then

  one side have 10.250.1.1 and the other 10.250.1.2

  If tu122 is connected to tu1

  then

  10.250.1.5 and the other side is 10.250.1.6

  the two eigrp network should be the same

• Redundancy VPN configuration

  We have a VPN connection from site to site with a remote network and want to know if there is anyway to set a secondary IP address peer who would use VPNS to connect in case the primary became unavailable

  Configuration of counterpart of backup for tunnel vpn on the same crypto map

  Problem

  You want to use several counterparts backup for a single vpn tunnel.

  Solution

  Configuration of several counterparts is equivalent to provide a list of relief. For each tunnel, the security apparatus tried to negotiate with the first peer in the list.

  If this peer does not respond, the security apparatus made his way to the bottom of the list until a peer responds, or there is no peer more in the list.

  The SAA must have a card encryption already configured as the primary counterpart. The secondary counterpart could be added after the primary.

  This example configuration shows the primary counterpart as X.X.X.X and Y.Y.Y.Y as peer backup:

  ASA (config) #crypto map mymap 10 peer set X.X.X.X Y.Y.Y.Y

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807...

  HTH

  If useful rates

  Sent by Cisco Support technique iPhone App

• Redundancy VPN

  I have a scenario where I have 2 ISPS connected to a different 800 router. Inside network is a single a (10.10.10.0/24). It is a single office and this unique office has a L2L tunnel with another office (office-2). How configure failover and load balancing, and always keep the tunnel if one ISP goes down?

  ciscobigcat,

  I just asked one of the experts switch that I worked with and he told me the 4500 s cannot handle GRE tunnel even if they are L3 switches.  So that would not work for you. 6500 or even the 3700 series switches should be able to do it without problem, but you should talk to your representative local sales to confirm.

  You can absolutely send a tunnel through another tunnel.  The concept is that build you a GRE tunnel between closure of the router behind the ASA closure on Router 1.  Then you build plain ipsec between routers-1 tunnel and the ASA that match all ip traffic between the closure on Router-1 for the closure of the router behind the ASA.

• ASA5505 configure VPN primary and backup

  Dear experts,

  I would like to ask you a few question that now I didn't get any primary VPN and backup connection, how can we do on this is sue? (I mean that when the primary reduction, then backup connection is automatically)

  Could you advice me how can I do?

  Best regards

  Rechard_hk

  I guess we should have asked for a bit more information, it seems Marwan and I responded almost at the same time, and I'm sure he'll provide great info.

  I had more geared towards a scenario of a firewall failure fault tolerance or an ISP connection failed in an architecture Fw DOUBLE and DOUBLE tis.

  Assuming that you want to have redundant firewall design, is when you look into the firewall active / standby to provide firewall redundancy, but when it comes to connections continues with VPN when one firewall fails, this is with characteristic State in place.

  IM providing links for reference belloe to get an idea of fws active and reserve but ASA5505 is the only model who is a stateless person, it is not dynamic which means connections will have to re - perform when one firewall fails.

  Also to implement two firewalls for the implementation of the changeover you need security more license to enable the active feature and reserve. This license will also include the activation of support DMZ and power create a VLAN to 20, as well as support Double TIS.

  Example of active / standby

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

  Comparison of the ASA - Look into Ipsec more license and features.

  http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

  On the other hand you may have in the future a backup ISP link, not only do you have active failover / standby but you can also have a backup ISP must link primary link fails with ALS and follow-up of Staic routing.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

  Rgds

  Jorge

• VPN failover between the ASA

  I do a search in the search of the best solution for switching between two ASA and hoped that someone wants to point me in the right direction.

  The situation is this, we got:

  -Head Office 2:

  Each is equipped with an ASA 5505

  -10 branches

  Each is equipped with a 887 integrated services router.

  Each is BranchOffice must have a redundant VPN connection at the headquarters of these two, and they all need to use the first person as main and the other in high school. In case of failure, all branches need to use the second connection VPN going the second seat.

  In my research, I'm looking for the best possible solution, with faster failover, but have no idea where to start my research.

  I hope someone has a good answer for this one.

  Thank you very much in advance,

  Kind regards

  Dwayne

  I do not understand why people continue to use ASA devices for VPN endpoint.  the ASA is NOT designed for complex VPN scenarios.  It is designed for simple scenarios.  In terms of VPN by using comparison, ASA is a person with a basic education while Cisco IOS is like a person with a college degree.

  For the scenario, you will be much better using Cisco IOS routers everywhere, where you can implement the GRE/IPSec or DMVPN.  Both cases will be sastify to your needs.

• Branch 5505, 1 circuit ISP, Dual - peer VPN Configuration for Data Center & Track Options

  Hi all

  I have a data center with two lines of ISP redundancy and two ASA 5520 for redundancy VPN to my branches.  Each of my branches has 1 ASA 5505 with a base license and 1 ISP circuit. Currently all my VPN tunnels are built for data center main circuit ISP only, so if one goes down, I'm toast.  I need to fix this. Problem is, I don't know how I can control failover on 5505 with 1 single line branch.  Please see my picture for an example of how he looks at it right now.

  So the problem is that the data center LAN my branch has to go to is identical regardless of which circuit of data center is in the. And I know the ASA rules say only 1 VPN tunnel can be active at a time if flow are the same.  So in this case, I know you usually do:

  card crypto outside_map 1 set 12.x.xxx.20 50.xxx.xx.190 counterpart

  and then configure route followed to control when cut down the primary counterpart and turn back up by peers. But where I have only 1 ISP on the side of the branch, I'll only have 1 default route: route outside 0.0.0.0 0.0.0.0 3.3.3.2 1, will be used that the active end counterpart is the primary or the secondary data center. Also, since I did not have a second track, I can't configure followed on the main road with an SLA that defines the trigger conditions, because there is nothing to ensure the follow-up of the routing.

  How is - a would handle a situation like this? Are there other features that can be taken off the roads?  I really need to be able to define "num-package 5 ' in ALS so my sites are not beat all day, but once again, without something to follow, I can't really set up a meaningful SLAS.  Any help is appreciated.

  Thanks for the additional explanation. It helps to clarify your environment. EIGRP running on the Remote would be a nice option, but I'm not sure that it is supported on the SAA. I ran EIGRP to remote peers using IOS routers (using the two ACCORD with IPsec and VTI tunnels tunnels) and it was very effective. But on the SAA, I believe that we must seek an alternative.

  It seems to me that using reverse road Injection as part of your VPN site-to-site should work. With IPP the ASA inserts a static route to remote resources when the VPN tunnel is negotiated and traffic can flow. If you redistribute the static in EIGRP EIGRP then must learn the ways of any ASA a currently active tunnel. And who should provide the dynamic rollover you need.

  HTH

  Rick

• Configure several IPSec VPN between Cisco routers

  I would like to create multiple ipsec VPN between 3 routers. Before applying it, I would like to check on the config I wrote to see if it works. It's just on RouterA configuration for virtual private networks to RouterB, and RouterC.

  As you can apply in a cyptomap by interface, I say with the roadmap, that it should be able to manage traffic for both routers. Or is there a better way to do it?

  RouterA - 1.1.1.1

  RouterB - 2.2.2.2

  RouterC - 3.3.3.3

  RouterA

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto key RouterB address 2.2.2.2

  ISAKMP crypto keys RouterC address 3.3.3.3

  invalid-spi-recovery crypto ISAKMP

  ISAKMP crypto keepalive 5 10 periodicals

  ISAKMP crypto nat keepalive 30

  !

  life crypto ipsec security association seconds 28800

  !

  Crypto ipsec transform-set AES - SHA esp - aes 256 esp-sha-hmac

  !

  outsidemap 20 ipsec-isakmp crypto map

  defined peer 2.2.2.2

  game of transformation-AES-SHA

  match address 222

  outsidemap 30 ipsec-isakmp crypto map

  defined peer 3.3.3.3

  game of transformation-AES-SHA

  match address 333

  !

  interface GigabitEthernet0/0

  Description * Internet *.

  NAT outside IP

  outsidemap card crypto

  !

  interface GigabitEthernet0/1

  Description * LAN *.

  IP 1.1.1.1 255.255.255.0

  IP nat inside

  !

  IP nat inside source map route RouterA interface GigabitEthernet0/0 overload

  !

  access-list 222 allow ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

  access-list 223 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

  access-list 223 allow ip 1.1.1.0 0.0.0.255 any

  access-list 333 allow ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

  access-list 334 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

  access-list 334 allow ip 1.1.1.0 0.0.0.255 any

  !

  !

  RouterA route map permit 10

  corresponds to the IP 223 334

  Hi Chris,

  The two will remain active.

  The configuration you have is for several ste VPN site is not for the redundant VPN.

  The config for the redundant VPN is completely different allows so don't confuse is not with it.

  In the redundant VPN configuration both peers are defined in the same card encryption.

  Traffic that should be passed through the tunnel still depend on the access list, we call in the card encryption.

  This access-lsist is firstly cheked and as a result, the traffic is passed through the correct tunnel

  HTH!

  Concerning

  Regnier

  Please note all useful posts

• DMVPN Design using ISP by modem redundancy alongside with rays.

  I'm working on a new DMVPN configuration with a 3745 on hub site and a 1941 speak it. I have internet via gsm for the first line speaks it and a DSL for backup on talk.

  I have a tunnel on the spokes and the hub interfaces. Currently my VPN tunnel is coming up fine, however we are planing to do a failover from the ISP next with rays. given that in the tunnel interface, I can define only a "tunnel source interface" which is the cell interface gsm, I don't know how to use my ISP one another for the same tunnel interface because it will always launch gsm traffic.

  that I have to create another interface of tunnel with same hub site, or do I need another hub as backup?

  is their any other way to create the loopback interface and initiate this loopback traffic?

  Does anyone have any suggestions on how I have to design? or someone has an idea what could be the problem?

  Thank you.

  Hello

  There are many designs to implement A high-availability in DMVPN.  Basically, the design decisions are based on infrastructure, budget, and if you are looking to implement HA for devices DMVPN, ISP links or both.

  on your scenario, you seem to be looking to implement redundancy for DMVPN HA ISP on the right talk. This scenario can be achieved by a single pivot double-cloud design, with double-hub it may also be more highly available.

  The elements of design for your scenario:

  -2 interfaces tunnel using two interfaces physical sources talked about it.

  -two interfaces of tunnel in the hub, they can share the same physical interface.

  -Point-key: using of protocols of dynamic routing in the two clouds with different 'links between costs', so that the main connection at lower cost, and the second connection has the higher cost (to use at default)

  I hope this helps you

  ------------------
  Mercury Alshboul

• Redundancy in VPN site-to-site connection

  Hi all

  We have a requirement of redundancy between two layout 2900 cisco routers.

  Router 1(1.1.1.1)--------------------------------------------------(3.3.3.3)

  (2.2.2.2)--------------------------------------------------   Router 2

  The scenario is Router 1 we have 2 ISP IE in 2 interfaces, we set up 2 IPs (1.1.1.1 and 2.2.2.2).

  In Router 2, we have only 1 PSI (3.3.3.3)

  Site to site VPN is configured between Router 1 and Router 2 between IPs 1.1.1.1 and 3.3.3.3.Now the requirement is to have 2 ISP in ROUTER1.

  Default route is configured in two individual ISP routers. So, if necessary I can configure a different default route with a higher priority for the secondary link to Router 1.

  So is it possible to set 2 FPS peer in Router 2?

  I had checked on the internet but couldn't find any configuration cisco router (I'm ASA firewall configuration)

  The commands to set two peers I found in internet in ASA East - Crypto outside_map 10 card set counterpart 1.1.12.2.2.2.1 is not supported in my router.

  Can you please help me find the command configure 2 peers in the Router 2.

  Thank you and best regards,

  Rituporna Sama

  Hi Rituporna,

  Yes, you need the key isakmp to the two peers.

  The remotepeer of peer set that appears first in the list will also act as a primary counterpart.

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.