Uploaded by Ragnar Lodbrok

Fail Over IPSec Site-to-Site VPN with backup peer on Cisco ASA
1. Overview:
In this scenario the corporation has many branches in many places. At each branch a pair of Cisco ASA firewalls is configured for active/standby failover. At HQ there are two small sites, A and B, and each site has one Cisco ASA firewall.
To back up the Internet link from the branch site to the ISP, we deploy two links to two different ISPs. Each ISP provides one public IP address.
From each of those IP addresses we set up two IPsec VPN tunnels from the branch firewall to the two firewalls at HQ.

Traffic flow from Branch to HQ

Link       Interface   Crypto map   Primary peer   Secondary peer   ISP
Primary    outside_1   10           HQ-A           HQ-B             1
Secondary  outside_2   10           HQ-A           HQ-B             2

Traffic flow from HQ to Branch

Link       Firewall (outside)   Crypto map   Primary peer   Secondary peer
Primary    HQ-A                 10           outside_1      outside_2
Secondary  HQ-B                 10           outside_1      outside_2

Failover case:

Traffic failover case

Case                         Direction       VPN tunnel           ISP
Normal                       HQ to Branch    HQ-A to outside_1    1
                             Branch to HQ    outside_1 to HQ-A    1
Down to ISP1 (Branch side)   HQ to Branch    HQ-A to outside_2    2
                             Branch to HQ    outside_2 to HQ-A    2
Down to GW1 (HQ side)        HQ to Branch    HQ-B to outside_1    1
                             Branch to HQ    outside_1 to HQ-B    1

2. Configuration Task:
- Set up connections, IP addresses, DHCP and OSPF routing on the firewalls and the router.
- Configure active/standby failover between the two firewalls BR-AC and BR-SB.
- Set up an L2L VPN on firewall BR-AC with two peers, HQ-A and HQ-B, on interface outside_1 (connected to ISP1).
- Set up an L2L VPN on firewall BR-AC with two peers, HQ-A and HQ-B, on interface outside_2 (connected to ISP2).
- Configure IP SLA tracking of the ISP1 gateway address and of the HQ-A address on firewall BR-AC.
- Set up an L2L VPN on firewall HQ-A with two peers, the outside_1 and outside_2 interfaces of firewall BR-AC.
- Set up an L2L VPN on firewall HQ-B with two peers, the outside_1 and outside_2 interfaces of firewall BR-AC.
- Configure IP SLA tracking of the ISP gateway address and of the BR-AC outside_1 interface address on firewalls HQ-A and HQ-B.
3. Configuration and Verification:
RTR-BB

ip dhcp excluded-address 10.92.92.254
!
ip dhcp pool LAN
network 10.92.92.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.92.92.254
!
interface GigabitEthernet0/0
ip address 10.92.92.254 255.255.255.0
!
interface GigabitEthernet0/1
ip address 10.92.100.1 255.255.255.0
ip ospf 2 area 0
!
router ospf 2
! Advertise the connected LAN 10.92.92.0/24 to HQ-A and HQ-B
redistribute connected metric-type 1 subnets

HQ-A

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.18.101.2 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.92.100.253 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!-----------------Configure routing------------------!
! Track the ISP gateway; the default route is withdrawn when it stops answering
sla monitor 10
type echo protocol ipIcmpEcho 172.18.101.1 interface outside
timeout 1000
frequency 3
sla monitor schedule 10 life forever start-time now
!
track 10 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 172.18.101.1 1 track 10
!
router ospf 2
network 10.92.100.0 255.255.255.0 area 0
log-adj-changes
! Lower metric than HQ-B, so the LAN router prefers HQ-A as default gateway
default-information originate metric 10
!
!-----------------Configure VPN Ipsec l2l------------------!
crypto ikev1 enable outside
!
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
! One tunnel-group per BR-AC outside address (outside_1 and outside_2)
tunnel-group 172.19.101.254 type ipsec-l2l
tunnel-group 172.19.101.254 ipsec-attributes
ikev1 pre-shared-key *****
!
tunnel-group 172.19.102.254 type ipsec-l2l
tunnel-group 172.19.102.254 ipsec-attributes
ikev1 pre-shared-key *****
!
object network 10.92.92.0_24
subnet 10.92.92.0 255.255.255.0
object network 10.177.177.0_24
subnet 10.177.177.0 255.255.255.0
!
access-list 100 extended permit ip object 10.92.92.0_24 object 10.177.177.0_24
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map outside_map 10 match address 100
crypto map outside_map 10 set pfs
! Peers are tried in order: BR-AC outside_1 first, outside_2 as backup
crypto map outside_map 10 set peer 172.19.101.254 172.19.102.254
crypto map outside_map 10 set ikev1 transform-set myset
crypto map outside_map interface outside
!
! Identity NAT so VPN traffic is not translated
nat (inside,outside) source static 10.92.92.0_24 10.92.92.0_24 destination static 10.177.177.0_24 10.177.177.0_24 no-proxy-arp route-lookup
!
!-----------------Configure monitor primary peer------------------!
! While the primary peer (BR-AC outside_1) answers, the /32 route to the secondary
! peer points at an unreachable next hop, so the crypto map only negotiates with
! the primary. When track 100 falls the route is withdrawn and the secondary peer
! becomes reachable through the default route.
sla monitor 100
type echo protocol ipIcmpEcho 172.19.101.254 interface outside
timeout 1000
frequency 3
sla monitor schedule 100 life forever start-time now
!
track 100 rtr 100 reachability
route outside 172.19.102.254 255.255.255.255 169.254.255.254 1 track 100

HQ-B

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.18.102.2 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.92.100.254 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!-----------------Configure routing------------------!
sla monitor 10
type echo protocol ipIcmpEcho 172.18.102.1 interface outside
timeout 1000
frequency 3
sla monitor schedule 10 life forever start-time now
!
track 10 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 172.18.102.1 1 track 10
!
router ospf 2
network 10.92.100.0 255.255.255.0 area 0
log-adj-changes
! Higher metric than HQ-A, so HQ-B is only used when HQ-A withdraws its default
default-information originate metric 20
!
!-----------------Configure VPN Ipsec l2l------------------!
crypto ikev1 enable outside
!
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
! Peers are the outside_1 and outside_2 addresses of BR-AC, as on HQ-A
! (the original listed 172.19.100.254, which is not an address of BR-AC)
tunnel-group 172.19.101.254 type ipsec-l2l
tunnel-group 172.19.101.254 ipsec-attributes
ikev1 pre-shared-key *****
!
tunnel-group 172.19.102.254 type ipsec-l2l
tunnel-group 172.19.102.254 ipsec-attributes
ikev1 pre-shared-key *****
!
object network 10.92.92.0_24
subnet 10.92.92.0 255.255.255.0
object network 10.177.177.0_24
subnet 10.177.177.0 255.255.255.0
!
access-list 100 extended permit ip object 10.92.92.0_24 object 10.177.177.0_24
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map outside_map 10 match address 100
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 172.19.101.254 172.19.102.254
crypto map outside_map 10 set ikev1 transform-set myset
crypto map outside_map interface outside
!
nat (inside,outside) source static 10.92.92.0_24 10.92.92.0_24 destination static 10.177.177.0_24 10.177.177.0_24 no-proxy-arp route-lookup
!
!-----------------Configure monitor primary peer------------------!
! Same trick as on HQ-A: blackhole the secondary peer while the primary answers
sla monitor 100
type echo protocol ipIcmpEcho 172.19.101.254 interface outside
timeout 1000
frequency 3
sla monitor schedule 100 life forever start-time now
!
track 100 rtr 100 reachability
route outside 172.19.102.254 255.255.255.255 169.254.255.254 1 track 100

BR-AC

!-----------------Configure failover------------------!
interface GigabitEthernet0/0
description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface LANFAIL GigabitEthernet0/0
failover key *****
failover link LANFAIL GigabitEthernet0/0
failover interface ip LANFAIL 192.168.1.1 255.255.255.0 standby 192.168.1.2

BR-SB

!-----------------Configure failover firewall------------------!
interface GigabitEthernet0/0
description LAN/STATE Failover Interface
!
failover
failover lan unit secondary
failover lan interface LANFAIL GigabitEthernet0/0
failover key *****
failover link LANFAIL GigabitEthernet0/0
failover interface ip LANFAIL 192.168.1.1 255.255.255.0 standby 192.168.1.2

BR-AC

interface GigabitEthernet0/1
nameif outside_1
security-level 0
ip address 172.19.101.254 255.255.255.0 standby 172.19.101.253
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.177.177.254 255.255.255.0 standby 10.177.177.253
!
interface GigabitEthernet0/3
nameif outside_2
security-level 0
ip address 172.19.102.254 255.255.255.0 standby 172.19.102.253
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
dhcpd dns 8.8.8.8
!
dhcpd address 10.177.177.1-10.177.177.100 inside
dhcpd enable inside
!
!-----------------Configure routing------------------!
! Track the ISP1 gateway; when it stops answering the metric-1 default route is
! withdrawn and the metric-10 default route via ISP2 takes over
sla monitor 10
type echo protocol ipIcmpEcho 172.19.101.1 interface outside_1
timeout 1000
frequency 3
sla monitor schedule 10 life forever start-time now
!
track 10 rtr 10 reachability
route outside_1 0.0.0.0 0.0.0.0 172.19.101.1 1 track 10
route outside_2 0.0.0.0 0.0.0.0 172.19.102.1 10
!
!-----------------Configure VPN Ipsec l2l------------------!
crypto ikev1 enable outside_1
crypto ikev1 enable outside_2
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
! One tunnel-group per HQ firewall (HQ-A and HQ-B)
tunnel-group 172.18.101.2 type ipsec-l2l
tunnel-group 172.18.101.2 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 172.18.102.2 type ipsec-l2l
tunnel-group 172.18.102.2 ipsec-attributes
ikev1 pre-shared-key *****
!
object network 10.177.177.0_24
subnet 10.177.177.0 255.255.255.0
object network 10.92.92.0_24
subnet 10.92.92.0 255.255.255.0
!
access-list 100 extended permit ip object 10.177.177.0_24 object 10.92.92.0_24
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
! Same peer list (HQ-A first, HQ-B as backup) on both ISP-facing interfaces
crypto map outside_map_1 10 match address 100
crypto map outside_map_1 10 set pfs
crypto map outside_map_1 10 set peer 172.18.101.2 172.18.102.2
crypto map outside_map_1 10 set ikev1 transform-set myset
crypto map outside_map_1 interface outside_1
!
crypto map outside_map_2 10 match address 100
crypto map outside_map_2 10 set pfs
crypto map outside_map_2 10 set peer 172.18.101.2 172.18.102.2
crypto map outside_map_2 10 set ikev1 transform-set myset
crypto map outside_map_2 interface outside_2
!
! Identity NAT on both outside interfaces so VPN traffic is not translated
nat (inside,outside_1) source static 10.177.177.0_24 10.177.177.0_24 destination static 10.92.92.0_24 10.92.92.0_24 no-proxy-arp route-lookup
nat (inside,outside_2) source static 10.177.177.0_24 10.177.177.0_24 destination static 10.92.92.0_24 10.92.92.0_24 no-proxy-arp route-lookup
!-----------------Configure failover vpn l2l------------------!
! Track HQ-A (the primary peer) through each ISP. While HQ-A answers, the /32
! route to HQ-B points at an unreachable next hop so the crypto map only
! negotiates with HQ-A; once both tracks fall, the routes are withdrawn and
! HQ-B is reached through the default route.
sla monitor 101
type echo protocol ipIcmpEcho 172.18.101.2 interface outside_1
timeout 1000
frequency 3
sla monitor schedule 101 life forever start-time now
!
track 101 rtr 101 reachability
route outside_1 172.18.102.2 255.255.255.255 169.254.255.254 1 track 101
!
sla monitor 102
type echo protocol ipIcmpEcho 172.18.101.2 interface outside_2
timeout 1000
frequency 3
sla monitor schedule 102 life forever start-time now
!
track 102 rtr 102 reachability
route outside_2 172.18.102.2 255.255.255.255 169.254.255.254 10 track 102
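As an added illustration (not part of the original document), the following Python model reproduces how BR-AC's tracked routes steer crypto map peer selection: the /32 routes to HQ-B point at the unreachable next hop 169.254.255.254 while HQ-A answers, so only HQ-A is negotiated with; once tracks 101 and 102 fall, those routes are withdrawn and HQ-B is reached via the default route. The `lookup` and `select_peer` functions and the `alive` set are assumptions used to model the ASA's behaviour; the route and peer data are taken from the BR-AC configuration above.

```python
import ipaddress

BLACKHOLE = "169.254.255.254"  # unreachable next hop used on the page

# (interface, prefix, gateway, metric, track id or None), from the BR-AC config
BR_AC_ROUTES = [
    ("outside_1", "0.0.0.0/0", "172.19.101.1", 1, 10),
    ("outside_2", "0.0.0.0/0", "172.19.102.1", 10, None),
    ("outside_1", "172.18.102.2/32", BLACKHOLE, 1, 101),
    ("outside_2", "172.18.102.2/32", BLACKHOLE, 10, 102),
]
PEERS = ["172.18.101.2", "172.18.102.2"]  # crypto map peer order: HQ-A, HQ-B


def lookup(dest, routes, tracks):
    """Longest-prefix, then lowest-metric match over routes whose track is up.

    tracks maps track id -> True (reachable) / False (withdrawn). Returns
    (interface, gateway) or None when no route matches.
    """
    best = None
    for iface, prefix, gw, metric, track in routes:
        if track is not None and not tracks.get(track, False):
            continue  # tracked route has been withdrawn
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dest) not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, iface, gw)
    return None if best is None else (best[1], best[2])


def select_peer(tracks, alive):
    """Model of peer selection: first listed peer that has a real (non-blackhole)
    route and actually answers IKE (membership in the constructed `alive` set)."""
    for peer in PEERS:
        route = lookup(peer, BR_AC_ROUTES, tracks)
        if route is None or route[1] == BLACKHOLE:
            continue  # no route, or deliberately blackholed while HQ-A is up
        if peer in alive:
            return peer, route[0]
    return None


if __name__ == "__main__":
    both = {"172.18.101.2", "172.18.102.2"}
    print("normal        :", select_peer({10: True, 101: True, 102: True}, both))
    print("ISP1 down     :", select_peer({10: False, 101: False, 102: True}, both))
    print("HQ-A GW1 down :", select_peer({10: True, 101: False, 102: False}, {"172.18.102.2"}))
```

The three scenarios reproduce the rows of the failover table: HQ-A via outside_1, HQ-A via outside_2, and HQ-B via outside_1.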

Verification:
Test case: Normal
PC1> ping 10.177.177.1
84 bytes from 10.177.177.1 icmp_seq=1 ttl=63 time=7.039 ms
84 bytes from 10.177.177.1 icmp_seq=2 ttl=63 time=8.375 ms
84 bytes from 10.177.177.1 icmp_seq=3 ttl=63 time=9.426 ms
84 bytes from 10.177.177.1 icmp_seq=4 ttl=63 time=7.734 ms
84 bytes from 10.177.177.1 icmp_seq=5 ttl=63 time=10.160 ms

PC2> ping 10.92.92.1
84 bytes from 10.92.92.1 icmp_seq=1 ttl=63 time=10.037 ms
84 bytes from 10.92.92.1 icmp_seq=2 ttl=63 time=19.060 ms
84 bytes from 10.92.92.1 icmp_seq=3 ttl=63 time=9.428 ms
84 bytes from 10.92.92.1 icmp_seq=4 ttl=63 time=9.223 ms
84 bytes from 10.92.92.1 icmp_seq=5 ttl=63 time=7.831 ms

BR-AC# show crypto ikev1 sa
1 IKE Peer: 172.18.101.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
BR-AC# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 172.19.100.254
access-list 100 extended permit ip 10.177.177.0 255.255.255.0 10.92.92.0 255.255.255.0
local ident (addr/mask/prot/port): (10.177.177.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.92.92.0/255.255.255.0/0/0)
current_peer: 172.18.101.2

Test case: down link to ISP1 (Branch side)
PC2> ping 10.92.92.1
10.92.92.1 icmp_seq=1 timeout
84 bytes from 10.92.92.1 icmp_seq=2 ttl=63 time=14.647 ms
84 bytes from 10.92.92.1 icmp_seq=3 ttl=63 time=8.531 ms
84 bytes from 10.92.92.1 icmp_seq=4 ttl=63 time=7.612 ms
84 bytes from 10.92.92.1 icmp_seq=5 ttl=63 time=7.616 ms

PC1> ping 10.177.177.1
84 bytes from 10.177.177.1 icmp_seq=1 ttl=63 time=7.984 ms
84 bytes from 10.177.177.1 icmp_seq=2 ttl=63 time=9.540 ms
84 bytes from 10.177.177.1 icmp_seq=3 ttl=63 time=7.003 ms
84 bytes from 10.177.177.1 icmp_seq=4 ttl=63 time=7.840 ms
84 bytes from 10.177.177.1 icmp_seq=5 ttl=63 time=7.361 ms

BR-AC# show route
S* 0.0.0.0 0.0.0.0 [10/0] via 172.19.102.1, outside_2

1 IKE Peer: 172.18.101.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
BR-AC# show crypto ipsec sa
interface: outside_2
Crypto map tag: outside_map_2, seq num: 10, local addr: 172.19.102.254
access-list 100 extended permit ip 10.177.177.0 255.255.255.0 10.92.92.0 255.255.255.0
local ident (addr/mask/prot/port): (10.177.177.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.92.92.0/255.255.255.0/0/0)
current_peer: 172.18.101.2

HQ-A# show crypto ikev1 sa
1 IKE Peer: 172.19.102.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
HQ-A# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 172.18.101.2
access-list 100 extended permit ip 10.92.92.0 255.255.255.0 10.177.177.0 255.255.255.0
local ident (addr/mask/prot/port): (10.92.92.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.177.177.0/255.255.255.0/0/0)
current_peer: 172.19.102.254

Test case: down link to GW1 (HQ side)
PC2> ping 10.92.92.1
84 bytes from 10.92.92.1 icmp_seq=1 ttl=63 time=7.981 ms
84 bytes from 10.92.92.1 icmp_seq=2 ttl=63 time=11.681 ms
84 bytes from 10.92.92.1 icmp_seq=3 ttl=63 time=7.080 ms
84 bytes from 10.92.92.1 icmp_seq=4 ttl=63 time=11.438 ms
84 bytes from 10.92.92.1 icmp_seq=5 ttl=63 time=7.946 ms

PC1> ping 10.177.177.1
84 bytes from 10.177.177.1 icmp_seq=1 ttl=63 time=6.856 ms
84 bytes from 10.177.177.1 icmp_seq=2 ttl=63 time=7.798 ms
84 bytes from 10.177.177.1 icmp_seq=3 ttl=63 time=8.076 ms
84 bytes from 10.177.177.1 icmp_seq=4 ttl=63 time=8.286 ms
84 bytes from 10.177.177.1 icmp_seq=5 ttl=63 time=7.935 ms

BR-AC# show crypto ikev1 sa
1 IKE Peer: 172.18.102.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
BR-AC# show crypto ipsec sa
interface: outside_1
Crypto map tag: outside_map_1, seq num: 10, local addr: 172.19.101.254
access-list 100 extended permit ip 10.177.177.0 255.255.255.0 10.92.92.0 255.255.255.0
local ident (addr/mask/prot/port): (10.177.177.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.92.92.0/255.255.255.0/0/0)
current_peer: 172.18.102.2

HQ-B# show crypto ikev1 sa
1 IKE Peer: 172.19.101.254
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
HQ-B# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 172.18.102.2
access-list 100 extended permit ip 10.92.92.0 255.255.255.0 10.177.177.0 255.255.255.0
local ident (addr/mask/prot/port): (10.92.92.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.177.177.0/255.255.255.0/0/0)
current_peer: 172.19.101.254
