IPsec VPN terminated on ASA using Dual ISP for redundancy


INITIAL CONFIGURATION

R1

int f0/0

ip address 10.1.1.1 255.255.255.0

no shut

ip route 0.0.0.0 0.0.0.0 10.1.1.10


R2

int f0/0

ip address 10.1.2.1 255.255.255.0

no shut

ip route 0.0.0.0 0.0.0.0 10.1.2.10


Internet

int f0/0

ip address 1.1.1.5 255.255.255.0

no shut

int f0/1

ip address 1.1.2.5 255.255.255.0

no shut

int f1/0

ip address 2.1.1.5 255.255.255.0

no shut


ASA1

interface Ethernet0/0

   nameif primary

   security-level 0

   ip address 1.1.1.10 255.255.255.0

   no shut

!

interface Ethernet0/1

   nameif secondary

   security-level 0

   ip address 1.1.2.10 255.255.255.0

   no shut

!

interface Ethernet0/2

   nameif inside

   security-level 100

   ip address 10.1.1.10 255.255.255.0

   no shut

!

route primary 0.0.0.0 0.0.0.0 1.1.1.5 1 track 1

route secondary 0.0.0.0 0.0.0.0 1.1.2.5 254


ASA2

interface Ethernet0/0

   nameif outside

   security-level 0

   ip address 2.1.1.10 255.255.255.0

   no shut

!

interface Ethernet0/1

   nameif inside

   security-level 100

   ip address 10.1.2.10 255.255.255.0

   no shut

!

route outside 0.0.0.0 0.0.0.0 2.1.1.5


TRACKING THE ROUTE

ASA1

sla monitor 123

type echo protocol ipIcmpEcho 2.1.1.5 interface primary

num-packets 1

frequency 5

!

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability


IPSEC CONFIGURATION

ASA1

access-list 101 permit ip host 10.1.1.1 host 10.1.2.1

crypto isakmp policy 10

encryption 3des

group 2

hash md5

authentication pre-share

!

tunnel-group 2.1.1.10 type ipsec-l2l

tunnel-group 2.1.1.10 ipsec-attributes

pre-shared-key cisco123

!

crypto ipsec transform-set TSET esp-des esp-md5-hmac

crypto map CMAP 10 set peer 2.1.1.10

crypto map CMAP 10 set transform-set TSET

crypto map CMAP 10 match address 101

crypto isakmp enable primary

crypto isakmp enable secondary

crypto map CMAP interface primary

crypto map CMAP interface secondary



ASA2

access-list 101 permit ip host 10.1.2.1 host 10.1.1.1

crypto isakmp policy 10

encryption 3des

group 2

hash md5

authentication pre-share

!

tunnel-group 1.1.1.10 type ipsec-l2l

tunnel-group 1.1.1.10 ipsec-attributes

pre-shared-key cisco123

!

tunnel-group 1.1.2.10 type ipsec-l2l

tunnel-group 1.1.2.10 ipsec-attributes

pre-shared-key cisco123

!

crypto ipsec transform-set TSET esp-des esp-md5-hmac

crypto map CMAP 10 set peer 1.1.1.10 1.1.2.10

crypto map CMAP 10 set transform-set TSET

crypto map CMAP 10 match address 101

crypto isakmp enable outside

crypto map CMAP interface outside
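The failover in this lab only works if the two ASA configurations agree with each other: ASA2 must list both of ASA1's outside addresses as peers and carry a tunnel-group (with the same pre-shared key) for each, ISAKMP must be enabled and the crypto map applied on both of ASA1's ISP interfaces, and the crypto ACLs must be exact mirror images. The script below is an added example, not part of the lab and not Cisco code: it parses the tunnel-relevant lines of the two configurations above (transcribed into the ASA1 and ASA2 strings) and reports anything that would leave one ISP path unable to bring the tunnel up. It assumes the IKEv1 syntax used on the page (a plain `pre-shared-key` line, with the newer `ikev1 pre-shared-key` form also accepted) and it also lists the algorithms the lab uses that are deprecated for IPsec today (DES, 3DES, MD5).

```python
"""Consistency audit for the dual-ISP site-to-site IPsec lab above (added example, not Cisco code)."""
import re
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}  # deprecated for IPsec today
# The lines of the page's ASA configs that the checks depend on (constructed, transcribed input).
ASA1 = """\
interface Ethernet0/0
 nameif primary
 ip address 1.1.1.10 255.255.255.0
interface Ethernet0/1
 nameif secondary
 ip address 1.1.2.10 255.255.255.0
access-list 101 permit ip host 10.1.1.1 host 10.1.2.1
crypto isakmp policy 10
 encryption 3des
 hash md5
tunnel-group 2.1.1.10 ipsec-attributes
 pre-shared-key cisco123
crypto ipsec transform-set TSET esp-des esp-md5-hmac
crypto map CMAP 10 set peer 2.1.1.10
crypto map CMAP 10 match address 101
crypto isakmp enable primary
crypto isakmp enable secondary
crypto map CMAP interface primary
crypto map CMAP interface secondary"""
ASA2 = """\
interface Ethernet0/0
 nameif outside
 ip address 2.1.1.10 255.255.255.0
access-list 101 permit ip host 10.1.2.1 host 10.1.1.1
crypto isakmp policy 10
 encryption 3des
 hash md5
tunnel-group 1.1.1.10 ipsec-attributes
 pre-shared-key cisco123
tunnel-group 1.1.2.10 ipsec-attributes
 pre-shared-key cisco123
crypto ipsec transform-set TSET esp-des esp-md5-hmac
crypto map CMAP 10 set peer 1.1.1.10 1.1.2.10
crypto map CMAP 10 match address 101
crypto isakmp enable outside
crypto map CMAP interface outside"""

def parse_asa(cfg):
    """Collect interfaces, peers, tunnel-group PSKs, crypto ACLs and algorithms."""
    d = {"if": {}, "peers": set(), "tg": {}, "acl": {}, "match": set(),
         "map_if": set(), "isakmp_if": set(), "algs": set()}
    nameif = tg = None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if re.match(r"interface \S+$", line):
            nameif = None                          # new block, wait for its nameif
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m[1]
        elif (m := re.match(r"ip address (\S+) \S+$", line)) and nameif:
            d["if"][nameif] = m[1]
        elif m := re.match(r"access-list (\S+) permit ip host (\S+) host (\S+)$", line):
            d["acl"].setdefault(m[1], set()).add((m[2], m[3]))
        elif m := re.match(r"crypto map \S+ \d+ set peer (.+)$", line):
            d["peers"].update(m[1].split())        # several peers may share one line
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            d["match"].add(m[1])
        elif m := re.match(r"crypto map \S+ interface (\S+)$", line):
            d["map_if"].add(m[1])
        elif m := re.match(r"crypto isakmp enable (\S+)$", line):
            d["isakmp_if"].add(m[1])
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            tg = m[1]
        elif (m := re.match(r"(?:ikev1 )?pre-shared-key (\S+)$", line)) and tg:
            d["tg"][tg] = m[1]
        elif m := re.match(r"(?:encryption|hash) (\S+)$", line):
            d["algs"].add(m[1])
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            d["algs"].update(m[1].split())
    return d

def check_side(local, remote, label):
    """Can every crypto-map interface of `local` bring the tunnel up toward `remote`?"""
    out = []
    for ifname in sorted(local["map_if"]):
        ip = local["if"].get(ifname)
        if ifname not in local["isakmp_if"]:
            out.append(f"{label}: isakmp not enabled on {ifname}")
        if ip not in remote["peers"]:
            out.append(f"{label}: remote 'set peer' list lacks {ip} ({ifname})")
        if ip not in remote["tg"]:
            out.append(f"{label}: remote has no tunnel-group for {ip} ({ifname})")
    # The remote crypto ACL must be the exact mirror image of the local one.
    l_acl = {e for a in local["match"] for e in local["acl"].get(a, ())}
    r_acl = {e for a in remote["match"] for e in remote["acl"].get(a, ())}
    out += [f"{label}: ACL entry {s}->{d} not mirrored on remote"
            for s, d in sorted(l_acl) if (d, s) not in r_acl]
    return out

def audit(cfg_a, cfg_b):
    """Both directions, the shared PSK, and the legacy-algorithm inventory for the pair."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    a_ips, b_ips = set(a["if"].values()), set(b["if"].values())
    keys = {k for p, k in a["tg"].items() if p in b_ips} | {k for p, k in b["tg"].items() if p in a_ips}
    shared = [] if len(keys) == 1 else ["pre-shared-key mismatch between the two ASAs"]
    return {"asa1": check_side(a, b, "asa1"), "asa2": check_side(b, a, "asa2"),
            "shared": shared, "legacy_algorithms": sorted((a["algs"] | b["algs"]) & LEGACY)}
```

Run `audit(ASA1, ASA2)` and the four finding lists come back empty for the page's configuration, with the legacy list naming 3DES, MD5 and DES; delete `1.1.2.10` from ASA2's `set peer` line, or the `crypto isakmp enable secondary` line from ASA1, and the report shows exactly why the tunnel would still come up over the primary ISP but never over the secondary. The same checks apply to a production pair, where the transform set and ISAKMP policy should be moved to AES and SHA-2 before the tunnel carries anything that matters.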