  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2330
  • Last Modified:

Failover Site-to-Site VPN

I have a need to set up a failover VPN. I have two sites that each connect to the same remote site via a site-to-site VPN. The remote site has installed a failover internet connection and would like me to configure a failover VPN on my two sites.

So my two sites are a Cisco ASA 5505 and a SonicWALL TZ200 Wireless. How would I configure automatic failover VPN tunnels on my devices? Remember, I have a single Internet connection and the remote site has two Internet connections. Thanks.
0
mthsupport
Asked:
1 Solution
 
digitap Commented:
Of the site that has the two connections, do they have the Cisco or the Sonicwall?
0
 
digitap Commented:
If it is the sonicwall, then you can specify both public IP addresses in the SA.  Specify the failover in the secondary.  See the links below for KB articles on this setting.  The articles are a little old, but the concept is still valid.
http://www.sonicwall.com/downloads/Using_Secondary_IPSec_Gateway.pdf
http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=4974
0
 
mthsupport (Author) Commented:
The remote site has a Cisco SA 540 Small Business Appliance.

Thanks for the info digitap. I'll look over that and see what I can do on the SonicWALL.
0

 
digitap Commented:
And it's the Cisco that has the failover Internet connection?
0
 
mthsupport (Author) Commented:
Yes, the Cisco SA 540 at the remote site has the failover Internet connection. My two sites that connect to the remote site with SA have a SonicWALL TZ200W and a Cisco ASA 5505.

Remote site with Failover Internet
FW: Cisco SA 540
Internet connection 1 (primary)
Internet connection 2 (failover)

My site 1
FW: Cisco ASA 5505
Internet connection 1
VPN Tunnel 1 Primary
VPN Tunnel 2 Failover

My Site 2
FW: SonicWALL TZ200W
Internet connection 1
VPN tunnel 1 primary
VPN Tunnel 2 failover

How do I set up the failover VPN on my sites? The article for the SonicWALL you provided looks promising. But still nothing on the ASA.
0
 
digitap Commented:
My experience with Cisco is minimal.  However, on the sonicwall, you want to put the public IP address of the Primary internet into the IPSec Primary Gateway field and the public IP address of the failover internet into the IPSec Secondary Gateway field.  There's not much needed on the Sonicwall.  When the primary fails, then the Sonicwall will try the secondary IP address.

Now, from your configuration, it looks like you have the primary and failover connect to BOTH Cisco routers, correct?  Are the two Cisco routers in a hardware failover configuration?
0
 
mthsupport (Author) Commented:
Here is how it is done on the ASA. And just like the SonicWALL, the only way to fail back over to the primary peer (gateway) is for the secondary peer (gateway) to fail. If the secondary peer never goes offline when the primary comes back online, neither the ASA nor the SonicWALL will automatically fail over to the primary peer (gateway).

1. Configure LAN to LAN normally. On the remote end (with one ISP link), configure two peer IP addresses in the same crypto map and specify the pre-shared key with both of the peer's IPs.
2. Dead Peer Detection is required (which is turned on on the ASA by default; on routers, you would need to enable it manually).
The attributes remain the same, and the tunnel should come up fine with the secondary in case the VPN on the primary goes down.


Digitap: Thanks for the guidance on the SonicWALL. You'll get all the points.
0
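
A check for the ASA setup described in the solution above, as an added example that is not part of the original thread: it parses an ASA configuration and flags crypto map entries whose listed peers lack a tunnel-group pre-shared key or have Dead Peer Detection disabled. The sample configuration, map name, ACL name and IP addresses are constructed, and the syntax assumes ASA 8.4 or later.

```python
import re

# Constructed sample (not from the thread): ASA 8.4+ syntax, documentation-range IPs.
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10 203.0.113.10
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive disable
"""

def audit_failover_peers(config: str) -> list[str]:
    """Return findings for each crypto map entry and the peers it lists."""
    peers_by_entry = {}   # (map name, seq) -> peer IPs in failover order
    attrs = {}            # peer IP -> lines under its ipsec-attributes block
    current = None        # attribute block currently being read, if any
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) set peer (.+)", line)
        if m:
            peers_by_entry[(m.group(1), m.group(2))] = m.group(3).split()
            continue
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            current = attrs.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    findings = []
    for (name, seq), peers in peers_by_entry.items():
        if len(peers) < 2:
            findings.append(f"{name} {seq}: only one peer, no failover")
        for peer in peers:
            block = attrs.get(peer)
            if block is None or not any("pre-shared-key" in l for l in block):
                findings.append(f"{name} {seq}: no pre-shared key for peer {peer}")
            if block and any(l.startswith("isakmp keepalive disable") for l in block):
                findings.append(f"{name} {seq}: DPD disabled for peer {peer}")
    return findings

if __name__ == "__main__":
    for finding in audit_failover_peers(SAMPLE_CONFIG):
        print(finding)
```

In the constructed sample the backup peer has no key and has keepalives disabled, so the tunnel would never move to it; both conditions are reported.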
 
digitap Commented:
Thanks for the points!  Also, thanks for posting back a great description to your final solution!
0
