
Failover Site-to-Site VPN

Posted on 2010-09-02
Last Modified: 2012-05-10
I have a need to set up a failover VPN. I have two sites that each connect to the same remote site via a site-to-site VPN. The remote site has installed a failover internet connection and would like me to configure a failover VPN on my two sites.

So my two sites are a Cisco ASA 5505 and a SonicWALL TZ200 Wireless. How would I configure automatic failover VPN tunnels on my devices? Remember, I have a single Internet connection and the remote site has two Internet connections. Thanks.
Question by:mthsupport
 
LVL 33

Expert Comment

by:digitap
ID: 33588715
Of the site that has the two connections, do they have the Cisco or the Sonicwall?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588756
If it is the sonicwall, then you can specify both public IP addresses in the SA.  Specify the failover in the secondary.  See the links below for KB articles on this setting.  The articles are a little old, but the concept is still valid.
http://www.sonicwall.com/downloads/Using_Secondary_IPSec_Gateway.pdf
http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=4974
0
 

Author Comment

by:mthsupport
ID: 33591491
The remote site has a Cisco SA 540 Small Business Appliance.

Thanks for the info digitap. I'll look over that and see what I can do on the SonicWALL.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33591522
And it's the Cisco that has the failover Internet connection?
0
 

Author Comment

by:mthsupport
ID: 33595890
Yes, the Cisco SA 540 at the remote site has the failover Internet connection. My two sites that connect to the remote site with SA have a SonicWALL TZ200W and a Cisco ASA 5505.

Remote site with Failover Internet
FW: Cisco SA 540
Internet connection 1 (primary)
Internet connection 2 (failover)

My site 1
FW: Cisco ASA 5505
Internet connection 1
VPN Tunnel 1 Primary
VPN Tunnel 2 Failover

My Site 2
FW: SonicWALL TZ200W
Internet connection 1
VPN tunnel 1 primary
VPN Tunnel 2 failover

How do I set up the failover VPN on my sites? The article for the SonicWALL you provided looks promising. But still nothing on the ASA.
0
 
LVL 33

Accepted Solution

by:
digitap earned 2000 total points
ID: 33596234
My experience with Cisco is minimal.  However, on the sonicwall, you want to put the public IP address of the Primary internet into the IPSec Primary Gateway field and the public IP address of the failover internet into the IPSec Secondary Gateway field.  There's not much needed on the Sonicwall.  When the primary fails, then the Sonicwall will try the secondary IP address.

Now, from your configuration, it looks like you have the primary and failover connect to BOTH Cisco routers, correct?  Are the two Cisco routers in a hardware failover configuration?
0
 

Author Comment

by:mthsupport
ID: 33626826
Here is how it is done on the ASA. And just like the SonicWALL, the only way to fail back over to the primary peer (gateway) is for the secondary peer (gateway) to fail. If the secondary peer never goes offline when the primary comes back online, neither the ASA nor the SonicWALL will automatically fail over to the primary peer (gateway).

1. Configure LAN to LAN normally. On the remote end (with one ISP link), configure two peer IP addresses in the same crypto map and specify pre-shared-key with both of the peers' IPs.
2. Dead Peer Detection is required (which is turned on by default on the ASA; on routers, you would need to enable it manually).
The attributes remain the same, and the tunnel should come up fine with the secondary in case the VPN on the primary goes down.


Digitap: Thanks for the guidance on the SonicWALL. You'll get all the points.
0
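The two ASA steps in the comment above can be checked against a saved configuration; the following is an added example, not code from the thread or from Cisco. It flags crypto map entries where a listed peer has no tunnel-group with a pre-shared key or where DPD has been disabled. The map name, ACL name, transform-set name, documentation IP addresses and key in the sample are constructed assumptions, and the sample uses the older `pre-shared-key` form while the check also accepts `ikev1 pre-shared-key`.

```python
import re

# Constructed ASA configuration (documentation IPs, placeholder key); not from the thread.
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER_KEY
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key PLACEHOLDER_KEY
"""

def audit_failover_peers(config):
    """Map each crypto map entry ("NAME SEQ") to a list of failover problems."""
    peers_by_entry, groups, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) set peer (.+)", line)
        if m:  # peers are tried in the order listed
            peers_by_entry.setdefault(f"{m[1]} {m[2]}", []).extend(m[3].split())
        g = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if g:  # DPD defaults to on, as the thread notes for the ASA
            current = groups.setdefault(g[1], {"psk": False, "dpd": True})
        elif not line.startswith(" "):
            current = None  # left the tunnel-group sub-mode
        elif current is not None:
            opt = line.strip()
            if re.match(r"(ikev1 )?pre-shared-key \S+", opt):
                current["psk"] = True
            elif opt.startswith("isakmp keepalive") and "disable" in opt:
                current["dpd"] = False
    report = {}
    for entry, peers in peers_by_entry.items():
        problems = [] if len(peers) > 1 else ["no backup peer configured"]
        for peer in peers:
            group = groups.get(peer)
            if group is None or not group["psk"]:
                problems.append(f"{peer}: no tunnel-group with pre-shared key")
            elif not group["dpd"]:
                problems.append(f"{peer}: DPD (isakmp keepalive) disabled")
        report[entry] = problems
    return report

if __name__ == "__main__":
    print(audit_failover_peers(SAMPLE_CONFIG))
```

An empty problem list for an entry means both peers are keyed and DPD is left enabled, which is what lets the ASA notice the dead primary and move to the secondary.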
 
LVL 33

Expert Comment

by:digitap
ID: 33627008
Thanks for the points!  Also, thanks for posting back a great description to your final solution!
0
