Yeah, in the CCIE lab we could make it work... but for a real-world deployment I'm afraid this is just too much of a pain in the butt to be realistic. Thanks for the suggestions and time, but I think I will be sticking with VTI --> VTI on IOS-based routers for the time being.

On Tue, May 15, 2012 at 10:37 AM, Piotr Matusiak <[email protected]> wrote:
> Joe,
>
> ASA does not support dynamic routing over the IPSec tunnel because IPSec
> itself does not support mcast traffic. What about using a unicast-based
> routing protocol like OSPF (neighbor command)? That would do the trick, I
> believe.
>
> Regards,
> Piotr
>
> -----Original Message-----
> From: Joe Astorino
> Sent: Tuesday, May 15, 2012 4:34 PM
> To: Piotr Matusiak
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] DPD preemption?
>
> I'm sure I am misunderstanding you, because as you know the ASA cannot
> do dynamic routing over IPSEC due to its lack of support for GRE or
> VTI and thus multicast. So with that being said, what do you mean by
> dynamic routing?
>
> Thanks for your thoughts, gents.
>
> On Tue, May 15, 2012 at 12:38 AM, Piotr Matusiak <[email protected]> wrote:
>> One more thought. What about setting up two crypto-map-based tunnels with
>> dynamic routing on them, preferring the nearest site?
>>
>> Regards,
>> Piotr
>>
>> -----Original Message-----
>> From: Joe Astorino
>> Sent: Monday, May 14, 2012 11:55 PM
>> To: Piotr Matusiak
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] DPD preemption?
>>
>> Sounds like the best option is to continue to use VTI with routers at
>> remote sites terminating to routers at the head end. A shame the ASA
>> is not a bit more versatile in its capabilities :(
>>
>> On Mon, May 14, 2012 at 4:47 PM, Piotr Matusiak <[email protected]> wrote:
>>> Hi Joe,
>>>
>>> EEM is the option for you. I don't recall any other option now.
>>>
>>> Regards,
>>> Piotr
>>>
>>> -----Original Message-----
>>> From: Joe Astorino
>>> Sent: Monday, May 14, 2012 9:02 PM
>>> To: Mohamed Gazzaz
>>> Cc: [email protected]
>>> Subject: Re: [OSL | CCIE_Security] DPD preemption?
>>>
>>> I appreciate that, but I have indeed read all those papers. HSRP and
>>> SSO do not help me because the primary ASA is in Michigan and the
>>> secondary ASA is in London, UK.
>>>
>>> The goal is to have a remote-site router closer to the US have a
>>> primary IPSEC connection to the Michigan ASA and a backup IPSEC
>>> connection to the London ASA, while a site closer to Europe would be
>>> the opposite. The remote-site routers have only a single internet
>>> connection. Today it works because instead of an ASA at the head ends
>>> I have IOS routers with VTI interfaces, and thus I run BGP, which takes
>>> care of things. I am looking for a simpler design and to utilize the
>>> ASAs instead.
>>>
>>> On Mon, May 14, 2012 at 2:24 PM, Mohamed Gazzaz <[email protected]> wrote:
>>>> Hi Joe,
>>>>
>>>> Please have a look at the following links (they might give you an idea):
>>>>
>>>> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859.html
>>>>
>>>> https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links
>>>>
>>>> http://blog.ine.com/2008/11/06/ipsec-vpn-high-availability-with-hsrp/
>>>>
>>>> Regards,
>>>> Mohamed Gazzaz
>>>>
>>>>> Date: Mon, 14 May 2012 12:57:56 -0400
>>>>> From: [email protected]
>>>>> To: [email protected]
>>>>> Subject: [OSL | CCIE_Security] DPD preemption?
>>>>>
>>>>> Hello,
>>>>>
>>>>> I am working on a design trying to accomplish the following: I have
>>>>> two ASAs that need to terminate L2L IPSEC tunnels to some remote
>>>>> sites, but they are in different regions of the world. The idea is
>>>>> that a remote site will have a tunnel to the ASA closest to the site,
>>>>> and a backup tunnel to the other. I believe I can accomplish this by
>>>>> having a crypto map on the remote router with two "set peer" commands
>>>>> on the same crypto map line. It looks like dead peer detection will
>>>>> detect if the primary link goes down and fail over to the secondary,
>>>>> but I don't see a way to make it recover after the primary comes back
>>>>> up. Is there a way to accomplish that?
>>>>>
>>>>> I would want it to fail back over to the primary because the primary
>>>>> will be geographically closer and yield better response times.
>>>>>
>>>>> Is there a better way to do something like this?
>>>>>
>>>>> --
>>>>> Regards,
>>>>>
>>>>> Joe Astorino
>>>>> CCIE #24347
>>>>> http://astorinonetworks.com
>>>>>
>>>>> "He not busy being born is busy dying" - Dylan

--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
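The remote-site configuration the original question describes (one crypto map entry with two `set peer` lines and DPD doing the failover), together with the two fail-back mechanisms the thread circles around, written out as an added example. This is not configuration from the thread or from any of its participants; the peer addresses (198.51.100.1 for the Michigan head end, 203.0.113.1 for London), the LAN prefixes, the pre-shared keys and the object names are all constructed for illustration. It assumes an IOS release that has the IPsec Preferred Peer feature (`set peer ... default`) and EEM applets; the head ends can be ASAs or routers, since the remote side is a plain crypto map either way.

```cisco
! ===== Remote-site IOS router (example, constructed addresses) =====
! DPD: periodic probes every 10 s, peer declared dead after 3 misses.
! This is what makes the crypto map move to the second "set peer".
crypto isakmp keepalive 10 3 periodic

crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! one PSK per head end (sample values, not real keys)
crypto isakmp key MI-PSK-sample address 198.51.100.1
crypto isakmp key UK-PSK-sample address 203.0.113.1

crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel

! interesting traffic: this site's LAN to the corporate 10/8 behind either head end
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255

crypto map HEADEND 10 ipsec-isakmp
 ! Michigan is listed first and flagged "default" (IPsec Preferred Peer).
 ! Without the keyword a fresh negotiation after a failover goes to the
 ! next peer in the list; with it, the next negotiation goes back to
 ! Michigan. It only takes effect when a new SA is negotiated, i.e. after
 ! the London SA has been torn down; an active backup SA is never preempted.
 set peer 198.51.100.1 default
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
 ! Drop the SA after 120 s without traffic, so a quiet site drifts back
 ! to Michigan on its own once Michigan answers again.
 set security-association idle-time 120

interface GigabitEthernet0/0
 description Internet uplink (single ISP)
 ip address dhcp
 crypto map HEADEND

! ===== Forced fail-back with EEM (the option Piotr points at) =====
! Probe the primary peer's public address every 10 s ...
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now

! ... and track it, waiting 30 s of continuous reachability before
! declaring "up", so a flapping path does not churn the tunnel.
track 1 ip sla 1 reachability
 delay up 30

! When Michigan becomes reachable again, clear the session to London.
! The next packet matching VPN-TRAFFIC triggers a new negotiation, which
! the default-peer setting sends to 198.51.100.1.
event manager applet FAILBACK-TO-MICHIGAN
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto session remote 203.0.113.1"
 action 3.0 syslog msg "Primary VPN peer reachable again; cleared session to 203.0.113.1"
```

Two caveats a practitioner would want before copying this. ICMP reachability is not IKE reachability: the applet clears the London session on the strength of a ping, and if Michigan answers ICMP but cannot complete IKE (ACL, PSK, or a policy mismatch after a change on that side) the site will fail over again, with the `delay up 30` and the DPD timers bounding how often that can happen. Second, `clear crypto session` is disruptive: existing flows lose a few seconds while the new SA comes up, so the track-based applet is only worth it where the latency difference between the two head ends matters more than an occasional short blip; the idle-timer route is gentler but only fails back when the site goes quiet. If the head end is an ASA, it also needs `icmp permit` for the probe source on its outside interface or the SLA probe will never see the peer as reachable.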
