This video demonstrates the complete implementation of a Cisco ASAv Active/Standby failover topology combined with an IKEv2 Site-to-Site IPsec VPN tunnel in an EVE-NG lab environment. The objective is to establish secure and resilient connectivity between two geographically separated networks while keeping the firewall layer highly available. End-to-end communication is verified between VPC1 (192.168.1.10) at the local site and VPC2 (172.16.10.20) at the remote site through the encrypted VPN tunnel.
The topology consists of a local site, an ISP/WAN segment, and a remote site. The local site includes VPC1, a vIOS router, a hardened Layer-2 switch, and an ASAv firewall pair configured in Active/Standby failover mode. The remote site includes a single ASAv firewall and VPC2, while WAN connectivity is provided by an ISP router and switch. Two dedicated direct links connect the two local ASAv units: a Failover (LAN) link (20.0.0.0/24) that carries hello keepalives, role negotiation, and configuration replication, and a Stateful link (10.0.0.0/24) that replicates connection state, NAT translations, and VPN security associations to the standby unit so that existing sessions survive a failover.
The lab begins with IP addressing on end devices and routers, followed by routing configuration using a combination of static default routes and OSPF. An IKEv2 Site-to-Site VPN is then configured on both ASAv firewalls with strong cryptographic parameters: AES-256 encryption, SHA-256 integrity, Diffie-Hellman group 14, and pre-shared key authentication. Interesting traffic is defined with an access-list that matches only the two LAN prefixes, NAT exemption (identity NAT) is applied so VPN traffic is not translated before it is matched against the crypto ACL, and the crypto map is bound to the outside interface of each firewall. Pre-shared keys are the weakest element of this design and should be long, random, and unique per peer.
To enhance security at Layer 2, the switch connecting the internal network is hardened using industry best practices: PVST with the extended system-ID, loop guard, DHCP snooping, BPDU Guard, PortFast edge on access ports, MAC address port-security, and shutdown of unused interfaces. The HTTP and HTTPS servers are disabled and DNS lookups are turned off to reduce the switch's management attack surface.
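The Layer-2 hardening steps listed above as one switch configuration, added here as an example (not the configuration from the video). The port map is an assumption: VLAN 10 as the access VLAN, GigabitEthernet0/0 as the uplink toward the ASAv pair, GigabitEthernet0/1 toward VPC1, and GigabitEthernet0/2-3 unused.

```cisco
! Added example, not from the video. Assumed port map: Gi0/0 uplink,
! Gi0/1 VPC1 access port, Gi0/2-3 unused, access VLAN 10.

! --- Spanning tree: PVST with extended system-ID, root pinned here,
!     loop guard on every non-designated port ---
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 10 root primary
spanning-tree loopguard default

! --- DHCP snooping: only the uplink is allowed to answer DHCP ---
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option

! --- Uplink: trusted for DHCP, no PortFast, no port-security ---
interface GigabitEthernet0/0
 description UPLINK-TO-ASA
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ip dhcp snooping trust

! --- Host port: PortFast edge plus BPDU Guard (err-disable on any BPDU)
!     and one sticky MAC. Older IOS spells the PortFast line
!     "spanning-tree portfast" without the "edge" keyword ---
interface GigabitEthernet0/1
 description VPC1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown

! --- Unused ports: parked in an unused VLAN and shut down ---
vlan 999
 name PARKING
interface range GigabitEthernet0/2 - 3
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown

! --- Management services that are not needed ---
no ip http server
no ip http secure-server
no ip domain-lookup

! --- Verification ---
show spanning-tree summary
show ip dhcp snooping
show port-security interface GigabitEthernet0/1
show interfaces status
```

Two things worth checking after applying this: a port err-disabled by BPDU Guard or a port-security violation stays down until it is bounced or err-disable recovery is configured, and the sticky MAC must be saved with the running configuration or it is lost on reload.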
The video also addresses a common real-world issue encountered during ASA high availability deployment, where failover remains in a Failed or Negotiation state because the failover and stateful interfaces are still administratively shut down (ASA physical interfaces are shut down by default). The issue is resolved by explicitly enabling the Failover and Stateful interfaces with no shutdown on both ASAv units, after which configuration synchronization occurs automatically and the pair transitions to Active / Standby Ready. State replication and VPN continuity are then verified with show failover, show crypto ikev2 sa, and packet-tracer.
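The failover configuration for the local ASAv pair, including the fix the video describes, as an added example (not the configuration from the video). The failover and stateful subnets are the ones the topology uses; the interface assignments (GigabitEthernet0/2 for failover, GigabitEthernet0/3 for state), the data-interface addresses, and the standby addresses are assumptions.

```cisco
! Added example, not from the video. Assumed: Gi0/2 = failover link
! (20.0.0.0/24), Gi0/3 = stateful link (10.0.0.0/24); data-interface
! addresses are illustrative.

! ===== Primary unit =====
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link STATELINK GigabitEthernet0/3
failover interface ip FOLINK 20.0.0.1 255.255.255.0 standby 20.0.0.2
failover interface ip STATELINK 10.0.0.1 255.255.255.0 standby 10.0.0.2
! Without a key, config replication (including the VPN pre-shared key)
! crosses the failover link in clear text.
failover key REPLACE-WITH-SHARED-SECRET
!
! The fix from the video: ASA interfaces default to shutdown. Until these
! two interfaces are up, "show failover" stays at Failed / Negotiation.
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
! Data interfaces need a standby address so the standby unit can monitor
! them and take over the active address on failover.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.3
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
failover

! ===== Secondary unit: only the failover bootstrap, the rest syncs =====
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover link STATELINK GigabitEthernet0/3
failover interface ip FOLINK 20.0.0.1 255.255.255.0 standby 20.0.0.2
failover interface ip STATELINK 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover key REPLACE-WITH-SHARED-SECRET
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
failover

! ===== Verification, on the active unit and then on the standby =====
! Expect "Primary - Active" and "Other host: Secondary - Standby Ready".
show failover
show failover state
! The same IKEv2 SAs listed on both units means stateful replication works.
show crypto ikev2 sa
show conn count
packet-tracer input inside icmp 192.168.1.10 8 0 172.16.10.20
```

To exercise the design rather than just read its state, run a continuous ping from VPC1 to 172.16.10.20, issue no failover active on the active unit, and confirm the ping survives and show crypto ikev2 sa on the new active unit still lists the tunnel without a fresh negotiation.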
The final verification confirms uninterrupted encrypted connectivity between both sites, including successful ICMP traffic across the VPN tunnel once the pair has settled into Active / Standby Ready. This lab serves as a practical reference for enterprise firewall deployment, VPN configuration, failover troubleshooting, and secure network design using Cisco ASAv.