Redundant Hub and Spoke IPsec VPN Configuration

Unanswered Question
Jul 30th, 2010

I would like to encrypt traffic between a central hub and remote sites.  Each location has redundant routers where we use VRRP for redundancy.

Here's the config:

         ------------------------             ------------------------
        |ASR 1002                |           |ASR 1002                |
        |hostname: router100a    |           |hostname: router100b    |
        |interface Gi0/0/0       |   Hub     |interface Gi0/0/0       |
        | ip address 10.0.0.1/24 |   Site    | ip address 10.0.0.2/24 |
        | vrrp ip 10.0.0.254/24  |           | vrrp ip 10.0.0.254/24  |
         --------------------|---             ---|--------------------
                             |                   |
         --------------------|-------------------|-------------------------
        |                                                                  |
         ------------|----|-----------|-|-------------------------|----|---
                     |     \          | |                         |     \
         Site #1     |      \         | |        Site #3          |      \
--------------------|---    \        | |     --------------------|---    \
|Cisco 3845              |    |       | |    |Cisco 3845              |    |
|hostname: router101a    |    |       | |    |hostname: router103a    |    |
|interface Gi0/0/0       |    |       | |    |interface Gi0/0/0       |    |
| ip address 10.0.1.1/24 |    |       | |    | ip address 10.0.3.1/24 |    |
| vrrp ip 10.0.1.254/24  |    |       | |    | vrrp ip 10.0.3.254/24  |    |
------------------------     |       | |     ------------------------     |
          --------------------|---    | |              --------------------|---
         |Cisco 3845              |   | |             |Cisco 3845              |
         |hostname: router101b    |   | |             |hostname: router103b    |
         |interface Gi0/0/0       |   | |             |interface Gi0/0/0       |
         | ip address 10.0.1.2/24 |   |  \            | ip address 10.0.3.2/24 |
         | vrrp ip 10.0.1.254/24  |   |   \           | vrrp ip 10.0.3.254/24  |
          ------------------------    |    \           ------------------------
                                      |     \
                     Site #2          |      \
                  --------------------|---    \
                 |Cisco 3845              |    |
                 |hostname: router102a    |    |
                 |interface Gi0/0/0       |    |
                 | ip address 10.0.2.1/24 |    |
                 | vrrp ip 10.0.2.254/24  |    |
                  ------------------------     |
                           --------------------|---
                          |Cisco 3845              |
                          |hostname: router102b    |
                          |interface Gi0/0/0       |
                          | ip address 10.0.2.2/24 |
                          | vrrp ip 10.0.2.254/24  |
                           ------------------------

As I looked into implementing IPsec VPNs on the ASR 1002 units at the hub, it appears that I need to create a logical interface for each remote site since only one "crypto map" statement is allowed per interface.  Is this the case?

Currently we have VRRP configured on the physical interface.  If logical interfaces are required at the hub, do we need to configure VRRP on each logical interface as well?

Some other questions:

  • Are there any examples of configuring IPsec tunnels with redundancy provided via VRRP?
  • Do the tunnel end-points fail over well or will there need to be a phase 1/phase 2 negotiation again?
  • Are there any better options?

Thanks!

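
As an added example (not configuration from the original post), here is the shape of a single crypto map on one hub ASR that carries all three sites as separate sequence entries bound to the one physical interface, with two `set peer` lines per entry and Dead Peer Detection so that a failed spoke or hub router is noticed and the surviving router negotiates fresh SAs. The transport addresses are the ones in the diagram; the map and transform-set names, the pre-shared keys and the LAN prefixes 192.168.0.0/24 behind the hub and 192.168.N.0/24 behind site N are assumptions.

```cisco
! Hub router100a (added example). router100b carries the same crypto
! configuration on its own Gi0/0/0 address, 10.0.0.2.
! Assumed: 192.168.0.0/24 behind the hub, 192.168.N.0/24 behind site N;
! names and pre-shared keys are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! Dead Peer Detection: probe every 10 s, retry every 3 s, so a dead peer is
! declared in roughly 20 s and the next "set peer" in the entry is tried.
crypto isakmp keepalive 10 3 periodic
!
! One key per remote physical address. VRRP virtual IPs are not IKE
! endpoints; each router of a pair is its own peer.
crypto isakmp key SITE1-PSK address 10.0.1.1
crypto isakmp key SITE1-PSK address 10.0.1.2
crypto isakmp key SITE2-PSK address 10.0.2.1
crypto isakmp key SITE2-PSK address 10.0.2.2
crypto isakmp key SITE3-PSK address 10.0.3.1
crypto isakmp key SITE3-PSK address 10.0.3.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACLs: what gets encrypted toward each site (hub's point of view).
ip access-list extended TO-SITE1
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended TO-SITE2
 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended TO-SITE3
 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! One crypto map, three entries (sequence 10/20/30), one peer pair each.
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 10.0.1.1
 set peer 10.0.1.2
 set transform-set TS-AES
 match address TO-SITE1
crypto map HUB-MAP 20 ipsec-isakmp
 set peer 10.0.2.1
 set peer 10.0.2.2
 set transform-set TS-AES
 match address TO-SITE2
crypto map HUB-MAP 30 ipsec-isakmp
 set peer 10.0.3.1
 set peer 10.0.3.2
 set transform-set TS-AES
 match address TO-SITE3
!
! The single map is bound to the physical interface; VRRP stays where it is.
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
 vrrp 1 ip 10.0.0.254
 crypto map HUB-MAP
!
! Spoke router101a mirrors this with one entry pointing at both hub routers
! (router101b is identical on 10.0.1.2):
! ip access-list extended TO-HUB
!  permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
! crypto map SPOKE-MAP 10 ipsec-isakmp
!  set peer 10.0.0.1
!  set peer 10.0.0.2
!  set transform-set TS-AES
!  match address TO-HUB
```

Two caveats a practitioner would want before relying on this. First, nothing here synchronises SAs between router100a and router100b: when the forwarding router changes (VRRP re-election, DPD timeout), the new one runs a full phase 1 and phase 2 with the peer, so there is an outage of several seconds plus the DPD detection time. The IOS stateful IPsec failover feature (`crypto map ... redundancy ... stateful`) hides that, but it binds to an HSRP group, not VRRP, so using it means moving that interface from VRRP to HSRP. Second, because the crypto ACLs here are single prefixes, any return traffic that leaves the hub via the router without a current SA simply triggers that router to negotiate its own; make sure both hub routers are allowed to do so (keys and map entries on both, as above) or the standby hub will silently drop clear-text.
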
manish arora Fri, 07/30/2010 - 17:32

I have no answer to your questions, but I want to be on this mailing list, as I have a similar project coming up, so I can also see what the experts comment on it.

Manish

cciesec2011 Fri, 07/30/2010 - 17:33

Are you doing this over the Internet or over an MPLS network?

If you're going to do it over the Internet, DMVPN with getVPN is the way to go since all of your equipment is Cisco.

If you're going to do it over an MPLS network, then getVPN is good enough.

bhunsaker_2 Sat, 07/31/2010 - 18:37

cciesec2011 wrote:

Are you doing this over the Internet or over an MPLS network?

If you're going to do it over the Internet, DMVPN with getVPN is the way to go since all of your equipment is Cisco.

If you're going to do it over an MPLS network, then getVPN is good enough.

My particular case is a campus network where we have run single-mode fiber between buildings.

So no Internet, no MPLS, just simple, old-fashioned static routes on a private network.

I was not aware of DMVPN so I will look at this.  On the other hand, I was hoping to just define static routes and avoid the use of EIGRP or OSPF.

Thanks.

P.S.  My ASCII network layout looks awful although I thought I had specified a fixed-width font.  Anyone who is interested should just paste the diagram into an ASCII editor to see it better.

Rahul Govindan Sun, 08/01/2010 - 05:25

If it's an internal network, you can use GETVPN to set up IPsec between the branches. This will use native routing (for your case, static routes).

The deployment guide is given below:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/deployment_guide_c07_554713.html

Please check the supported platforms for Key server (the device that pushes IPsec policies to members) and Group members (the devices actually taking part in the encryption domain), as I believe Key server is not supported on an ASR.

bhunsaker_2 Mon, 08/02/2010 - 08:58

rahgovin wrote:

Please check the supported platforms for Key server (the device that pushes IPsec policies to members) and Group members (the devices actually taking part in the encryption domain), as I believe Key server is not supported on an ASR.

Thanks for suggesting GETVPN.  There is a lot to like about it but, as you noted, the ASR 1000 series isn't a supported key server.  I don't have any other devices at the hub to take on this role.  Would it make sense to buy a pair of cheap 870s and configure them as cooperative (redundant) key servers?  In this case could the GETVPN be configured to route everything through the much more powerful ASR 1002s, leaving the 870s to do nothing but rekey and hand out policies?

I thought that maybe the 3845s at the "spoke" end-points could be key servers, but a key server can't be a group member.  I don't understand why a key server can't be a group member as well.

Rahul Govindan Mon, 08/02/2010 - 09:07

Yes, you can have other routers doing the actual key server role; as you rightly pointed out, they only have to hand out policies and rekey. The only thing is they have to support key server functionality. The ASR can be used as the group member.

And I believe right now they don't have the functionality for key server and group member in the same IOS, but I believe it might turn up soon on newer code. But just to let you know, it is on the roadmap.

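To make the cooperative key server layout discussed in the last few posts concrete, here is an added example (not configuration from the thread or from Cisco's deployment guide) of one of the two key servers and of one group member. Assumed: the two small key-server routers sit on a hub LAN at 10.0.9.1 and 10.0.9.2 (reachable from every site by the existing static routes), an RSA key pair labelled GDOI-REKEY is generated on the primary and exported to the secondary so both sign rekeys with the same key, the group is called CAMPUS with identity number 100, and all site LANs fall inside 192.168.0.0/16. The ASRs and 3845s are all group members and the key servers carry no crypto map, which is the split the thread arrives at.

```cisco
! ===== Primary cooperative key server, assumed address 10.0.9.1 (added example) =====
! Once, in exec mode on the primary, then export/import the pair to 10.0.9.2:
!   crypto key generate rsa general-keys label GDOI-REKEY modulus 2048 exportable
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! IKE is used only for member registration and for KS<->KS (COOP) traffic,
! so one key per peer address; avoid a 0.0.0.0 0.0.0.0 wildcard key.
crypto isakmp key COOP-PSK address 10.0.9.2
crypto isakmp key GM-PSK address 10.0.0.1
crypto isakmp key GM-PSK address 10.0.0.2
crypto isakmp key GM-PSK address 10.0.1.1
crypto isakmp key GM-PSK address 10.0.1.2
! ... one line per remaining member address (10.0.2.x, 10.0.3.x)
!
crypto ipsec transform-set GDOI-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile GDOI-PROF
 set transform-set GDOI-TS
!
! Traffic policy pushed to every member. Deny lines come first: the GDOI
! control plane itself (UDP 848) and link-local multicast (VRRP advertisements
! go to 224.0.0.18) must never be caught by the encryption policy.
ip access-list extended GDOI-POLICY
 deny   udp any eq 848 any eq 848
 deny   ip any 224.0.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
crypto gdoi group CAMPUS
 identity number 100
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GDOI-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROF
   match address ipv4 GDOI-POLICY
   replay counter window-size 64
  address ipv4 10.0.9.1
  redundancy
   local priority 100
   peer address ipv4 10.0.9.2
! The secondary is identical except: address ipv4 10.0.9.2,
! local priority 90, peer address ipv4 10.0.9.1, and COOP-PSK for 10.0.9.1.
!
! ===== Group member, hub router100a (spokes identical apart from interface) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key GM-PSK address 10.0.9.1
crypto isakmp key GM-PSK address 10.0.9.2
!
! Register with either key server; both hand out the same group SA.
crypto gdoi group CAMPUS
 identity number 100
 server address ipv4 10.0.9.1
 server address ipv4 10.0.9.2
!
crypto map GDOI-MAP 10 gdoi
 set group CAMPUS
!
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
 vrrp 1 ip 10.0.0.254
 crypto map GDOI-MAP
```

This answers the original poster's failover question differently from a pairwise IPsec design: every registered member holds the same group SAs, so when VRRP moves the master role from router100a to router100b there is no phase 1 or phase 2 to redo; the new master already has the keys and encrypts the next packet. The trade-offs are that the key servers become the trust anchor for the whole campus (restrict who can reach UDP 848 on them and who can log in), that the policy ACL is pushed from the key server and overrides anything configured locally on a member, and that a member which loses both key servers keeps encrypting only until its current SA lifetime expires.
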