09-15-2010 09:01 AM
Hi,
We have a few clients that we establish VPNs with. The ones that use Juniper routers for VPNs want to establish a failover configuration where our VPN would dynamically route over a VPN to their secondary peer address. Their secondary peer address is on their own backup internet circuit.
They have no problem with making the failover dynamic on their side.
We have to manually change a static route to point to their secondary peer address as the gateway for their internal network before the traffic takes the secondary path. Since this client is on the other side of the world, this involves waking the oncall engineer in the middle of the night which is inherently a kludgey process.
Here's our config. I'm open to suggestions. These IPs are fictitious, of course, and we proxy-route the public IP through the internet firewall to enable the public loopback. Inside and outside VPN router interfaces are privately addressed.
The routes we have to change to route to their secondary peer would be these statics:
~~~~~
no ip route 192.168.1.0 255.255.255.0 a.a.a.a
ip route 192.168.1.0 255.255.255.0 b.b.b.b
~~~~~
10.1.x.0 and 10.1.y.0 are our local networks.
~~~~~
crypto map CryptoMap local-address Loopback0
crypto map CryptoMap 180 ipsec-isakmp
 description VPN to client - both peers required!!!
 set peer a.a.a.a
 set peer b.b.b.b
 set security-association lifetime kilobytes 4096
 set transform-set Transform
 set pfs group2
 match address Client-networks
interface Loopback0
 ip address 11.11.11.11 255.255.255.0
 crypto map CryptoMap
ip route 192.168.1.0 255.255.255.0 a.a.a.a
ip route a.a.a.a 255.255.255.0 [firewall]
ip route b.b.b.b 255.255.255.0 [firewall]
ip access-list extended Client-networks
 permit ip 10.1.x.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.1.y.0 0.0.0.255 192.168.1.0 0.0.0.255
~~~~~
Thanks,
Carl King
09-15-2010 09:26 AM
You can use SLA feature on ASA.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1793355
Here is the example from the above link.
The following example uses an SLA operation to install a default route to the 10.1.1.1 gateway on the outside interface. The SLA operation monitors the availability of that gateway. If the SLA operation fails, then the backup route on the dmz interface is used.
~~~~~
hostname(config)# sla monitor 123
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
hostname(config-sla-monitor-echo)# timeout 1000
hostname(config-sla-monitor-echo)# frequency 3
hostname(config)# sla monitor schedule 123 life forever start-time now
hostname(config)# track 1 rtr 123 reachability
hostname(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.1 track 1
hostname(config)# route dmz 0.0.0.0 0.0.0.0 10.2.1.1 254
~~~~~
09-15-2010 11:13 AM
I like that feature Yudong. Wish we had an ASA.
I've got a pair of Cisco 2851's.
09-15-2010 11:34 AM
Carl,
SLA was adapted to ASA from IOS ;-)
~~~~~
BB_967(config)#ip route 0.0.0.0 0.0.0.0 1.2.3.4 track ?
  <1-500>  tracked object number
~~~~~
http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hspaecho.html#wp1027265
HTH,
Marcin
edit: added link
09-15-2010 11:46 AM
Ah. Good. Thanks for pointing it out. I found it now.
~~~~~
VPN02(config)#ip sla monitor ?
  <1-2147483647>          Entry Number
  apm                     IP SLA Monitor APM Configuration
  group                   Group configuration or Group scheduling
  key-chain               Use MD5 authentication for IP SLA Monitor control message
  logging                 Enable logging
  low-memory              Configure low water memory mark
  reaction-configuration  IP SLA Monitor Reaction Configuration
  reaction-trigger        IP SLA Monitor trigger assignment
  reset                   IP SLA Monitor Reset
  responder               Enable IP SLA Monitor Responder
  restart                 Restart an active entry
  schedule                IP SLA Monitor Entry Scheduling
  slm                     Service Level Management
~~~~~
09-15-2010 11:41 AM
Did you see the link which I posted is for ASA not router?
09-15-2010 11:48 AM
Yes, I am just not familiar with the ASA and assumed the feature was platform specific.
I see now that it works on IOS.
I think I can make this work for this client.
Thanks.
Carl
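Putting Marcin's pointer together with Carl's posted config, here is an added example (not from the thread or from Cisco's documentation) of an IOS tracked static route that swaps the 192.168.1.0/24 next hop from a.a.a.a to b.b.b.b on its own. The SLA entry and track numbers, the timers, the ICMP probe to the primary peer address, and the DPD keepalive values are assumptions.

```cisco
! Added example: tracked static route for the client's primary VPN peer.
! Probe the primary peer a.a.a.a with ICMP echo every 10 seconds, sourced
! from the public loopback so the probe follows the same path as the VPN.
! Uses the "ip sla monitor" syntax shown in Carl's "ip sla monitor ?" output.
ip sla monitor 10
 type echo protocol ipIcmpEcho a.a.a.a source-interface Loopback0
 timeout 1000
 frequency 10
ip sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows the reachability of probe 10. The delay values
! (assumed) stop a single lost echo from flapping the route back and forth.
track 1 rtr 10 reachability
 delay down 30 up 60
!
! The primary route (default AD 1) stays installed only while track 1 is up;
! the floating static (AD 254) is installed when the primary is withdrawn.
ip route 192.168.1.0 255.255.255.0 a.a.a.a track 1
ip route 192.168.1.0 255.255.255.0 b.b.b.b 254
!
! Both peers remain in the crypto map as in the original config. Dead peer
! detection (assumed values) lets IKE move on to the second "set peer" when
! a.a.a.a stops answering, instead of waiting for the existing SA to expire.
crypto isakmp keepalive 10 3 periodic
```

Check the result with `show ip sla monitor statistics 10`, `show track 1` and `show ip route 192.168.1.0` while the client takes their primary circuit down and brings it back. If the client's firewall drops ICMP echo to the peer address, the probe never succeeds and the route sits on b.b.b.b permanently, so agree on a probe target that answers ICMP before scheduling the SLA entry.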