Possible failover scenarios for VPNs over primary/secondary peers

Unanswered Question
Sep 15th, 2010
User Badges:

Hi,


We have a few clients that we establish VPNs with. The ones that use Juniper routers for VPNs want to establish a failover configuration where our VPN would dynamically route over a VPN to their secondary peer address. Their secondary peer address is on their own backup internet circuit.


They have no problem with making the failover dynamic on their side.


We have to manually change a static route to point to their secondary peer address as the gateway for their internal network before the traffic takes the secondary path. Since this client is on the other side of the world, this involves waking the oncall engineer in the middle of the night which is inherently a kludgey process.


Here's our config. I'm open to suggestions. These IP's are fictitious of course and we proxy route the public IP thru the internet firewall to enable the public loopback. Inside and outside VPN router interfaces are privately addressed.


The routes we have to change to route to their secondary peer would be these statics:

no ip route 192.168.1.0 255.255.255.0 a.a.a.a

ip route 192.168.1.0 255.255.255.0 b.b.b.b


10.1.x.0 and 10.1.y.0 are our local networks.


~~~~~

crypto map CryptoMap local-address Loopback0

crypto map CryptoMap 180 ipsec-isakmp

description VPN to client - both peers required!!!

set peer a.a.a.a

set peer b.b.b.b

set security-association lifetime kilobytes 4096

set transform-set Transform

set pfs group2

match address Client-networks

interface Loopback0

ip address 11.11.11.11 255.255.255.0

crypto map CryptoMap

ip route 192.168.1.0 255.255.255.0 a.a.a.a

ip route a.a.a.a 255.255.255.0 [firewall]

ip route b.b.b.b 255.255.255.0 [firewall]

ip access-list extended Client-networks

permit ip 10.1.x.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 10.1.y.0 0.0.0.255 192.168.1.0 0.0.0.255

~~~~~

Thanks,

Carl King

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Yudong Wu Wed, 09/15/2010 - 09:26
User Badges:
  • Gold, 750 points or more

You can use SLA feature on ASA.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1793355


Here is the example from the above link.


The following example uses an SLA operation to install a default route  to the 10.1.1.1 gateway on the outside interface. The SLA operation  monitors the availability of that gateway.If the SLA operation fails,  then the backup route on the dmz interface is used.

hostname(config)# sla monitor 123
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside 
hostname(config-sla-monitor-echo)# timeout 1000
hostname(config-sla-monitor-echo)# frequency 3
hostname(config)# sla monitor schedule 123 life forever start-time now
hostname(config)# track 1 rtr 123 reachability
hostname(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.1 track 1
hostname(config)# route dmz 0.0.0.0 0.0.0.0 10.2.1.1 254

Carl King Wed, 09/15/2010 - 11:13
User Badges:

I like that feature Yudong. Wish we had an ASA.


I've got a pair of Cisco 2851's.

Carl King Wed, 09/15/2010 - 11:46
User Badges:

Ah. Good. Thanks for pointing it out. I found it now.


VPN02(config)#ip sla monitor ?
  <1-2147483647>          Entry Number
  apm                     IP SLA Monitor APM Configuration
  group                   Group configuration or Group scheduling
  key-chain               Use MD5 authentication for IP SLA Monitor control
                          message
  logging                 Enable logging
  low-memory              Configure low water memory mark
  reaction-configuration  IP SLA Monitor Reaction Configuration
  reaction-trigger        IP SLA Monitor trigger assignment
  reset                   IP SLA Monitor Reset
  responder               Enable IP SLA Monitor Responder
  restart                 Restart an active entry
  schedule                IP SLA Monitor Entry Scheduling
  slm                     Service Level Management

Yudong Wu Wed, 09/15/2010 - 11:41
User Badges:
  • Gold, 750 points or more

Did you see the link which I posted is for ASA not router?

Carl King Wed, 09/15/2010 - 11:48
User Badges:

Yes, I am just not familiar with the ASA and assumed the feature was platform specific.

I see now that it works on IOS.


I think I can make this work for this client.


Thanks.


Carl

Actions

This Discussion

Related Content