How to setup backup VPN between two universities?

Answered Question
Sep 30th, 2010

Hello, I'm a student from Greece and I have a graduation project to set up a backup VPN between two universities. Primary communication is accomplished with leased lines. I have studied a lot, but now that it is time for implementation I have some considerations:

- What hardware and IOS software do I need? Is a Cisco 1841 OK for the A-D routers?

- Use IPsec tunnel mode or IPsec GRE transport mode?

- What will be the failover mechanism switching the traffic from the leased line to the IP backup VPN and back? One professor told me something about interface priorities. I have read somewhere this is done with a routing protocol such as EIGRP. Who is right, the professor or the book? :-D

- At one site they have a firewall and NAT; do I need to do anything for that?

The attached file contains the topology that I want to implement.

Site 1 "my" spoke

Site 2 Central Site

E communicates with A, but no traffic goes to A from E under normal circumstances. Subnets on E get Internet access through F and then D. The VPN will be set up over DSL, but only traffic from specific E sources will get through the backdoor VPN (I believe the solution to this is ACLs on router A). They have no routing protocol on "my" site A, only directly connected routes and default routes.

How to implement this?

I think that the first thing I should do is A to D connectivity.

I'll try to make this in Packet Tracer first, but how can I emulate the SP network?

I will need any help I can get!!

Attachment: 
apsanghi Thu, 09/30/2010 - 06:19

Hi John,

From your problem description I understand that you have a primary leased line between the two sites (E and F) and you want the VPN tunnel (between B and C) as the backup, i.e. traffic should pass from site 1 to site 2 through the VPN tunnel only if the primary (leased line) link is down. The default gateway at site 1 is E, and when the leased line is down, E should route the traffic to A, which should then send it through the VPN tunnel to C.

-- You can use either IPsec tunnel mode or GRE transport mode; the advantage of GRE would be that you would be able to run a routing protocol between the two sites. However, since you mentioned that you are using only static routes, a normal IPsec tunnel would do.

-- We usually use default routes to route traffic to the remote end or the Internet. So, in case your primary default route is through the leased line (on router E), then you can configure SLA monitoring on router E to route traffic to router A (this is assuming that the PCs at site 1 have router E as their default gateway). Similarly, we might have to do SLA monitoring on router F as well, depending upon the routing at site 2.

-- If you have configured a firewall and NAT on any routers from A to D then you will have to allow the traffic through that firewall using the MPF/access-lists configured.

-- To allow only certain traffic to go through the VPN tunnel from site 1 to site 2, the simplest way would be to use access-lists on router A or router C and block the unwanted traffic.

ioanniatr Thu, 09/30/2010 - 07:06

Actually routers B and C are SP routers and are inside the cloud, so the tunnel will be between A-D. That's correct, the subnets have E as default gateway and will use the tunnel through A-D in case of failover. Router A also has subnets (students' network), but that traffic will not pass through the tunnel.

ACLs will select traffic through the tunnel, and also permit certain traffic from it (passing firewall and NAT); OK, I understand this.

So I will set up the IPsec tunnel at the A-D routers (with no routing protocol), but I didn't get that thing with SLAs. How can I configure this? Is there any way to set up interface priorities at E and F? Can I use admin distance as the failover mechanism?

For IPsec I will set up pre-shared keys. I must configure IPsec and IKE as follows, as in the example in the picture, right?

Attachment: 
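Since the attached picture is not available here, the following is an added IOS configuration for router A (the site 1 spoke) that shows the shape a pre-shared-key LAN-to-LAN tunnel to D takes. It is a constructed example, not the poster's configuration or Cisco's document; every address, the key, the interface name and the subnet sizes are placeholders. The crypto ACL is what restricts the tunnel to the E subnets, as the thread proposes, and the transform set carries an integrity algorithm (esp-sha-hmac) alongside the cipher, since a set with encryption alone leaves the packets unauthenticated.

```cisco
! Router A (site 1 spoke). Constructed example, not the poster's config or Cisco's doc.
! Placeholder values: 198.51.100.1 = A's DSL address, 198.51.100.2 = SP next hop (B side),
! 203.0.113.1 = D's public address, 10.1.0.0/16 = subnets behind E,
! 10.2.0.0/16 = central site, KEY-PLACEHOLDER = the pre-shared key.

! IKE phase 1: pre-shared key, AES, SHA-1 integrity, DH group 2
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key KEY-PLACEHOLDER address 203.0.113.1

! IKE phase 2: ESP with both an encryption and an integrity transform.
! "esp-aes" on its own would encrypt but not authenticate the traffic.
crypto ipsec transform-set TS-AD esp-aes esp-sha-hmac
 mode tunnel

! Crypto ACL: only flows from the E subnets to the central site are protected and
! so admitted to the tunnel. The student network on A never matches and stays local.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

crypto map CM-AD 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AD
 match address VPN-TRAFFIC

interface FastEthernet0/1
 description DSL uplink into the SP cloud (towards B)
 ip address 198.51.100.1 255.255.255.252
 crypto map CM-AD

! Send central-site traffic out the DSL uplink; the crypto map encrypts the matching flows.
ip route 10.2.0.0 255.255.0.0 198.51.100.2
```

Router D needs the mirror image: the same ISAKMP policy and transform set, A's address as peer and key address, and a crypto ACL with source and destination swapped. Where a router in the path also performs NAT on the same interface, the tunnel traffic has to be excluded from translation (a deny for the 10.1.0.0/16 to 10.2.0.0/16 flows in the NAT ACL), otherwise the translated packets no longer match the crypto ACL and bypass the tunnel.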
Correct Answer
apsanghi Thu, 09/30/2010 - 19:04

Hi John,

In our scenario, since our primary connection is a direct leased line between E and F, I am assuming that there is no other network between the two routers. In this case we won't have to configure SLA monitoring or any interface priority. We can just enter two default routes:

ip route

ip route 254

In this scenario, if the leased line interface goes down, the second default route kicks in and the traffic would be routed through router A.

SLA monitoring monitors a connection (using ping tests) through one of the interfaces on the router, and when we are not able to ping some server (specified in the SLA configuration) through that interface, we change the default route to route the traffic through another interface.

So, in your scenario, we can monitor the link between E and F, and when the link goes down we can change the default route to point to A.

This is useful in the scenario when we have another ISP connection as our primary connection.

Here is a link on how to configure SLA monitoring on the router:

http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsicmp.html

After configuring SLA monitoring using the above link you can link it to the default route using the following route commands:

ip route track      // main default route

ip route 255     // default route with a higher metric which kicks in when the main default route goes down

Also, the configuration example which you have given in the doc is almost correct, just that the transform set is missing a hash algorithm. Here is a link with an example for a LAN-to-LAN tunnel between two routers:

http://www.cisco.com/en/US/partner/products/hw/routers/ps221/products_configuration_example09186a008073e078.shtml
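The route commands above come through with their addresses stripped, so here is an added, complete configuration for router E covering both cases in this reply. It is a constructed example, not the poster's configuration or the linked Cisco document; the interface name and all addresses are placeholders. One point worth knowing when copying the idea: the trailing number on an IOS static route is its administrative distance, and a distance of 255 marks the route as untrusted and keeps it out of the routing table, so the backup route below uses 254 instead.

```cisco
! Router E (site 1 default gateway). Constructed example, not from the thread.
! Placeholders: Serial0/0/0 = leased-line interface, 192.0.2.1 = next hop on the leased
! line, 192.0.2.9 = an address on F used as probe target (case 2), 10.1.0.254 = router A
! on the LAN shared with E.

! ---- Case 1: E and F are directly connected over the leased line ----
! Two default routes that differ only in administrative distance. With equal distances IOS
! installs both and load-shares; with 254 the second is a "floating" static route that is
! installed only after the first is withdrawn, which happens when Serial0/0/0 goes down.
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 10.1.0.254 254

! ---- Case 2: another network sits between E and F ----
! The local interface can stay up while the far end is unreachable, so the primary default
! route is tied to an ICMP probe of F instead of to interface state.
ip sla 1
 icmp-echo 192.0.2.9 source-interface Serial0/0/0
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now

track 1 ip sla 1 reachability

! Pin the probe target to the primary path. Without this, once the primary default route is
! withdrawn the probe would follow the backup route via A, succeed, and bring the track
! back up, so the routes would flap.
ip route 192.0.2.9 255.255.255.255 192.0.2.1

! Primary default route exists only while track 1 is up; the backup has the higher distance.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 10.1.0.254 254
```

Only one of the two cases is configured on a real router. To check which default route is active, `show ip route 0.0.0.0` shows the installed entry and `show track 1` shows the probe state in case 2. Router F may need the same treatment so that the return traffic from site 2 does not keep following the dead leased line.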

ioanniatr Fri, 10/01/2010 - 03:56

So let's see if I get it right. There are 2 cases:

1 - E and F directly connected with no networks between them, and simply add static routes to E:

          ip route

          ip route 254

          where 254 is the metric?

          what if (for the 1st ip route) they have a default route:

               ip route 0.0.0.0 0.0.0.0

         I haven't seen the routing table on E yet (I'll take a look on Monday), but I think that this is a big probability.

2 - E and F with networks between them (2nd tunnel through another ISP, with E and F being like the A-D DSL routers):

          Configure router E with SLAs from the "1st link" that you posted.

          ip route track      // main default route

          ip route 255     // default route with a higher metric which kicks in when the main default route goes down

Both cases: I'll configure A and D with IPsec from link 2.

     But I don't have access to that link. Is there any way to get access or to see the file at that link?

I think that the first one is my case, but it's good to see any other possibilities!!

Correct Answer
apsanghi Fri, 10/01/2010 - 17:47

Hi John,

Yup, you have got both the points correctly.

For point 1, 254 is the metric of the route. We specify a higher metric here because if both the routes have the same metric then E will start load balancing between the two routes, and we want E to use the default route to A only as a backup. So, we specify the metric so that the default route to A is used only when the main default route (the default route to F) goes down.

I have attached a doc with the same example. I hope that helps.

Regards,

Apaar

ioanniatr Sat, 10/02/2010 - 03:36

Hi Apaar,

Great. I think that this will work !!

Although perhaps there is one last issue about flickering, when the leased line goes down for a few seconds. Can I do anything about that?

Thanks,

John

apsanghi Sat, 10/02/2010 - 22:18

Hi John,

As soon as the leased line goes down the interface will go down, and as soon as the interface goes down the default route through the leased line will be deleted and the backup default route will be installed in the routing table. This change will be instantaneous. After that, as soon as the interface comes up, the old default route (through the leased line) will come back without any delay. So, even in such cases there should be no loss in service except for maybe a couple of packet drops.

However, if you are concerned about the flickering of the leased line then I would suggest that you start a discussion in the WAN team; they will be the right guys to help you out with this query.

Regards,

Apaar
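The reply above notes that the failover and the fallback are instantaneous, which on a line that flickers every few seconds means traffic bounces between the leased line and the VPN, re-ordering packets and tearing down flows each time. IOS offers two places to dampen that, one for each of the cases discussed earlier in the thread. This is an added example, not from the thread; the interface name and the hold timers are assumptions to be tuned to the line's actual behaviour.

```cisco
! Router E. Constructed example for damping a flickering leased line; not from the thread.

! Case 1 (E and F directly connected, floating static route):
! Hold the link-down event for 5 seconds before IOS reports the interface down and
! withdraws the connected route and the primary default route. A flicker shorter than
! 5 s never touches the routing table; a real outage still fails over after 5 s.
interface Serial0/0/0
 carrier-delay 5

! Case 2 (default route tied to an IP SLA track object):
! Dampen the track object instead. Declare the path down only after the probe has failed
! continuously for 10 s, and require 30 s of continuous success before declaring it up
! again, so a marginal line must prove itself before traffic moves back to it.
track 1 ip sla 1 reachability
 delay down 10 up 30
```

Both settings trade detection speed for stability: during the hold time after a real failure, packets are still sent towards the dead link and are lost, so the timers should be set just above the longest flicker observed on the line. `show interfaces Serial0/0/0` (carrier transitions counter) and the router log give that figure once the line has been watched for a while.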

ioanniatr Sun, 10/03/2010 - 08:45

Hi Apaar,

I'll implement this scenario to see it in action. If I have any problem with flickering, your advice is the first thing I shall follow!

Really, this discussion was very helpful. I couldn't see the solution to this problem so clearly without your help.

Once again,

Thanks,

John
