VPN Backup Architecture

gdelpanta
Level 1

Hello,

I'm in this situation:

- A VPN 3000 at the core.

- Spokes are Cisco IPsec routers on the Internet.

Some of these routers have two Internet gateways provided by two different ISPs.

The second gateway is used as a backup of the first Internet gateway.

When the spoke router goes to the Internet through the first gateway it has a public address IPADD_1 in the address space range provided by the first ISP (using static NAT).

When the spoke router goes to the Internet through the second gateway it has a public address IPADD_2 in the address space range provided by the second ISP (using static NAT).

I have configured the VPN with two LAN-to-LAN connections using IPADD_1 and IPADD_2 as endpoints, but I have problems when I set the same private network reachable by both IPsec tunnels.

Exactly, the following happens:

When I use the first ISP, all works fine because the first LAN-to-LAN connection is matched on the VPN.

When the first ISP goes down, the spoke tries to use the second ISP. But the VPN's second LAN-to-LAN connection doesn't come up (unless I manually disable the first LAN-to-LAN connection). I have tried NAT configuration of the private networks to differentiate the destination of the LAN-to-LAN connections. But it works only for traffic from spoke to core.

Does someone have a suggestion?

Thank you.

10 Replies

attrgautam
Level 5

On the hub location this should be the configuration:

crypto map test 10 ipsec-isakmp
 match address 100
 set transform-set test
 ! the two peer entries are the spoke's two public addresses,
 ! IPADD_1 (first ISP) and IPADD_2 (second ISP) from the question
 set peer IPADD_1
 set peer IPADD_2
crypto isakmp keepalive 10

So if the first peer is not reachable, DPD will help the tunnel form with the 2nd peer. Ensure keepalives are present at both locations.

... the problem is the heterogeneous type of devices.

VPN concentrators are not IOS routers, and Dead Peer Detection (I think) works only with a pair of IPsec IOS peers.

I agree ...

with VPN to VPN

or

with IOS to IOS

I'm able to manage backup peers (and paths).

But VPN to IOS ???

Thank you.

gdp

I've been trying to read up on VPN backup solutions and would like to figure out a way to learn routes through my VPN and then use that VPN to get to that network. Any suggestions?

Patrick

Patrick

Did you check IPsec Reverse Route Injection? Or do you want to check the remote network's health? Then you could probably do a VTI and advertise the remote LAN over the tunnel interface.

Let me know if I am off the mark.
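As an added example (not configuration posted in this thread, and not Cisco's own sample), here is what the two suggestions made in this thread look like on a hub that is itself an IOS router: option A is the crypto-map form with both of the spoke's public addresses as peers, ISAKMP keepalives (DPD) and Reverse Route Injection; option B is the VTI form, with one tunnel per spoke address and OSPF deciding which tunnel carries traffic. IPADD_1 and IPADD_2 stand for the spoke's two public addresses as in the question. Everything else is assumed: the interface name, the hub LAN 10.0.0.0/24, the spoke LAN 192.168.1.0/24, the tunnel addressing, the pre-shared key and the transform-set/profile names. Configure one option or the other, not both.

```ios
! Hub router (IOS), added example.  Assumed: hub LAN 10.0.0.0/24,
! spoke LAN 192.168.1.0/24, uplink FastEthernet0/0.
! IPADD_1 / IPADD_2 = the spoke's public address via ISP 1 / ISP 2.
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! one pre-shared key (assumed) bound to each of the spoke's addresses
crypto isakmp key SPOKE_PSK address IPADD_1
crypto isakmp key SPOKE_PSK address IPADD_2
! DPD: probe every 10 s, retry every 3 s; a dead primary peer is torn
! down instead of staying "up" and blocking the second peer
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
! ---------- Option A: crypto map, two peers, RRI ----------
crypto map test 10 ipsec-isakmp
 match address 100
 set transform-set test
 set peer IPADD_1
 set peer IPADD_2
 ! RRI installs a static route to the spoke LAN pointing at whichever
 ! peer the SA is currently built with, so hub-to-spoke traffic follows
 ! the live tunnel after a failover
 reverse-route
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface FastEthernet0/0
 description Hub Internet uplink (assumed)
 crypto map test
!
! ---------- Option B: two VTIs with OSPF over the tunnels ----------
crypto ipsec profile VTI_PROF
 set transform-set test
!
interface Tunnel0
 description VTI to spoke via first ISP (primary)
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination IPADD_1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROF
!
interface Tunnel1
 description VTI to spoke via second ISP (backup, higher cost)
 ip address 172.16.0.5 255.255.255.252
 ip ospf cost 200
 tunnel source FastEthernet0/0
 tunnel destination IPADD_2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROF
!
! OSPF learns the spoke LAN over both tunnels; the lower-cost Tunnel0
! wins while its SA is alive, and Tunnel1 takes over when DPD drops it
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.7 area 0
```

The point of option B for the failure described in the question is that no manual disabling is needed: each tunnel interface goes down on its own when DPD declares its peer dead, and the routing protocol, not the crypto map's peer list, selects the path. Option A depends on the hub clearing the SA to the first peer before it will negotiate with the second, which is exactly what `crypto isakmp keepalive` is there to trigger.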

I was thinking that was my answer, but I haven't done any VTI IPsec tunnels yet and was going to spend some time this weekend working with that idea. Right now my client has a fairly large VPN network with a product line called SonicWall, which has been great for them because of its centralized management. But their uptime is terrible. I was trying to find out the full capabilities of the ASA/PIX 7.x software. I really would like to put those at the edge instead of a router connected to the Internet with a firewall feature set.

Has anyone used the ASA/PIX 7.0 in this manner? Are they capable of doing VPNs like the VTI links, with the ability to run OSPF over the VPN tunnels?

I appreciate any answers, more questions to think about, etc.

I am not very much aware of VPN concentrators, but I think they do allow for dead peer detection. It will be well worth a try and I think it should work. Let me know how it goes.

On the spoke router I configure:

crypto isakmp keepalive 10

On the hub VPN 3000, in the

"Configuration | User Management | Groups" menu

I select the groups related to the LAN-to-LAN connections and check IKE Keepalives.

Unfortunately it doesn't work.

It works only if I manually disable the primary LAN-to-LAN connection on the VPN 3000.

Regards.

gdp

Any logs on the router or the VPN concentrator?

The logs are attached.

Regards.

gdp
