VPN Site to Site Redundancy

amohabir1
Level 1

I attached a diagram for easier clarification so please open before you read further.

I have multiple sites set up as site-to-site or LAN-to-LAN VPNs. I have three set up on a PIX 515 and 2 on a VPN 3015 concentrator.

What I am looking to achieve, since we cannot afford downtime due to the nature of our business, is to add some redundancy into the network. Whether I do it by adding an additional firewall or VPN concentrator, or by utilizing what I currently have, the diagram should be clear enough to figure out where I'm asking for help.

The way I imagine it is to have two ISPs running BGP so that in the event of a router failure, my network will still be available across the other ISP's connection. For either the PIX or the VPN concentrator, I imagine running VRRP and/or stateful failover (for the PIX). What I want to do is make sure that at any given time, if there is a link or equipment failure, host A on network A can talk to host B on network D. I believe this includes me running some sort of routing protocol (most likely OSPF).

What I am trying to figure out is the best way to approach the creation of the VPN tunnels. Should the remote end have a tunnel with each firewall/VPN concentrator, and then run OSPF across it? Or should I take advantage of something like DMVPN? Would I need GRE tunnels in this case? I am looking for high availability. Any ideas are highly appreciated.

The best case scenario would include having redundant equipment and links at the remote sites as well. But for now I want to concentrate on the main site.

Thanks

5 Replies

amohabir1
Level 1

Anyone have any comments, suggestions on this?

Hi ..

1.- You could set up failover between both PIXes.

2.- Configure your border routers to run BGP with your ISPs. Request from them to inject a default route only to the AS configured on your border routers, respectively.

3.- Configure OSPF between your border routers and your PIXes and inject a default route into OSPF with different metrics so that the main link is used as the preferred path ( default-information originate metric XXX metric-type 1 ) where XXX is the metric. This will be a lower number on the main link.

4.- Configure the remote headend device ( hopefully a PIX ) as a VPN client. This will give you the option to have more than one VPN server ( the PIX at the central location ).

5.- Because you are using two different ISPs, you would need to use TWO routable IP addresses for the VPN termination at the central location. This could be done by running private addressing between your border routers and your PIX and configuring static NAT on your border routers accordingly. Basically the PIX will appear as x.x.x.x when using ISP1 and y.y.y.y when using ISP2. Therefore the remote PIX needs to have x.x.x.x as the primary VPN server and y.y.y.y as the backup server ( in the event that the ISP1 link goes down ).

Please have a look at the link below, which should give you a better idea of what you need to do.

" Basic Configuration

To enable the PIX Easy VPN Remote client to communicate with the Easy VPN Server, you need to identify the location of the Easy VPN Server using the vpnclient server command. The syntax for this command is as follows:

vpnclient server {Primary_IP} [Secondary_IPs]

You need to specify the IP address of the primary Easy VPN Server. In addition to the primary Easy VPN Server, you also can specify up to ten additional secondary Easy VPN Servers. If the primary server is not accessible, the client will use one of the secondary servers. "

http://www.cisco.com/en/US/partner/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf4

I hope it helps.. please rate it if it does !!!
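Steps 2 to 5 of the reply above as one constructed configuration (added here; it is not from the reply or from Cisco's documentation). Addresses, AS numbers, interface names and the VPN group name are assumptions; the reply's x.x.x.x and y.y.y.y become 203.0.113.10 and 198.51.100.10.

```cisco
! Border router 1 (ISP1, preferred path). Constructed example: all addresses,
! AS numbers and names are assumed.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
router bgp 65010
 neighbor 203.0.113.1 remote-as 64496
 ! accept nothing but the default route the ISP was asked to send
 neighbor 203.0.113.1 prefix-list DEFAULT-ONLY in
!
! The central PIX sits on private 10.10.10.0/29 behind both border routers;
! this router exposes it to ISP1 as 203.0.113.10 (x.x.x.x in the reply)
ip nat inside source static 10.10.10.2 203.0.113.10
interface GigabitEthernet0/0
 description to ISP1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 description to central PIX
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
router ospf 1
 network 10.10.10.0 0.0.0.7 area 0
 ! no "always" keyword: the default is advertised only while BGP holds one,
 ! so it leaves OSPF as soon as the ISP1 session drops and the PIX's default
 ! route moves to border router 2 (metric 20)
 default-information originate metric 10 metric-type 1
!
! Border router 2 (ISP2, backup) is identical except for:
!  neighbor 198.51.100.1 remote-as 64497
!  ip nat inside source static 10.10.10.2 198.51.100.10   (y.y.y.y)
!  ip address 10.10.10.3 255.255.255.248 on the PIX-facing interface
!  default-information originate metric 20 metric-type 1
!
! Remote PIX as Easy VPN Remote (PIX 6.3 syntax): primary server reached via
! ISP1, secondary via ISP2. The client falls back to the secondary when the
! primary stops answering, which is exactly when the central PIX's default
! route has moved to border router 2 and its traffic exits as 198.51.100.10.
vpnclient server 203.0.113.10 198.51.100.10
vpnclient mode network-extension-mode
vpnclient vpngroup REMOTE-SITES password PLACEHOLDER-PRESHARED-KEY
vpnclient enable
```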

patrick.preuss
Level 1

Hello amohabir1,

I would suggest you go in the direction of DMVPN so you will have redundancy on the routing protocol layer.

You can implement easy dial-around across the cloud.

If one router fails you have backup on the VPN side with multiple routers.

You can add new networks and more and bigger routers without much work. If needed you can have communication between all sites.

You only need fixed addresses for the central site.

You don't need BGP; you can set this up with IP addresses given to you by your provider.

regards Patrick

roluce
Level 1

We are running a 300-site network using static IPsec/GRE for the purpose of providing high availability to the business. Really, keeping everything in mind, the Internet is probably the best medium available for HA.

We normally have two connections to our manufacturing locations, from two different ISPs. Two separate routers, one on each link, and we use GRE keepalives on the tunnels. DMVPN does not allow for GRE keepalives, so we do our tunnel configuration manually.

GRE keepalives really end up being the routing protocol in our case, transitioning the GRE interface up/down as needed if the remote end of the tunnel becomes unavailable. With this being the case, any routing protocol can be used with the same efficiency since Cisco will begin reconvergence based on the state of an interface changing (BGP/EIGRP/OSPF). Since GRE keepalives are very low overhead, we keep the keepalive timing fairly tight. If there is an interruption in the network, normally the end users don't know it since all of our applications (minus voice) retry in the time it takes for the network to reconverge. The voice calls don't drop, but the voice call becomes garbled (per-packet load balancing, that's a different conversation) during the time that the network is reconverging, then goes back to clear as soon as the failed line has been downed by the router.

The other way to do it (which might be easier than our static GRE method) is to do two DMVPN networks. You'd probably want to do per-destination load balancing, but setting up two DMVPN networks would allow you to provide better reliability, with a minimum of configuration.

Email me if you have any more questions on our config.

Rob
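The static IPsec/GRE design Rob describes, as a constructed example for one hub router (added here; it is not Rob's configuration and was not taken from the thread). Addresses, the pre-shared key placeholder, interface names and the EIGRP AS are assumptions; the second hub router on ISP2 mirrors this toward the spoke's second ISP address.

```cisco
! Hub router A (ISP1 side). Constructed example; addresses, key and AS numbers
! are assumed. Hub router B on ISP2 carries Tunnel2 to the spoke's ISP2 address.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PRESHARED-KEY address 192.0.2.50
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
! Only GRE between the two tunnel endpoints is matched, so the keepalives,
! which travel inside the tunnel, are encrypted along with user traffic
ip access-list extended GRE-TO-SPOKE1
 permit gre host 203.0.113.10 host 192.0.2.50
crypto map SPOKES 10 ipsec-isakmp
 set peer 192.0.2.50
 set transform-set GRE-TS
 match address GRE-TO-SPOKE1
interface GigabitEthernet0/0
 description to ISP1
 ip address 203.0.113.10 255.255.255.252
 crypto map SPOKES
interface Tunnel1
 description spoke1 via ISP1
 ip address 10.255.1.1 255.255.255.252
 ! a keepalive every 10 s, three misses before the line protocol goes down:
 ! roughly 30 s after the far end stops answering, EIGRP loses this neighbor
 ! and reconverges onto hub router B's tunnel. The tunnel comes back by
 ! itself once keepalives are answered again, the behaviour that mGRE/DMVPN
 ! cannot give because it has no point-to-point keepalive.
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.50
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
 no auto-summary
! While both tunnels are up the spoke prefixes are equal-cost over Tunnel1
! and Tunnel2; CEF's default per-destination load sharing keeps a voice
! stream on one path, unlike the per-packet sharing Rob mentions.
```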

Hello Rob,

I'm very interested in how you managed this.

I have the same idea for providing redundancy and more bandwidth to our spoke locations.

I tried DMVPN. This brings the tunnel down at the spoke site when there is an Internet problem, but never brings the tunnel back up when connectivity is restored.

Help would be appreciated.