Possible failover scenarios for VPNs over primary/secondary peers
We have a few clients that we establish VPNs with. The ones that use Juniper routers for VPNs want to establish a failover configuration where our VPN would dynamically route over a VPN to their secondary peer address. Their secondary peer address is on their own backup internet circuit.
They have no problem with making the failover dynamic on their side.
We have to manually change a static route to point to their secondary peer address as the gateway for their internal network before the traffic takes the secondary path. Since this client is on the other side of the world, this involves waking the oncall engineer in the middle of the night which is inherently a kludgey process.
Here's our config. I'm open to suggestions. These IPs are fictitious of course, and we proxy route the public IP through the internet firewall to enable the public loopback. Inside and outside VPN router interfaces are privately addressed.
The routes we have to change to route to their secondary peer would be these statics:
no ip route 192.168.1.0 255.255.255.0 a.a.a.a
ip route 192.168.1.0 255.255.255.0 b.b.b.b
10.1.x.0 and 10.1.y.0 are our local networks.
crypto map CryptoMap local-address Loopback0
crypto map CryptoMap 180 ipsec-isakmp
description VPN to client - both peers required!!!
set peer a.a.a.a
set peer b.b.b.b
set security-association lifetime kilobytes 4096
set transform-set Transform
set pfs group2
match address Client-networks
ip address 22.214.171.124 255.255.255.0
crypto map CryptoMap
ip route 192.168.1.0 255.255.255.0 a.a.a.a
ip route a.a.a.a 255.255.255.0 [firewall]
ip route b.b.b.b 255.255.255.0 [firewall]
ip access-list extended Client-networks
permit ip 10.1.x.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.1.y.0 0.0.0.255 192.168.1.0 0.0.0.255
The following example uses an SLA operation to install a default route to the 10.1.1.1 gateway on the outside interface. The SLA operation monitors the availability of that gateway. If the SLA operation fails, then the backup route on the dmz interface is used.
hostname(config)# sla monitor 123
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
hostname(config-sla-monitor-echo)# timeout 1000
hostname(config-sla-monitor-echo)# frequency 3
hostname(config)# sla monitor schedule 123 life forever start-time now
Re: Possible failover scenarios for VPNs over primary/secondary
Ah. Good. Thanks for pointing it out. I found it now.
VPN02(config)#ip sla monitor ?
  <1-2147483647>          Entry Number
  apm                     IP SLA Monitor APM Configuration
  group                   Group configuration or Group scheduling
  key-chain               Use MD5 authentication for IP SLA Monitor control message
  logging                 Enable logging
  low-memory              Configure low water memory mark
  reaction-configuration  IP SLA Monitor Reaction Configuration
  reaction-trigger        IP SLA Monitor trigger assignment
  reset                   IP SLA Monitor Reset
  responder               Enable IP SLA Monitor Responder
  restart                 Restart an active entry
  schedule                IP SLA Monitor Entry Scheduling
  slm                     Service Level Management
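The following is an added worked configuration, not part of the original posts, showing how the manual static-route swap from the first post can be replaced with a tracked static route on the IOS VPN router, using the older `ip sla monitor` syntax that the `?` output above indicates is available. The peer addresses, networks, interface name, and object numbers (SLA entry 1, track 1, administrative distance 250) are taken from or assumed to match the poster's config; the DPD keepalive timers are an assumption.

```text
! --- Added example: automatic failover of the client route between peers ---
! Probe the primary peer a.a.a.a every 3 seconds from the loopback that the
! crypto map binds to. The existing "ip route a.a.a.a ... [firewall]" static
! already steers this probe out through the internet firewall.
ip sla monitor 1
 type echo protocol ipIcmpEcho a.a.a.a source-interface Loopback0
 timeout 1000
 frequency 3
ip sla monitor schedule 1 life forever start-time now
!
! Track object 1 follows the SLA entry (old syntax is "rtr", newer IOS uses
! "track 1 ip sla 1 reachability"). Delay a few seconds so a single lost
! probe does not flap the route.
track 1 rtr 1 reachability
 delay down 10 up 30
!
! Primary route to the client network is withdrawn from the routing table
! when track 1 goes down; the floating static (distance 250) to the
! secondary peer b.b.b.b then takes over, and is withdrawn again when the
! primary comes back. This replaces the manual "no ip route / ip route" step.
ip route 192.168.1.0 255.255.255.0 a.a.a.a track 1
ip route 192.168.1.0 255.255.255.0 b.b.b.b 250
!
! Dead Peer Detection lets ISAKMP notice a.a.a.a is gone and fall through to
! the second "set peer" in the crypto map instead of waiting for the
! security association to expire. Timers (10 s interval, 3 s retry) assumed.
crypto isakmp keepalive 10 3
!
! Verification commands (assumed typical use):
!   show ip sla monitor statistics 1
!   show track 1
!   show ip route 192.168.1.0
```

Two caveats a practitioner should check before relying on this: the ICMP probe only works if the client's primary peer answers echo requests from the loopback address (if it does not, probe a host the client agrees to expose, or an address inside 192.168.1.0/24 from a source that matches the crypto ACL so the probe itself rides the tunnel), and failback should be deliberately slowed (the `delay up` value) so a flapping primary circuit does not bounce the tunnel between peers.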