topic Out of curiosity, is this a in Network Security

ISP Failover - Internet Access to ISP1 and VPN Traffic to ISP2

Patrick Werner — Tue, 12 Mar 2019 04:21:16 GMT

Community.

I've successfully setup ISP Failover. Now all the traffic (internet and VPN) goes over ISP1 and if the connection fails to ISP1 it goes to ISP2.

But I like to have a different setup. All the internet traffic should go to ISP1 and all the VPN traffic should go to ISP2, but with Failover functionality.

That means. If ISP1 fails the internet traffic goes to ISP2. And if ISP2 fails the VPN Traffic goes to ISP1.

Is that possible ?

Best Regards patrick

Are we talking S2S VPN or RA

Marius Gunnerud — Fri, 20 Jun 2014 11:52:47 GMT

Are we talking S2S VPN or RA VPN?

Also, why would you want to the VPN over to ISP1 if ISP1 has failed?

But to answer your question...if it is an S2S VPN this is possible. If it is an RA VPN this is not possible because you would need the use of a default route to be able to access the remote IPs. But for site to site you can set a static route pointing out ISP2.

Now you would need two default routes and two static routes for the S2S VPN connection, the primary route would need a lower administrative distance than the secondary route. Then you would configure an IP SLA tracking, one for the default route and one for the S2S VPN static route. You would then assign the tracking to the route that you want active, once the tracking returns an unreachable or down response, that route will be removed from the routing table and the backup route will be installed in the routing table.

Please remember to select a correct answer and rate helpful posts

Hi Marius.Yes i need it for

Patrick Werner — Tue, 24 Jun 2014 07:22:07 GMT

Hi Marius.

Yes i need it for S2S VPN. I did the config as you mentioned. But I hadn't luck.

See the config of my SLA and Routing:

----------------------------------------------------------------------------------------

route OUT1 0.0.0.0 0.0.0.0 212.12.12.12 1 track 1
route OUT1 33.33.33.33 255.255.255.255 212.12.12.12 254

route OUT2 33.33.33.33 255.255.255.255 211.11.11.9 1 track 2
route OUT2 0.0.0.0 0.0.0.0 211.11.11.9 254

sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface OUT1
num-packets 3
frequency 15
sla monitor schedule 1 life forever start-time now

sla monitor 2
type echo protocol ipIcmpEcho 8.8.8.8 interface OUT2
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now

----------------------------------------------------------------------------------------

33.33.33.33 is the VPN Peer at the other end. 212.12.12.12 is the primary default route for Internet access and 211.11.11.9 is the primary default route for the VPN.

Did I something wrong ?

Hope you can help and best regards Patrick

You need to assign the SLA to

Marius Gunnerud — Tue, 24 Jun 2014 07:30:58 GMT

You need to assign the SLA to a track ID

track 1 rtr 1 reachability

track 2 rtr 2 reachability

The format is:

track <track number> rtr <SLA number> reachability

Please remember to select a correct answer and rate helpful posts

I did that but forgot to post

Patrick Werner — Tue, 24 Jun 2014 07:45:24 GMT

I did that but forgot to post these 2 lines here. Is the rest of the config okay.

The reason this isn't working

Marius Gunnerud — Tue, 24 Jun 2014 07:51:52 GMT

The reason this isn't working is because you are tracking 8.8.8.8 on interface OUT2 which is your secondary interface...your default route does not point out that interface. I suggest you track an IP that you can configure a static route for which points out interface OUT2 and then test.

Please remember to select a correct answer and rate helpful posts

Hi,This should be your

nkarthikeyan — Tue, 24 Jun 2014 08:06:09 GMT

Hi,

This should be your complete planned configuration which looks okay for me.

route OUT1 0.0.0.0 0.0.0.0 212.12.12.12 1 track 1
route OUT1 33.33.33.33 255.255.255.255 212.12.12.12 254

route OUT2 33.33.33.33 255.255.255.255 211.11.11.9 1 track 2
route OUT2 0.0.0.0 0.0.0.0 211.11.11.9 254

sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface OUT1
num-packets 3
frequency 15
sla monitor schedule 1 life forever start-time now

sla monitor 2
type echo protocol ipIcmpEcho 8.8.8.8 interface OUT2
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!

But my suggestion would be to keep the respective gateway ip in track rather than keeping public dns(8.8.8.8). And you can also minimize the frequency time to do a quick fallback in case of outage.

HTH

Regards

Karthik

Hi Guys that was it. The

Patrick Werner — Tue, 24 Jun 2014 08:41:41 GMT

Hi Guys that was it. The routingis working now. I did as you metioned:

---------------------------------------------------------------------------------

sla monitor 1
type echo protocol ipIcmpEcho 212.12.12.12 interface OUT1
num-packets 3
frequency 15
sla monitor schedule 1 life forever start-time now

sla monitor 2
type echo protocol ipIcmpEcho 211.11.11.9 interface OUT2
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now

-----------------------------------------------------------------------------------

The traceroute shows me now that the address 33.33.33.33 goes out the interface OUT2. But the VPn traffic still uses interface OUT1.

My crypto config:

------------------------------------------------------------------------------------

access-list ALC_VPN extended permit ip object OBJ_INS1_NET_192_168_1 object 10.41.16.0_22

nat (INS1,OUT1) source static OBJ_INS1_NET_192_168_1 OBJ_INS1_NET_192_168_1 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup
nat (INS1,OUT2) source static OBJ_INS1_NET_192_168_1 OBJ_INS1_NET_192_168_1 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup

crypto map OUT1_MAP 100 match address ALC_VPN
crypto map OUT1_MAP 100 set pfs
crypto map OUT1_MAP 100 set peer 33.33.33.33
crypto map OUT1_MAP 100 set ikev1 transform-set ESP-3DES-SHA
crypto map OUT1_MAP interface OUT1
crypto map OUT1_MAP interface OUT2

crypto ikev1 enable OUT1
crypto ikev1 enable OUT2
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
ikev1 pre-shared-key *****

-------------------------------------------------------------------------------------

Hope you guys still like to help me 🙂

Best regards Patrick

The tunnel was most likely

Marius Gunnerud — Tue, 24 Jun 2014 08:46:05 GMT

The tunnel was most likely already established when you made these changes, you would need to tear down and and re-establish the VPN for it to point out the correct interface.

Please remember to select a correct answer and rate helpful posts

Hi Patrick,I agree with

nkarthikeyan — Tue, 24 Jun 2014 09:04:20 GMT

Hi Patrick,

I agree with Marius for break the VPN connection and try again. But i have a quick question here... does your VPN peer IP belongs to the ISP1 IP Stack???

I doubt in that way.... Not sure about that....

HTH

Regards

Karthik

I did "clear crypto isakmp sa

Patrick Werner — Tue, 24 Jun 2014 09:06:13 GMT

I did "clear crypto isakmp sa" and reopened the tunnel. But still the same, VPN doesn't go out the Interface OUT2. But if i disconnectthe cable from OUT1, the VPN Tunnel goes out the Tunnel OUT2.

Also, I forgot to mention,

Marius Gunnerud — Tue, 24 Jun 2014 09:09:14 GMT

Also, I forgot to mention, that you need to make sure that the remote end has a crypto map that also points to your second interface. If it doesn't then your VPN tunnel will not come up.

Please remember to select a correct answer and rate helpful posts

Hi Karthik.You asking about

Patrick Werner — Tue, 24 Jun 2014 09:09:58 GMT

Hi Karthik.

You asking about the other end VPN Peer ? The other end has a crypto config for both IP's ISP1 and ISP2.

Best regards Patrick

if you put the cable back it

nkarthikeyan — Tue, 24 Jun 2014 09:26:20 GMT

if you put the cable back it comes back thru ispl1 ?

you can try one thing.

no crypto map OUT1_MAP interface OUT1
crypto map OUT1_MAP interface OUT2

crypto map OUT1_MAP interface OUT1

no crypto ikev1 enable OUT1
crypto ikev1 enable OUT2

crypto ikev1 enable OUT1

Also on the other end ask them to point out2 interface IP as priority one and out1 as the backup one.

Hope this solves the issue then

HTH

Regards

Karthik

Hi Karthik.I tried that, but

Patrick Werner — Tue, 24 Jun 2014 10:00:48 GMT

Hi Karthik.

I tried that, but still the same.

This is the config of the other end.

crypto map outside_map 7 match address outside_cryptomap_7
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 211.11.11.11 212.12.12.14
crypto map outside_map 7 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 7 set reverse-route

tunnel-group 212.12.12.14 type ipsec-l2l
tunnel-group 212.12.12.14 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 211.11.11.11 type ipsec-l2l
tunnel-group 211.11.11.11 ipsec-attributes
ikev1 pre-shared-key *****

Hi Patrick,Can you make like

nkarthikeyan — Tue, 24 Jun 2014 10:06:35 GMT

Hi Patrick,

Can you make like this for the crypto command.

crypto map outside_map 7 set peer 212.12.12.14 211.11.11.11

All we need to do is on the both the sides wherever you can prioritize ISP2 we have to do it and try.

Regards

Karthik

Even after a reboot, the VPN

Patrick Werner — Tue, 24 Jun 2014 10:07:10 GMT

Even after a reboot, the VPN don't go out the right Interface.

Hi Karthik.The primary should

Patrick Werner — Tue, 24 Jun 2014 10:30:08 GMT

Hi Karthik.

The primary should be a the first postion, i did that too.

But still the same.

Strange.

Regards patrick

Double check your static

Marius Gunnerud — Tue, 24 Jun 2014 10:45:53 GMT

Double check your static route for the remote peer. Make sure there isn't a typo. if it is correct issue the command show route and make sure that the peer route entry has the correct next hop. If you remove the route pointing out OUT1 does the issue still persist?

Please remember to select a correct answer and rate helpful posts

Hi Patrick, One last thing.

nkarthikeyan — Tue, 24 Jun 2014 11:16:19 GMT

Hi Patrick,

One last thing. Can you remove the VPN configurations/Static Routes/IP SLA which ever applicable on both the ends and put the ISP B related configuration 1st and then the ISP2.... then initiate the tunnel..... and try it out.... it should work as expected... Something like the below.... on bot the ends...

sla monitor 1
type echo protocol ipIcmpEcho 211.11.11.9 interface OUT2
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now
!
sla monitor 2
type echo protocol ipIcmpEcho 212.12.12.12 interface OUT1
num-packets 3
frequency 15
sla monitor schedule 1 life forever start-time now
!
access-list ALC_VPN extended permit ip object OBJ_INS1_NET_192_168_1 object 10.41.16.0_22
!
nat (INS1,OUT2) source static OBJ_INS1_NET_192_168_1 OBJ_INS1_NET_192_168_1 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup
nat (INS1,OUT1) source static OBJ_INS1_NET_192_168_1 OBJ_INS1_NET_192_168_1 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup
!
crypto map OUT1_MAP 100 match address ALC_VPN
crypto map OUT1_MAP 100 set pfs
crypto map OUT1_MAP 100 set peer 33.33.33.33
crypto map OUT1_MAP 100 set ikev1 transform-set ESP-3DES-SHA
crypto map OUT1_MAP interface OUT2
crypto map OUT1_MAP interface OUT1
!
crypto ikev1 enable OUT2
crypto ikev1 enable OUT1
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
ikev1 pre-shared-key *****
!
===========================================================================================

Same way on the other end
=========================
access-list outside_cryptomap_7 extended permit ip object 10.41.16.0_22 object OBJ_INS1_NET_192_168_1 (similar like this)
crypto map outside_map 7 match address outside_cryptomap_7
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 211.11.11.11 212.12.12.14
crypto map outside_map 7 set connection-type bi-directional
crypto map outside_map 7 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 7 set reverse-route
!
crypto ikev1 policy 7
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 211.11.11.11 type ipsec-l2l
tunnel-group 211.11.11.11 ipsec-attributes
ikev1 pre-shared-key *****
!
tunnel-group 212.12.12.14 type ipsec-l2l
tunnel-group 212.12.12.14 ipsec-attributes
ikev1 pre-shared-key *****
!

HTH

Regards

Karthik