
Help with setting up failover to a site-to-site VPN

I have two 2901s currently connected with a site-to-site T1 connection. The company is looking at using Cradlepoint 4G modems as a failover connection between the sites. I have created an IPsec VPN tunnel over the Cradlepoints, but I can't figure out how to modify the routing to use the VPN tunnel as a failover connection in case the site-to-site T1 connection goes out. There are no interfaces on the router associated with the tunnel, so I'm having a hard time figuring out how to do this.
 

ACCEPTED SOLUTION

Ahh, so the IP SLA won't be much help in this scenario; still, you can use it for VPN tracking. My assumption was that you had two redundant routers at the same premises establishing tunnels with similar endpoints.

If I understood correctly:

Your T1 connection with EIGRP routing would be primary and the Cradlepoint would be the redundant link.

So you want LAN traffic between both locations to fail over automatically using the T1 and 4G links.

The T1 is configured with EIGRP (it can remain as is) and the 4G link needs to be configured with static routing since it's an unsecured connection.

You can add specific static entries (similar to the ones you are receiving from EIGRP) with an increased AD.

For example, your primary path for route 10.2.3.0/16 on the UTICA router is the T1 link, learned from EIGRP with the default AD of 90.

So the static route will look like: ip route 10.2.3.0 255.255.0.0 166.139.144.156 OR Fe0/1 120

In this scenario you will need Verizon's help to route both LAN subnets from the respective locations to each other.

You could have configured Tunnel interface VPN endpoints. It would have given you routing control instead of asking the vendor.

One more point: be careful while redistributing static routes into EIGRP; filter if possible.

Hope this will help.

 

Rate if you find helpful


I usually make loopback interfaces on both sides, then a GRE tunnel from loopback to loopback, and then a routing protocol over the GRE tunnel.

To protect the data you can use IPsec from loopback to loopback or tunnel protection.

And don't forget to rate the post.


Hi Wheymen,

 

The easiest solution to fail over from your T1 connection to your VPN tunnel is using IP SLA. An example is shown below; you may change it to suit your environment.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I am tracking object instance "10", as shown below.

 

track 10 ip sla 1 reachability
delay down 10 up 10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Please follow the example.

I assume your 10.0.0.0/8 is reachable from your T1 connection and the tracked object is 10, as per the static route below and the tracking object noted above.

 

ip route 10.0.0.0 255.0.0.0 172.16.2.2 name MYT1-Connection track 10

 

A second route is defined with a higher cost for the same prefix, and its cost is set to "20".


ip route 10.0.0.0 255.0.0.0 192.168.255.1 20 name MY-Cradlepoint

 

Now, I assume you have a loopback address (i.e. 10.10.10.1) at the remote site that can be reached via the T1 connection.


ip route 10.10.10.1 255.255.255.255 172.16.2.2 permanent

 

Now let's start the IP SLA instance and put all the pieces to work.

 

ip sla 1
 ! 10.1.1.2 is a local internal IP on your router
 icmp-echo 10.10.10.1 source-ip 10.1.1.2
 ! the timeout (ms) may not exceed the frequency (s); IOS rejects 20000 ms with frequency 10
 timeout 5000
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Let me know if this helps.

 

Thanks

 


Thanks for the assistance. I have tried looking into IP SLA, but I can't figure out how the local traffic would route through the VPN. I have no problem configuring IP SLA for routing traffic straight to another gateway, but when the VPN is involved, I'm not sure how to send traffic through the VPN instead of to the Cradlepoint's gateway.

I have attached a diagram and configs for the routers. For instance, on the Utica router, if I do something like:

ip route 10.0.0.0 255.0.0.0 10.4.1.2 name MYT1-Connection track 10

ip route 10.0.0.0 255.0.0.0 166.139.144.156 20 name MY-Cradlepoint



The second route statement has the Cradlepoint's gateway as the gateway. So if I send all 10.0.0.0/8 traffic to the Cradlepoint gateway, wouldn't it reject all that traffic since it doesn't know how to route it? I need something like:

ip route 10.0.0.0 255.0.0.0 VPN-TUNNEL name MY-Cradlepoint

 

But I can't figure out how to do that since the VPN tunnel doesn't have an interface.

EDIT: Got it figured out, thanks.


You can do the failover from the tunnel origin or endpoints using IP SLA (I find it most suitable).

You will need to create an SLA object to track the WAN endpoints (not the tunnel endpoint; however, if you want to use the tunnel end IP then you need to ensure it's not reachable from any other routing source) and associate it with your LAN interface HSRP group (assuming both your routers are configured with HSRP).

You can use dynamic routing protocols or static routing; it's your choice.

If you cannot do it on the tunnel origin or endpoint then I would need more detail, e.g. if you could share the diagram.

 

HTH

Rate if you find it helpful.

 


I have attached a diagram and running configs.

Basically, I'm not sure how IP SLA would work with route statements pointing to the Cradlepoint's gateway. If I send all 10.0.0.0/8 traffic to the Cradlepoint gateway, wouldn't it reject all that traffic since it doesn't know how to route it? I need something like:

 

ip route 10.0.0.0 255.0.0.0 VPN-TUNNEL name MY-Cradlepoint

But I can't figure out how to do that since the VPN tunnel doesn't have an interface.


Yes, all your assumptions are correct. Question on this:

ip route 10.2.3.0 255.255.0.0 166.139.144.156 OR Fe0/1 120

If I specify 10.2.0.0 255.255.0.0 Fe0/1 120 with my current config, I suppose the router knows how to route those packets since it has a crypto map applied to it? I think I can just use that static route if specifying the interface as the gateway works like I think it will.

There's no way I can get Verizon involved in routing the traffic so I'll have to look at tunnel interfaces.

EDIT: I made tunnel interfaces and now everything is great.
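The design the thread converges on, written out as an added example that is not any poster's configuration: a tracked static route over the T1 (the IP SLA reply above) is primary, and a GRE tunnel interface with IPsec tunnel protection over the Cradlepoint (the accepted solution's "Tunnel interface" suggestion and the original poster's final fix) carries the floating static route that was meant to point at "VPN-TUNNEL", replacing the crypto map. Interface names, the 172.16.100.0/30 tunnel subnet, REMOTE_WAN_IP, the 10.2.0.0/16 remote LAN, the pre-shared key and the use of a static rather than EIGRP over the T1 are assumptions or placeholders; 10.4.1.2 and 166.139.144.156 are the next hops the thread itself gives, and the far-side router needs the mirror image.

```cisco
! Added example (not from the thread or any poster's running config):
! Utica-side 2901. Primary path = tracked static over the T1; backup =
! GRE tunnel with IPsec tunnel protection over the Cradlepoint 4G link.
! Assumed placeholders: GigabitEthernet0/1 = Cradlepoint-facing port,
! Serial0/0/0 = T1, REMOTE_WAN_IP = far side's 4G public address,
! 10.2.0.0/16 = remote LAN, REPLACE_WITH_STRONG_PSK = pre-shared key.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address REMOTE_WAN_IP
crypto ipsec transform-set TS-4G esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-4G
 set transform-set TS-4G
!
interface Tunnel0
 description GRE to remote site over Cradlepoint 4G, IPsec protected
 ip address 172.16.100.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination REMOTE_WAN_IP
 tunnel protection ipsec profile IPSEC-4G
!
! The tunnel endpoint must be reached via the Cradlepoint gateway only;
! a /32 keeps it off the T1 and out of the tunnel itself (no recursion).
ip route REMOTE_WAN_IP 255.255.255.255 166.139.144.156 name TO-4G-PEER
!
! Probe the far end of the T1 every 10 s; timeout (ms) must not exceed
! frequency (s). Sourcing from the T1 pins the probe to that path.
ip sla 1
 icmp-echo 10.4.1.2 source-interface Serial0/0/0
 timeout 5000
 frequency 10
ip sla schedule 1 life forever start-time now
track 10 ip sla 1 reachability
 delay down 10 up 10
!
! Primary (AD 1) via the T1 is withdrawn when track 10 goes down; the
! floating static (AD 120) via Tunnel0 then takes over. Pointing at the
! tunnel interface is what the "VPN-TUNNEL" route in the thread needed.
ip route 10.2.0.0 255.255.0.0 10.4.1.2 name VIA-T1 track 10
ip route 10.2.0.0 255.255.0.0 Tunnel0 120 name VIA-4G
```

Verify with "show track 10" and "show ip route 10.2.0.0" before and after shutting the T1; the Tunnel0 route should appear only while the track is down.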