05-09-2016 08:09 AM - edited 03-05-2019 03:58 AM
Hi,
Scenario:
Branch router connects to the service provider, and from the SP MPLS cloud the connectivity goes to the head-end router. BGP is the protocol used to establish an eBGP neighborship between the branch router and the SP peer IP. In addition to this, there is an IPsec VPN configuration in place, defined with the ACLs through which the interesting traffic would be generated.
In a situation where the eBGP neighborship is down, but the link is up and we are able to reach the SP end IP address from the branch router, can we bring up an IPsec tunnel?
Does the IPsec tunnel rely on the eBGP protocol, or is it totally based on the interesting traffic that is generated from the source ACL, which just requires the MPLS link to be up?
Please clarify...
05-09-2016 09:29 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
The tunnel relies on tunnel packets being delivered, end-to-end, between the two tunnel end-points.
Likely in the topology you describe, if BGP is down, tunnel packets won't be delivered between the tunnel end-points, and if not, the tunnel won't function.
05-09-2016 10:34 AM
So, it means that the IPsec tunnel won't get established if the BGP session is down, although the link between the source and peer is up and reachable in the network, or the IPsec tunnel might get formed but it won't function properly?
My understanding is that although BGP is in either Idle or Active state with the neighbor, the IPsec VPN tunnel can still be formed with the neighbor while interesting traffic gets generated from the source LAN, where the source WAN IP is able to ping the peer WAN IP address...
05-10-2016 02:45 AM
Not knowing exactly how your BGP supports your topology, I cannot say whether it being down or up will impact your tunnel. However, as I noted, your topology needs to support tunnel packets being able to transit between the two tunnel end-points. If it doesn't, the tunnel won't work. (If you can ping between the two tunnel end-points, the tunnel should work too.)
05-10-2016 06:33 AM
I agree with Joseph that it is not clear in your explanation whether the peer addresses can communicate with each other when BGP is down. As Joseph has explained, if both peer addresses can communicate with each other then the VPN tunnel can come up and can work, and if the peer addresses cannot communicate with each other then the VPN tunnel will not work. But it is not clear to us whether the peer addresses can actually communicate with each other when BGP is down.
HTH
Rick
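An added illustration, not written by any poster in this thread, of the distinction the replies draw: reaching the directly connected SP address is not the same as having a route to the IPsec peer. The routing table, the addresses (documentation ranges) and the assumption that the head-end peer prefix is learned over eBGP are all constructed for the example.

```python
import ipaddress

def best_route(rib, dest):
    """Longest-prefix match over (prefix, source) entries; None if no route."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), src) for p, src in rib
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def rib_without_bgp(rib):
    """What the table looks like once the eBGP session drops and its routes are withdrawn."""
    return [(p, src) for p, src in rib if src != "bgp"]

def can_send_to(rib, peer):
    """IKE/ESP packets need some route to the peer; which protocol installed it is irrelevant.
    This is necessary, not sufficient: the far end also needs a return route."""
    return best_route(rib, peer) is not None

# Constructed branch router table (assumption: head-end prefixes arrive via eBGP from the SP).
BRANCH_RIB = [
    ("192.0.2.0/30", "connected"),    # WAN link to the SP PE
    ("10.10.0.0/24", "connected"),    # branch LAN
    ("198.51.100.0/24", "bgp"),       # head-end WAN subnet
    ("10.20.0.0/16", "bgp"),          # head-end LAN
]
SP_PE = "192.0.2.1"             # constructed: the "SP end IP" that still pings
HEAD_END_PEER = "198.51.100.10" # constructed: the IPsec peer address

def scenario(rib):
    return {"sp_pe": can_send_to(rib, SP_PE),
            "ipsec_peer": can_send_to(rib, HEAD_END_PEER)}

if __name__ == "__main__":
    print("BGP up:          ", scenario(BRANCH_RIB))
    down = rib_without_bgp(BRANCH_RIB)
    print("BGP down:        ", scenario(down))
    # A static route to the peer restores the path without BGP.
    print("BGP down + static:", scenario(down + [("198.51.100.10/32", "static")]))
```

If the IPsec peer were instead an address on the connected WAN subnet, the second scenario would still show it as reachable, which is the case Joseph and Rick say cannot be ruled out from the description.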