I have the task of setting up the following:
Router, probably running BGP, terminating 3 ISPs, configured to provide failover. These 3 ISPs are the outside interfaces and they have all provided their separate range of public IP addresses. The 3 ISPs only provide internet access for VPN tunnels to run over them and nothing more. So no need to worry about internet bound traffic or the other way round.
The inside interface of the router is connecting to an ASA that is configured to run site to site VPN configuration between this site and 5 other remote locations. Different ISPs provide the internet access in those remote locations. Each remote location has an ASA where their VPN tunnel runs through.
So what I need to achieve is configure the router and ASA in such a way that the router provides a failover from ISP1 to ISP2 whenever ISP1 fails. This failover would be transparent to end users but will be automatic such that the VPN tunnel will then be established over the ISP that has been failed over to.
I'm thinking BGP on the router with multihoming configuration but then i get stuck when I have no AS number and no internet routable block of IPs to use between the router's inside interface and the outside interface of the ASA.
I have an image attached.
Any ideas on how best and easily to go about this? BGP or any other solution?
Sounds like you need DMVPN, no? However, DMVPN aside, looks like you only need to do the following:
Your VPN is using the router AND the ISPs as transport. If the ASAs at the remote site have public IP addresses, then from the perspective of the local site's VPN, it doesn't matter which ISP ( path) is taken to reach its remote peer. You want to avoid load-balancing between ISPs however, as VPNs are sensitive to latency/packet loss.
Rate if helpful.
Thanks for your feedback.
Your suggestion does sound interesting and I would be willing to give it a try immediately.
How do you create SLA probes to track the ISPs' respective next hops? Would you be so kind as to give me a sample config capturing your suggestion that I can start with please?
For the VPN on the local (HO) side, yes it doesn't really matter which ISP is taken to any of the remote peer. However, I believe the remote peer must be configured in such a way to allow the setup of a VPN tunnel to the HO site, regardless of which of the 3 ISPs its coming through. So provision, I believe must be made for all 3 ISPs in the peer to peer VPN config, right? This for me is where my second concern lies...
Thanks again and hope to hear back from you soon.
Based on your requirements, a DMVPN setup definitely seems most appropriate. You should look into it as I believe ASA can do DMVPN.
Now aassuming all you can do is site to site VPNs, then yes you need to configure multiple tunnels at the remote site. The ASA then would need an IP address on each of the IP blocks assigned from the ISPs at the HO for terminating the VPNs.
If you can get your own direct IP allocation then your ASA needs only one IP from your allocation for VPN termination. In this scenario, you could run BGP with the ISP but this may not be strictly necessary (you could get them to just use a stactic route for your allocation with the next hop being your side of the /30 with them). An ASN is required however if you use BGP.
If you go with a DMVPN solution, then your HO ASA need only have an IP from each of the ISPs blocks. Your remote sites then just get configured with 3 next hop servers.
Your question is really design focused, so I start to address it at the design level. I cannot provide any configuration examples until I know specific environment and have your specific configurations. Please check reference appropriate for your version of ASA/ IOS. Please see the attached solution diagram. This solution does not address tunnel security or routing between sites-- I only attempt to address the VPN aspect given your description and your requirements.
Basically, at the HO site:
As far as the HO ASA configuration, you need to do the following:
On the Remote Site ASAs the configuration is reduced to specifying a single Crypto-Map with multiple peers (see diagram):
Now, about DMVPN
You can only use DMVPN with Routers as GRE is not supported on ASA (IIRC). The ASA version of DMVPN is Dynamic IPSec tunnels. From a design perspective, if you used DMVPN on router vs. Dynamic IPSec on ASA, you are just moving the tunnel functionality from one device to the other. In your case, you've already paid for an ASA, might as well use it--DMVPN may require a VPN license on the router which may come as a cost.
Rate if helpful
Also wanted to point out a few more things regarding my solution:
Please let me know your feedback.
Thanks for this new insight. However, I did struggle to understand the concept of introducing the VLANs in this config, and I still am struggling to figure this out.
I however will attempt to shed some more light on the existing config and setup. Please refer to the attached image which pretty much shows a logical connection between the remote sites and the HO.
In summary, each remote site has an ASA, and one single ISP connection which is provided by a different ISP from the others. Each remote site has an ISP provided public IP address configured on the outside interface of the ASA and also used in the setup of the point-to-point tunnel between the Remote site and the HO.
As you already know, the HO also has an ASA directly connected to the router. The router has a physical connection to all 3 ISPs. The ASA has a point-to-point static VPN config to all the remote sites.
See a piece below from the HO ASA:
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer a.a.a.a
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map 2 match address Outside_cryptomap
crypto map Outside_map 2 set pfs
crypto map Outside_map 2 set peer b.b.b.b
crypto map Outside_map 2 set transform-set ESP-3DES-SHA
crypto map Outside_map 2 set security-association lifetime seconds 28800
crypto map Outside_map 2 set security-association lifetime kilobytes 4608000
crypto map Outside_map 3 match address Outside_cryptomap_2
crypto map Outside_map 3 set pfs
crypto map Outside_map 3 set peer c.c.c.c
crypto map Outside_map 3 set transform-set ESP-3DES-SHA
crypto map Outside_map 3 set security-association lifetime seconds 28800
crypto map Outside_map 3 set security-association lifetime kilobytes 4608000
crypto map Outside_map 4 match address Outside_cryptomap_4
crypto map Outside_map 4 set pfs
crypto map Outside_map 4 set peer d.d.d.d
crypto map Outside_map 4 set transform-set ESP-3DES-SHA
crypto map Outside_map 4 set security-association lifetime seconds 28800
crypto map Outside_map 4 set security-association lifetime kilobytes 4608000
crypto map Outside_map 10 match address Outside_cryptomap_10
crypto map Outside_map 10 set pfs
crypto map Outside_map 10 set peer e.e.e.e
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 set security-association lifetime seconds 28800
crypto map Outside_map 10 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a ipsec-attributes
tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b ipsec-attributes
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c ipsec-attributes
tunnel-group d.d.d.d type ipsec-l2l
tunnel-group d.d.d.d ipsec-attributes
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
tunnel-group TEST ipsec-attributes
tunnel-group e.e.e.e type ipsec-l2l
tunnel-group e.e.e.e ipsec-attributes
So with all your explanations so far, I'm not sure how to go about this issue.
What i initially had in mind was static routes in each location between that location and the HO. I was also exploring how to use this along with some sort of IP SLA with tracking. What do you think?
For the Asymmetric Routing issue, is it not possible to configure the HO Router to select the ISP to use in an order of preference such as ISP1 being preferred, ISP2 second preferred, ISP3 third preferred? Even though, thinking about it again, this may not resolve the issue entirely…
Bridging ISP to ASA: This for me was a confusion and I was lost at some point. Do you mind sharing sample config of what needs to be done on the HO ASA and the HO Router in light of this new development of not bothering to bridge ISP to ASA?
Going by your example, each ISP assigns only 1 range of IP block to use on the out interface of the HO Router. In our case we will have 3 blocks configured on 3 different out interfaces of the router. Does this imply using this sub interface option on the interface between the HO Router and ASA would not fly as we have to use a range of IPs provided by the ISP or can we use private IPs?
Could you help with a sample config, on both ASA and Router sides, to achieve this as I wasn’t clear with what i read up in the reference you provided and how it applies to my scenario?
Traffic Engineering: Yes you are right about this and we will manage this quite well
Hair-pining VPN traffic: The client already has site-to-site configured between remote sites. I however do not know how this option will apply to the new config because I still do not understand how the VLANs come into play here.
Here is what i came up with to be applied at the remote site ASAs
crypto map HO_ISP 10 ipsec-isakmp
crypto map HO_ISP 10 set connection-type originate-only
crypto map HO_ISP 10 set peer 220.127.116.11 default
crypto map HO_ISP 10 set peer 18.104.22.168 22.214.171.124
crypto map HO_ISP 10 set security-association idle time 120 default
I believe this will set preference in this order: 126.96.36.199, 188.8.131.52, 184.108.40.206?
As always, thanks for your valuable contributions.