Solved: terminating IPsec tunnel over backup internet circuit

Amafsha1 · ‎12-27-2018

I’m hoping to word this as clearly as possible but I’m probably missing info. Very basic drawing attached. We have an edge router that 2 internet circuits terminate on. 1 is backup and 1 is primary. The configs are simple. We use local-pref – primary is 200, and secondary is 150 for outbound. We use prepend for controlling how traffic gets to us inbound. Secondary obviously prepended more. We get nothing more than just a default route from the ISP for both these circuits.

So to the questions: Is it possible to somehow terminate an ipsec tunnel on the secondary circuit? Since util is hitting high on the primary circuit, I would like to not throw more things onto that circuit and would like to use our backup circuit that never gets used (only for failover situation) to terminate the ipsec tunnel. Is this possible?

Re-read my post and realize I’m not being clear at all.

So the IP I would obviously use to make this IPsec tunnel would be the IP of my secondary circuit interface. So this would only work on the secondary circuit and it would not failover or work on the primary….that is fine. Just wondering if this would work…

Here are the configs for the edge router and firewall:

Firewall#
interface Port-channel10.771
nameif Outside
security-level 0
ip address 172.28.255.1 255.255.255.0 standby 172.28.255.2
 
 
 


Edge Router#
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   172.28.255.125       YES NVRAM  up                    up
GigabitEthernet0/0/1   63.1.1.234               YES NVRAM  up                    up
GigabitEthernet0/0/2   209.1.1.68                YES NVRAM  up                    up
GigabitEthernet0/0/3   unassigned              YES NVRAM  administratively down down
 
 
!
interface GigabitEthernet0/0/0
description to Firewall
ip address 172.28.255.125 255.255.255.0
ip nat inside
speed 1000
no negotiation auto
end
 
!
interface GigabitEthernet0/0/1
description primary internet circuit
ip address 63.1.1.234 255.255.255.248
ip nat outside
speed 1000
no negotiation auto
end
 
!
interface GigabitEthernet0/0/2
description backup internet circuit
ip address 209.1.1.68 255.255.255.240
ip nat outside
speed 1000
no negotiation auto
end


Edge Router# sh ip bop
    Network          Next Hop            Metric LocPrf Weight Path
*   0.0.0.0          209.1.1.67                150      0 7385 i
*                    209.1.1.66                150      0 7385 i
*>                   63.1.1.233           0    200      0 209 i

Joseph W. Doherty · ‎12-28-2018

Perhaps a static route, to the tunnel's destination IP, via the backup interface.

View solution in original post

Richard Burts · ‎12-29-2018

Thanks for the additional information. The configs are helpful and knowing that this will be a simple lan to lan ipsec with crypto map means that the implementation is really simple (is there an ipsec implementation that is really simple? at least this is simple relative to other more complex ipsec).

You pretty much have identified the steps that you need to do. Here is my summary of what you should do:

1) configure an access list to identify the traffic to be protected by encryption

2) configure a transform set, isakmp parameters, and crypto map for the ipsec

3) assign the crypto map to the secondary ISP interface

4) configure a static route for the remote peer address and specify the next hop as the next hop address on your secondary ISP interface

Taking care of return traffic is really easy (and this time I do mean really easy). Since the remote peer will be using the IP address of your secondary circuit as their remote peer address their traffic to you will automatically come to your secondary interface. You do not need to do anything.

HTH

Rick

HTH

Rick

View solution in original post

Joseph W. Doherty · ‎12-28-2018

Perhaps a static route, to the tunnel's destination IP, via the backup interface.

Amafsha1 · ‎12-29-2018

Yeah I was thinking about that. That seems like too easy of a fix lol. I just posted some usefull configs back into the post, maybe that will help. If i put a static route on the edge router to point the peer ip, lets say 1.1.1.1 to use the secondary circuit ip of 209.1.1.x, what will that say about the return traffic?

Joseph W. Doherty · ‎12-30-2018

By default, return traffic will take best path back, unless you somehow also "force" it to take another path.

rmfalconer · ‎12-28-2018

I'm still not sure what you're trying to accomplish. What traffic are you trying to send over the tunnel? Is this a desired backup for certain WAN traffic?

Amafsha1 · ‎12-29-2018

I posted some configs above. This is a L-2-L crytomap tunnel. I want the peer to be able to access resources on our network here.

Richard Burts · ‎12-29-2018

Thanks for the additional information. The configs are helpful and knowing that this will be a simple lan to lan ipsec with crypto map means that the implementation is really simple (is there an ipsec implementation that is really simple? at least this is simple relative to other more complex ipsec).

You pretty much have identified the steps that you need to do. Here is my summary of what you should do:

1) configure an access list to identify the traffic to be protected by encryption

2) configure a transform set, isakmp parameters, and crypto map for the ipsec

3) assign the crypto map to the secondary ISP interface

4) configure a static route for the remote peer address and specify the next hop as the next hop address on your secondary ISP interface

Taking care of return traffic is really easy (and this time I do mean really easy). Since the remote peer will be using the IP address of your secondary circuit as their remote peer address their traffic to you will automatically come to your secondary interface. You do not need to do anything.

HTH

Rick

HTH

Rick

Amafsha1 · ‎12-29-2018

Thank you for explaining this. I just have one more question. I should've included it originally, but I didn't want to throw 2 questions in at the same time. Let's say that the edge router currently has this config below:

ip nat inside source static esp 172.28.255.1 interface GigabitEthernet0/0/1
ip nat inside source static udp 172.28.255.1 500 interface GigabitEthernet0/0/1 500

I think this config was put in for the other ipsec tunnel we have running over the primary internet circuit right now. If I input the nat translations command you see the following:

Edge Router #sh ip nat translations 
esp  63.1.1.234        172.28.255.1          13.13.12.67:8017     13.13.12.67
esp  63.1.1.234        172.28.255.1:         13.13.12.67          13.13.12.67
esp  63.1.1.234        172.28.255.1:         13.13.12.67          13.13.12.67
esp  63.1.1.234        172.28.255.1:         13.13.12.67          13.13.12.67
esp  63.1.1.234        172.28.255.1:         13.13.12.67          13.13.12.67
esp  63.1.1.234        172.28.255.1:         13.13.12.67:16       13.13.12.67
esp  63.1.1.234        172.28.255.1:         13.13.12.67:4        13.13.12.67
esp  63.1.1.234        172.28.255.1:         13.13.12.67:8192     13.13.12.67:2
esp  63.1.1.234        172.28.255.1:         13.13.12.67:40548    13.13.12.67:6995
esp  63.1.1.234        172.28.255.1:         13.13.12.67:32768    13.13.12.67
esp  63.1.1.234        172.28.255.1:         13.13.12.67          13.13.12.67:328
esp  63.1.1.234        172.28.255.1:         13.13.12.67:65535    13.13.12.67:65535

So now I'm wondering that if I make an ipsec tunnel on the firewall to go over the second circuit like we discussed, this NAT configs will automatically translate that IP to use g0/0/1 which is primary internet circuit and this probably would not work to use the second circuit because of this nat command correct? Would I need to use an IP address that the backup ISP has provided to me and write a new NAT statement on the edge router?...so that way the source address on the outside interface will not be 172.28.255.1 when going into the edge router... and instead be something else right? I hope my question is clear. Thank you for your help

Richard Burts · ‎12-30-2018

This translation is for an ipsec vpn running on the firewall. This and your second question bring up an aspect that I had not considered. I had been assuming that the ipsec vpn you were talking about using the secondary circuit would be running on the router. But you are asking about setting up the second lan to lan vpn on the firewall. This changes my suggestions. One complication is that there is an address translation for the firewall outside interface for the protocols esp and isakmp. For the second vpn you need the same ports to be translated for the secondary circuit interface. But you can not have 2 translations on the same interface for the same protocols. Is there another interface on the firewall that could be used for the new vpn?

HTH

Rick

HTH

Rick

Amafsha1 · ‎12-30-2018

aaaah ok I think I understand what you're saying, yes I believe you are definitely correct and I somehow need to have a second outside interface on the firewall to have this tunnel run over. I guess I can use g0/0/3 on edge router which is not being used and connect that the firewall to be the 2nd outside interface. Do you think that this is a pretty straightforward process?

1. connect the cable between g0/0/3 on edge router to firewall

2. create new sub-interface on firewall with new subnet for new outside IP address range

3. put in the 2 NAT statements on the edge router to translate for the firewall new outside interface for the protocols esp and isakmp

4. put static route on firewall to direct the peer address to use the new outside interface

you think I have it all here? Much appreciated on your help

Richard Burts · ‎12-31-2018

That sounds about right. Is there a crypto map on the firewall outside interface for the existing vpn? You may need a similar crypto map (and perhaps other crypto configuration) for the new vpn.

HTH

Rick

HTH

Rick

Amafsha1 · ‎12-31-2018

Thanks a lot for your help Richard. I guess there are multiple right answers here since I threw that 2nd question in there out of nowhere.

Richard Burts · ‎12-31-2018

Yes frequently there is more than one way to do something in networking and each way could work successfully.

HTH

Rick

HTH

Rick

Richard Burts · ‎12-29-2018

If we had more information we would be able to provide better answers. Will this ipsec be a simple implementation with a crypto map? Will it be ipsec with gre? Will it be ipsec with vti? But with the very little that we know we can say that in general it is quite possible to have most traffic using the primary circuit with failover to secondary and to have ipsec terminated on the secondary circuit.

HTH

Rick

HTH

Rick

Amafsha1 · ‎12-29-2018

Thank you for responding. This will be a simple crypto map implementation. I just posted some configs that will be more helpful. I'm just wondering if I put a static route to point the new tunnel peer, lets say their IP is 1.1.1.1 do I put a static route on the edge router that says 1.1.1.1 please use 209.1.1.x(secondary IP). That takes care of the outbound I guess, but I'm still lost on the inbound part.