VPN path redundancy between two sites and a 3rd party

sanchezeldorado
Level 1

Hello!

See attached diagram. I have two sites with a site-to-site VPN between them (ML and BT). iosv-0 represents my internet connection. Ignore the ext-conn-0. I also have a backup MPLS connection between them for redundancy (represented by S3 on the diagram). When one site loses primary internet, all traffic, including internet, goes over the backup MPLS. This works great, with one exception. Each of my sites has a site-to-site VPN to a 3rd-party Google Cloud VM for Sage. Here's my scenario. If I lose internet on the BT side, I lose the VPN and all traffic re-routes across the MPLS and out the ML side. The Sage VPN to ML interesting traffic only specifies the ML addresses. The BT side only specifies the BT addresses. I'm wondering what the best way would be for all this to work. I know there are different ways to tackle this, but what's the best practice for something like this? When everything is up and running, I want traffic from Sage to ML to go directly to ML. I also want traffic from Sage to BT to go directly to BT. Am I correct that I can't specify both BT and ML addresses as interesting traffic on both VPN tunnels? How would Google know which site to send it to? If the answer is a routing protocol, how do I configure that through VPN?

[attached image: SageVPN.PNG]

Thanks in advance!

Andy

3 Replies

Hello,

I guess the easiest would be to configure a 'backup' VPN on both sites, peering with Google, and then configure a failover (such as an IP SLA) that routes interesting traffic through the backup VPN. What kind of VPN is that (IPsec/GRE/VTI)? Can you post the config of one of the site routers?

Hey Georg!

Sorry for the delayed response. I've been looking this over along with some different options. I'm using Cisco FTD firewalls for the live configuration, but I'm using ASA firewalls in a lab environment as a proof of concept first. It's an IPsec VPN. I like your idea, but I guess what I'm confused about is that what I essentially need is two VPNs between the same two devices. I have a /28 block of external IPs, so I could use more than one IP to differentiate, but I'm wondering if it's possible for me to set up a VPN using the non-interface IP address. For example, my "External addresses" on one side of my lab is 10.255.255.16/28. My firewall is using 10.255.255.18 on the interface, but in order to configure a second VPN as a backup, I assume I would need to use another external IP like 10.255.255.19. I know how to NAT internal traffic out a secondary IP address, but I don't know how I would get a VPN to negotiate with that IP.

Hello,

looking at your original post:

--> When one site loses primary internet, all traffic including internet goes over the backup MPLS.

This is important. When the backup VPN peers with the same IP address as the primary VPN, you practically gain nothing, since both won't work when the primary is down. So ideally you need a backup VPN that not only peers with another IP address, but also with another ISP (all of that, to make it a true backup, configured on another device).
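As an added example that is not part of any post in this thread, the following ASA configuration sketches the two pieces Georg's replies describe: a separate backup IPsec tunnel to the Sage/Google peer, terminated on a second, independent uplink rather than on the same outside interface, and an IP SLA probe whose tracked default route withdraws the primary path when the ISP gateway stops answering. The outside interface address 10.255.255.18 comes from Andy's lab; the ISP gateway 10.255.255.17, the interface name backup, the Google peer addresses 203.0.113.10 and 203.0.113.11, the internal and Sage VM ranges, and the pre-shared keys are all assumed placeholders. The crypto ACL is per site (only this site's internal range), matching Andy's current design where each tunnel's interesting traffic names only its own site.

```cisco
! --- Assumed placeholders: peer addresses, ranges and PSKs are not from the thread ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable backup
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Interesting traffic for this site only: its internal range to the Sage VM range
access-list SAGE_VPN extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!
! Primary tunnel, terminated on the outside interface (10.255.255.18)
crypto map OUTSIDE_MAP 10 match address SAGE_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
!
! Backup tunnel to a second Google endpoint, terminated on a second uplink
! (a different ISP, per the reply above; on the same link it would fail together with the primary)
crypto map BACKUP_MAP 10 match address SAGE_VPN
crypto map BACKUP_MAP 10 set peer 203.0.113.11
crypto map BACKUP_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map BACKUP_MAP interface backup
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PSK-PLACEHOLDER-PRIMARY
 ikev2 local-authentication pre-shared-key PSK-PLACEHOLDER-PRIMARY
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PSK-PLACEHOLDER-BACKUP
 ikev2 local-authentication pre-shared-key PSK-PLACEHOLDER-BACKUP
!
! IP SLA: ping the ISP gateway every 10 s; track 1 goes down when it stops replying
sla monitor 10
 type echo protocol ipIcmpEcho 10.255.255.17 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Tracked primary default route; floating route (AD 254) via the backup uplink
! takes over only when track 1 is down, so the backup crypto map then carries SAGE_VPN
route outside 0.0.0.0 0.0.0.0 10.255.255.17 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

With the primary default route withdrawn, traffic matching SAGE_VPN egresses via the backup interface and is encrypted by BACKUP_MAP toward 203.0.113.11; the Google side must have a matching second tunnel configured for that peer. Note that this does not change which site Google sends Sage traffic to: each tunnel still advertises only its own site's range, which is why the thread's remaining question about cross-site reachability is a routing question rather than a failover one.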
