Dual vpn same site

argnetworking
Level 1

Hi everyone, I'm looking for advice on a configuration.

I have two sites that I have to connect with VPN. On each site I have two internet providers, each internet provider has their own router (Cisco 851) connected to the LAN.

What I want to do is configure two VPN tunnels on each site and set one of them as the primary VPN and the other as the backup VPN. It needs to be automatic: if one tunnel goes down, the traffic should go through the other tunnel with no user intervention.

How can I configure this? Any ideas or configuration examples would be great.

Thanks,

gonzalo

Accepted Solution

Make sure you disable ICMP redirects on the routers. In this example, I set up the configuration on router 1 and router 2; router 3 and router 4 should have a similar configuration to ensure proper routing.
router 1 external IP: 1.1.1.1
router 1 internal IP: 10.1.0.2/24
router 2 external IP: 2.2.2.2
router 2 internal IP: 10.1.0.3/24
router 3 external IP: 3.3.3.3
router 3 internal IP: 10.2.0.3/24
router 4 external IP: 4.4.4.4
router 4 internal IP: 10.2.0.4/24

router 1:
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0/1
 ip address 10.1.0.2 255.255.255.0
 ! ICMP redirects disabled on the LAN side, as noted above
 no ip redirects
 standby 10 name cciesec
 standby 10 priority 105
 standby 10 ip 10.1.0.1
 standby 10 preempt
!
interface Tunnel0
 ip address 10.100.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 3.3.3.3
 ! GRE keepalive every 10 s, 3 misses bring the line protocol down
 keepalive 10 3
 no shutdown
!
ip access-list extended vpn
 permit gre host 1.1.1.1 host 3.3.3.3
!
crypto isakmp key cciesec2011 address 3.3.3.3 no-xauth
crypto isakmp policy 10
 authentication pre-share
 hash sha
 encryption 3des
 group 2
 lifetime 86400
!
crypto ipsec transform-set tset esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set tset
 set security-association lifetime seconds 3600
 set pfs group2
 match address vpn
!
interface FastEthernet0/0
 crypto map vpn
!
ip route 10.2.0.0 255.255.255.0 Tunnel0
ip route 10.2.0.0 255.255.255.0 10.1.0.3 220

router 2:
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.252
!
interface FastEthernet0/1
 ip address 10.1.0.3 255.255.255.0
 ! ICMP redirects disabled on the LAN side, as noted above
 no ip redirects
 standby 10 name cciesec
 ! 100 (the default) keeps router 2 below router 1's 105, so router 1 is the
 ! HSRP active router and the R1-R3 tunnel is the primary path described below
 standby 10 priority 100
 standby 10 ip 10.1.0.1
 standby 10 preempt
!
interface Tunnel0
 ip address 10.100.2.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 4.4.4.4
 ! GRE keepalive every 10 s, 3 misses bring the line protocol down
 keepalive 10 3
 no shutdown
!
ip access-list extended vpn
 permit gre host 2.2.2.2 host 4.4.4.4
!
crypto isakmp key cciesec2011 address 4.4.4.4 no-xauth
crypto isakmp policy 10
 authentication pre-share
 hash sha
 encryption 3des
 group 2
 lifetime 86400
!
crypto ipsec transform-set tset esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set tset
 set security-association lifetime seconds 3600
 set pfs group2
 match address vpn
!
interface FastEthernet0/0
 crypto map vpn
!
ip route 10.2.0.0 255.255.255.0 Tunnel0
ip route 10.2.0.0 255.255.255.0 10.1.0.2 220

With this configuration, under normal conditions, traffic will use the VPN tunnel between router 1 and router 3. If something happens to the VPN tunnel, the GRE tunnel will go down; traffic from 10.1.0.0/24 to 10.2.0.0/24 will still hit router 1. However, because the GRE tunnel between router 1 and router 3 is not available, the floating static route will kick in, and R1 will then send traffic destined for 10.2.0.0/24 over to router 2. From there, R2 will tunnel this traffic over its own GRE tunnel between R2 and R4.

The whole time, the GRE traffic going over the Internet will be encrypted by the IPsec tunnel.

With this setup, you don't even need to track any interfaces in your HSRP configuration.

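The accepted configuration as an audit target, in an added Python example that is not code from the thread or from Cisco. It parses a constructed IOS fragment modelled on router 1 above (keywords spelled out, the poster's interface names and addresses) and flags what a reviewer would raise today: 3DES, SHA-1 and DH group 2 for IKE and ESP, HSRP on a LAN interface without `no ip redirects`, a GRE tunnel with no keepalive (without it the tunnel interface never goes down, so the floating route never kicks in), a prefix with no floating backup, and two routers sharing an HSRP priority, where IOS breaks the tie in favour of the higher interface address. The weak-algorithm sets are my choice of what to flag; the default HSRP priority of 100 is the IOS default.

```python
"""Static audit of the posted GRE-over-IPsec + HSRP design (added example, not from the thread)."""

# Constructed sample modelled on router 1 of the accepted solution, with IOS keywords spelled out.
R1_CONFIG = """\
interface FastEthernet0/1
 ip address 10.1.0.2 255.255.255.0
 standby 10 ip 10.1.0.1
 standby 10 priority 105
 standby 10 preempt
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 3.3.3.3
crypto isakmp policy 10
 authentication pre-share
 hash sha
 encryption 3des
 group 2
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 3.3.3.3
 set pfs group2
ip route 10.2.0.0 255.255.255.0 Tunnel0
ip route 10.2.0.0 255.255.255.0 10.1.0.3 220
"""
# Router 2's LAN interface as originally posted: same priority 105, but the higher address 10.1.0.3.
R2_CONFIG = R1_CONFIG.split("interface Tunnel0")[0].replace("10.1.0.2", "10.1.0.3")

WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
WEAK_PFS = {"group1", "group2", "group5"}


def parse_blocks(config):
    """Split IOS config text into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def audit(config):
    """Findings for one router: weak crypto, HSRP/GRE hygiene, prefixes without a floating backup."""
    findings, routes = [], {}
    for head, body in parse_blocks(config):
        words = head.split()
        if head.startswith("crypto isakmp policy"):
            for sub in body:
                key, _, val = sub.partition(" ")
                if val in WEAK_IKE.get(key, ()):        # 'hash sha' in IOS means SHA-1
                    findings.append(f"{head}: weak {key} '{val}'")
        elif head.startswith("crypto ipsec transform-set"):
            findings += [f"{head}: weak transform '{a}'" for a in words[4:] if a in WEAK_ESP]
        elif head.startswith("crypto map") and "ipsec-isakmp" in head:
            pfs = next((s.split()[-1] for s in body if s.startswith("set pfs")), None)
            if pfs is None or pfs in WEAK_PFS:
                findings.append(f"{head}: PFS {pfs or 'disabled'}")
        elif head.startswith("interface"):
            if any(s.startswith("standby") for s in body) and "no ip redirects" not in body:
                findings.append(f"{head}: HSRP without 'no ip redirects'")
            if any(s.startswith("tunnel destination") for s in body) and not any(
                    s.startswith("keepalive") for s in body):
                findings.append(f"{head}: GRE tunnel without keepalive, so it never goes down")
        elif head.startswith("ip route") and len(words) >= 5:
            ad = int(words[5]) if len(words) > 5 and words[5].isdigit() else 1
            routes.setdefault((words[2], words[3]), []).append(ad)
    for (prefix, mask), ads in routes.items():
        if len(ads) < 2:
            findings.append(f"ip route {prefix} {mask}: single path, no floating backup")
        elif len(set(ads)) < len(ads):
            findings.append(f"ip route {prefix} {mask}: equal distances load-share instead of failing over")
    return findings


def hsrp_active(configs):
    """HSRP election over {router: config}: highest priority wins, a tie goes to the highest IP."""
    members = {}
    for name, cfg in configs.items():
        for head, body in parse_blocks(cfg):
            if not head.startswith("interface"):
                continue
            ip = next((s.split()[2] for s in body if s.startswith("ip address")), "0.0.0.0")
            prios = {}
            for w in (s.split() for s in body):
                if w[0] == "standby" and len(w) > 2:
                    prios.setdefault(w[1], 100)         # IOS default HSRP priority
                    if w[2] == "priority":
                        prios[w[1]] = int(w[3])
            for grp, pri in prios.items():
                members.setdefault(grp, []).append((pri, tuple(map(int, ip.split("."))), name))
    return {grp: (max(ms)[2], "tie on priority, highest IP wins" if len({m[0] for m in ms}) < len(ms)
                  else "highest priority") for grp, ms in members.items()}


if __name__ == "__main__":
    print(*audit(R1_CONFIG), hsrp_active({"router 1": R1_CONFIG, "router 2": R2_CONFIG}), sep="\n")
```

Run it to see every finding on the sample, then feed it your own `show running-config` output; the HSRP check is the one that explains why, with both routers at priority 105, router 2 rather than router 1 would have become active.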

7 Replies

mulatif
Cisco Employee

Hi,

What type of VPN you are looking to implement ?

DMVPN, Easy VPN, Simple L2L VPN ?

Are you going to be running HSRP between the two ISP Routers on the Inside LAN Interfaces ?

Since the VPN router itself is going to be behind the ISP routers, nothing special needs to be done on this router. E.g., if the remote VPN peer is X, then as long as traffic to X can be routed through either ISP (using HSRP etc.), the VPN will work.

Thanks,

Naman

Naman, I'm attaching a diagram of what I have right now in terms of hardware. I have four routers, and I can bring up two VPN tunnels between Site-A and Site-B, one between router 1 and 3 and the other between router 2 and 4.

Let's say I configure HSRP between router 1 and 2, so PC1 can have the default gateway 10.1.0.3 (virtual IP). Would this be enough to get redundancy to site B?

As I understand it, HSRP works at the hardware level; what I mean is, if one router goes down the other takes control. But what happens if just the VPN goes down but the router is up? HSRP doesn't know; how can I monitor this?

Thanks,

Gonzalo

It depends on how complicated you want the solution to be, but here are several solutions:

solution #1: with a dynamic routing protocol

on router 1: create a GRE tunnel to router 3;

on router 2: create a GRE tunnel to router 4;

on router 3: create a GRE tunnel to router 1;

on router 4: create a GRE tunnel to router 2

create an IPSec tunnel between router 1 and router 3,

create an IPSec tunnel between router 2 and router 4,

Put all of your GRE tunnel networks and the PCs' networks into either OSPF or EIGRP. That will make everything work transparently.

solution #2:  with static floating route

Make sure you have a cross-over connection between router 1 and router 2, and between router 3 and router 4.

on router 1: create a GRE tunnel to router 3;

on router 2: create a GRE tunnel to router 4;

on router 3: create a GRE tunnel to router 1;

on router 4: create a GRE tunnel to router 2

Send traffic between the PCs' networks with the GRE tunnel as the next hop, making the GRE tunnel between router 1 and router 3 the primary. However, you also want to create a floating static route on router 1 pointing to router 2, with an administrative distance of 220, in case the GRE tunnel between R1 and R3 goes down. The traffic will be re-routed over R2 and will use the GRE tunnel between router 2 and router 4. You get the idea. Lots of static routes, but it will work.

create an IPSec tunnel between router 1 and router 3,

create an IPSec tunnel between router 2 and router 4,

The IPsec tunnel is just a transport to tunnel your GRE traffic over the Internet safely.

Keep in mind that with a multiple-group HSRP setup, you can utilize both VPN tunnels.
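The failover of solution #2, as an added hop-by-hop forwarding model in Python; it is not code from the thread or from Cisco. It assumes the four-router topology above (R1/R2 in front of 10.1.0.0/24, R3/R4 in front of 10.2.0.0/24), a static route out of each GRE tunnel with a floating route of distance 220 toward the LAN neighbour, mirror-image routes on R3/R4, and that a route out of a tunnel is withdrawn while that tunnel is down, which is what the GRE keepalive achieves on IOS. Besides the normal and single-failure cases it covers the case the thread does not mention: with both tunnels down, the two floating routes point at each other and a packet bounces between R1 and R2 on the LAN until its TTL expires.

```python
"""Hop-by-hop model of the floating-static-route failover (added example, not from the thread)."""
import ipaddress

# Each GRE tunnel is one named link seen from both ends; its IPsec transport is implicit.
TUNNELS = {
    ("R1", "Tunnel0"): ("R1-R3", "R3"), ("R3", "Tunnel0"): ("R1-R3", "R1"),
    ("R2", "Tunnel0"): ("R2-R4", "R4"), ("R4", "Tunnel0"): ("R2-R4", "R2"),
}
# Static routes as (prefix, administrative distance, next hop). "LAN" is the connected
# subnet; a router name is the LAN neighbour reached through the floating route (AD 220).
ROUTES = {
    "R1": [("10.1.0.0/24", 0, "LAN"), ("10.2.0.0/24", 1, "Tunnel0"), ("10.2.0.0/24", 220, "R2")],
    "R2": [("10.1.0.0/24", 0, "LAN"), ("10.2.0.0/24", 1, "Tunnel0"), ("10.2.0.0/24", 220, "R1")],
    "R3": [("10.2.0.0/24", 0, "LAN"), ("10.1.0.0/24", 1, "Tunnel0"), ("10.1.0.0/24", 220, "R4")],
    "R4": [("10.2.0.0/24", 0, "LAN"), ("10.1.0.0/24", 1, "Tunnel0"), ("10.1.0.0/24", 220, "R3")],
}


def best_next_hop(router, dst, down_links):
    """Longest prefix first, then lowest AD. A route out of a GRE interface is withdrawn
    while that tunnel link is down, which is exactly what `keepalive` on the tunnel buys."""
    candidates = []
    for prefix, ad, nh in ROUTES[router]:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        if nh == "Tunnel0" and TUNNELS[(router, nh)][0] in down_links:
            continue
        candidates.append((-net.prefixlen, ad, nh))
    return min(candidates)[2] if candidates else None


def forward(gateway, dst, down_links=frozenset(), ttl=64):
    """Follow a packet from the HSRP-active gateway; returns (outcome, routers visited)."""
    dst = ipaddress.ip_address(dst)
    path, router = [gateway], gateway
    while ttl > 0:
        nh = best_next_hop(router, dst, down_links)
        if nh is None:
            return "unroutable", path
        if nh == "LAN":
            return "delivered", path
        router = TUNNELS[(router, nh)][1] if nh == "Tunnel0" else nh
        path.append(router)
        ttl -= 1          # every router decrements TTL; a LAN ping-pong burns it down to zero
    return "ttl-expired", path


if __name__ == "__main__":
    for down in (set(), {"R1-R3"}, {"R1-R3", "R2-R4"}):
        print(down or "all up", forward("R1", "10.2.0.10", down), forward("R3", "10.1.0.10", down))
```

The `gateway` argument is whichever router is HSRP active at the sending site; the reply direction is modelled from R3, so you can confirm that the return path also moves to the R2-R4 tunnel when the R1-R3 tunnel drops, which is why R3 and R4 need the mirror-image routes.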

cciesec2011, thanks for the information. Is it too much to ask for a basic configuration example for one of the routers?

I think I would prefer option 2. I don't need to use both VPNs at the same time; for now it is enough to have one as the primary and the other as a backup.

Right now I have a VPN between router 1 and 3 that I built with the SDM wizard; I don't think that's a GRE tunnel, right?

As I understand it, with HSRP I can check the status of the GRE tunnel and, if it is down, forward everything to the backup VPN tunnel? How do I do that?

Thanks for any config or example that you can send.

Gonzalo


Thank you very, very, very much for the configuration. I have already planned downtime for next week to try the configuration.

I will post the results as soon as I try everything.

Gonzalo

Thanks for the help, everything worked the way I wanted.

Gonzalo