
ipsec + load balancing

harizanovg
Level 1

Hi everyone,

I have the following setup:

active HSRP -|--2600-------T1-------2600--|- active HSRP
             e|                            |e
             t|                            |t
             h|                            |h
backup HSRP -|--2600-------T1-------2600--|- backup HSRP

The 4 routers are running 12.2(24a). The ethernet and T1 interfaces are configured for per packet load sharing with CEF. HSRP is running on the ethernet interfaces.

EIGRP is the routing protocol and is configured for load balancing.

All works well until IPsec is introduced ...

When I configure IPsec over the T1 on the backup HSRP pair things are still normal..

BTW.. the EIGRP traffic is not being encrypted.. so all EIGRP routing works well with or without encryption.

When I configure IPsec over the T1 on the active HSRP pair then all traffic is going over that T1 only.. no load balancing..

Anybody else had similar experience?

Again, encryption is configured on the serial interfaces only.. the ethernet interfaces have HSRP but no encryption..

Thanks,

-GH

4 Replies

harizanovg
Level 1

Attached is a file where the diagram is clearer..

Sorry about the above one..

vcjones
Level 5

Sounds like you forgot to weight the IPSec routes to have the same metric as your EIGRP routes (I suspect you are overriding the EIGRP routes, which don't know IPSec from a hole in the ground, with static routes). You can see this if you do a "show ip route xxx" where xxx is a destination on the far side which should be load balanced.

Fixing the problem is a little tricky, because your static routes won't respond to many modes of IPSec tunnel failure, leaving you with a black hole.

But that begs the question of why bother with IPSec when going across a private T1 line (which this must be in order to support EIGRP neighboring). If you can't trust the T1 to carry data in the clear, how can you trust what you learn from EIGRP, which is easily spoofed unless you've configured strong authentication?

Assuming you do have a need for IPSec and for load balancing, my recommendation (subject to revision based on more info about your specific needs) would be to use BGP between the routers, setting up EBGP relations between the routers on each end of each IPSec tunnel and IBGP between the two routers at each end. Then use GLBP (or split HSRP/VRRP) to load share across the two routers from the LAN.

If you really need per packet load balancing, you could set up IPSec tunnels across both T1's for each router, but that makes the configuration at least twice as complex, and that much more prone to mistakes which could affect your availability.

Whatever approach you choose, remember:

availability <> load balancing <> cost/complexity

you only get to choose two out of three.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

Vincent,

Thanks for the suggestions.

What do you refer to when you say IPsec routes?

All routes are derived by EIGRP and there are multiple routes for the same destination at each router, which sets the condition for load balancing..

There are no static routes..

The problem appears to be an issue between "ip load-sharing per-packet" command and crypto map command being on the same interface. Check out "CSCeb03516"

Suggestion by Cisco is to have a GRE tunnel with "ip load-sharing per-packet" on the tunnel and physical interface and crypto map on the physical only..

I still have to try it, but you are right.. it complicates the setup..

So, the problem is not with the routing, but with the switching (cef).. I haven't tried but it's possible that ip load-sharing per-destination might be OK.. the only problem there is uneven load distribution..

Thanks again.
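The GRE workaround described in the reply above, written out as an added example configuration; it is not configuration from the thread, from Cisco, or from the bug note. The interface names, addresses, key strings and EIGRP AS number are placeholders I chose, and it assumes EIGRP neighbors across the tunnel rather than the bare T1.

```cisco
! Router on the active-HSRP side, constructed example with placeholder addressing.
! Serial0/0 is this router's T1; 192.0.2.2 is the far-end serial address.
!
! EIGRP MD5 authentication (addresses the spoofing point raised earlier in the thread).
key chain EIGRP-KEYS
 key 1
  key-string PLACEHOLDER-EIGRP-KEY
!
! ISAKMP / IPsec policy. 3DES and SHA-1 are placeholders that fit 12.2-era routers.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.2
!
crypto ipsec transform-set T1-TS esp-3des esp-sha-hmac
 mode transport
!
! The crypto ACL selects only GRE between the two serial endpoints, so whatever
! is routed into Tunnel0 (EIGRP hellos included) is exactly what gets encrypted.
ip access-list extended GRE-ONLY
 permit gre host 192.0.2.1 host 192.0.2.2
!
crypto map T1-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set T1-TS
 match address GRE-ONLY
!
! Per-packet load sharing on the tunnel AND on the physical interface;
! the crypto map goes on the physical interface only.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip load-sharing per-packet
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 tunnel source Serial0/0
 tunnel destination 192.0.2.2
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip load-sharing per-packet
 crypto map T1-MAP
!
! EIGRP now neighbors over Tunnel0; 172.16.0.0/16 stands in for the local LAN.
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 172.16.0.0 0.0.255.255
```

The backup-HSRP router gets the mirror of this with its own tunnel and peer; once both pairs carry tunnels, "show ip route" for a far-side prefix should list both tunnel next hops, which is the check that equal-cost paths survived the change.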

My mistake. I interpreted your problem to be a problem with routing packets through the IPSec tunnels rather than a failure of packets which are unrelated to the IPSec traffic. On the other hand, you have verified your maps to ensure that only traffic which should go through the IPSec tunnels is detected as IPSec traffic.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com