07-30-2010 04:30 PM - edited 02-21-2020 04:46 PM
I would like to encrypt traffic between a central hub and remote sites. Each location has redundant routers where we use VRRP for redundancy.
Here's the config:
   Hub Site
   +------------------------+    +------------------------+
   | ASR 1002               |    | ASR 1002               |
   | hostname: router100a   |    | hostname: router100b   |
   | interface Gi0/0/0      |    | interface Gi0/0/0      |
   |  ip address 10.0.0.1/24|    |  ip address 10.0.0.2/24|
   |  vrrp ip 10.0.0.254/24 |    |  vrrp ip 10.0.0.254/24 |
   +-----------+------------+    +-----------+------------+
               |                             |
+--------------+-----------------------------+
|
|  Site #1
+--------------+-----------------------------+
|              |                             |
|  +-----------+------------+    +-----------+------------+
|  | Cisco 3845             |    | Cisco 3845             |
|  | hostname: router101a   |    | hostname: router101b   |
|  | interface Gi0/0/0      |    | interface Gi0/0/0      |
|  |  ip address 10.0.1.1/24|    |  ip address 10.0.1.2/24|
|  |  vrrp ip 10.0.1.254/24 |    |  vrrp ip 10.0.1.254/24 |
|  +------------------------+    +------------------------+
|
|  Site #2
+--------------+-----------------------------+
|              |                             |
|  +-----------+------------+    +-----------+------------+
|  | Cisco 3845             |    | Cisco 3845             |
|  | hostname: router102a   |    | hostname: router102b   |
|  | interface Gi0/0/0      |    | interface Gi0/0/0      |
|  |  ip address 10.0.2.1/24|    |  ip address 10.0.2.2/24|
|  |  vrrp ip 10.0.2.254/24 |    |  vrrp ip 10.0.2.254/24 |
|  +------------------------+    +------------------------+
|
|  Site #3
+--------------+-----------------------------+
               |                             |
   +-----------+------------+    +-----------+------------+
   | Cisco 3845             |    | Cisco 3845             |
   | hostname: router103a   |    | hostname: router103b   |
   | interface Gi0/0/0      |    | interface Gi0/0/0      |
   |  ip address 10.0.3.1/24|    |  ip address 10.0.3.2/24|
   |  vrrp ip 10.0.3.254/24 |    |  vrrp ip 10.0.3.254/24 |
   +------------------------+    +------------------------+
As I looked into implementing IPsec VPNs on the ASR 1002 units at the hub, it appears that I need to create a logical interface for each remote site since only one "crypto map" statement is allowed per interface. Is this the case?
Currently we have VRRP configured on the physical interface. If logical interfaces are required at the hub, do we need to configure VRRP on each logical interface as well?
Some other questions:
Thanks!
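Added example, not from the thread: a hub-side crypto map for router100a covering two of the sites. It relies on the fact that one crypto map name can hold several entries distinguished by sequence number, one per remote site, so a single "crypto map" line on the physical interface covers all sites and no per-site logical interface is needed. The pre-shared key, map, transform-set and ACL names are placeholders I chose, and the traffic selectors assume the link subnets are the networks to protect.

```cisco
! Added example (not from the thread). Hub router100a; the pre-shared key,
! ACL names and crypto map name are placeholders chosen for illustration.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! One IKE key per possible remote peer (both 3845s at each site)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 10.0.1.1
crypto isakmp key REPLACE-WITH-STRONG-PSK address 10.0.1.2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 10.0.2.1
crypto isakmp key REPLACE-WITH-STRONG-PSK address 10.0.2.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic selectors: hub subnet to each site subnet (substitute the LAN
! subnets behind the routers if those differ from the link subnets)
ip access-list extended CRYPTO-SITE1
 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended CRYPTO-SITE2
 permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
!
! One crypto map name, several sequence entries: each entry is one site.
! Two "set peer" lines give IKE a fallback to the site's second router.
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 10.0.1.1
 set peer 10.0.1.2
 set transform-set TS-AES
 set pfs group14
 match address CRYPTO-SITE1
crypto map HUB-MAP 20 ipsec-isakmp
 set peer 10.0.2.1
 set peer 10.0.2.2
 set transform-set TS-AES
 set pfs group14
 match address CRYPTO-SITE2
!
! The single map is applied once to the physical interface; VRRP stays
! where it already is and no per-site logical interface is required.
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
 vrrp 1 ip 10.0.0.254
 crypto map HUB-MAP
```

A plain crypto map uses the interface's own address as the IKE endpoint, so the spokes list 10.0.0.1 and 10.0.0.2 as peers rather than the VRRP address, and a hub failover re-establishes the IKE and IPsec SAs on the surviving router instead of preserving them.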
07-30-2010 05:32 PM
I have no answer to your questions, but I want to be on this mailing list, as I have a similar project coming up, so I can also see what the experts comment on it.
Manish
07-30-2010 05:33 PM
Are you doing this over the Internet or over an MPLS network?
If you're going to do it over the Internet, DMVPN with getVPN is the way to go since all of your equipment is Cisco.
If you're going to do it over an MPLS network, then getVPN is good enough.
07-31-2010 06:37 PM
cciesec2011 wrote:
Are you doing this over the Internet or over an MPLS network?
If you're going to do it over the Internet, DMVPN with getVPN is the way to go since all of your equipment is Cisco.
If you're going to do it over an MPLS network, then getVPN is good enough.
My particular case is a campus network where we have run single-mode fiber between buildings.
So no Internet, no MPLS, just simple old-fashioned static routes on a private network.
I was not aware of DMVPN so I will look at this. On the other hand, I was hoping to just define static routes and avoid the use of EIGRP or OSPF.
Thanks.
P.S. My ASCII network layout looks awful although I thought I had specified a fixed-width font. Anyone who is interested should just paste the diagram into an ASCII editor to see it better.
08-01-2010 05:25 AM
If it's an internal network, you can use GETVPN to set up IPsec between the branches. This will use native routing (for your case, static routes).
The deployment guide is given below:
Please check the supported platforms for Key server (the device that pushes IPsec policies to members) and Group members (the devices actually taking part in the encryption domain), as I believe Key server is not supported on an ASR.
08-02-2010 08:58 AM
rahgovin wrote:
Please check the supported platforms for Key server (the device that pushes IPsec policies to members) and Group members (the devices actually taking part in the encryption domain), as I believe Key server is not supported on an ASR.
Thanks for suggesting GETVPN. There is a lot to like about it but, as you noted, the ASR 1000 series isn't a supported key server. I don't have any other devices at the hub to take on this role. Would it make sense to buy a pair of cheap 870s and configure them as cooperative (redundant) key servers? In this case, could the GETVPN be configured to route everything through the much more powerful ASR 1002s, leaving the 870s to do nothing but rekey and hand out policies?
I thought that maybe the 3845s at the "spoke" end-points could be key servers, but a key server can't be a group member. I don't understand why a key server can't be a group member as well.
08-02-2010 09:07 AM
Yes, you can have other routers doing the actual key server role; as you rightly pointed out, they only have to hand out policies and rekey. The only thing is they have to support key server functionality. The ASR can be used as the group member.
And I believe right now they don't have the functionality for key server and group member in the same IOS, but I believe it might turn up soon on newer code. But just to let you know, it is on the roadmap.
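Added example, not from the thread: the group-member side of the GETVPN design discussed above, as it would look on router100a with the key-server role on a separate device (as suggested for the 870s). The key server address 10.0.0.10, the pre-shared key and the group and map names are placeholders I chose; the key-server configuration itself is not shown.

```cisco
! Added example (not from the thread). router100a as a GETVPN group
! member; the key server address 10.0.0.10 and the key/group/map names
! are placeholders for whatever device takes the key-server role.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! IKE is only used to register with the key server, not per remote site
crypto isakmp key REPLACE-WITH-STRONG-PSK address 10.0.0.10
!
! The group member registers with the key server and receives the
! encryption policy (traffic selectors, transform set, keys) from it.
crypto gdoi group CAMPUS-GETVPN
 identity number 100
 server address ipv4 10.0.0.10
!
! A GDOI crypto map has no per-site entries, no "set peer" and no ACL;
! the policy comes from the key server and is shared by all members.
crypto map GM-MAP 10 gdoi
 set group CAMPUS-GETVPN
!
! Applied once to the physical interface; VRRP and the static routes are
! untouched because GETVPN preserves the original IP header.
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
 vrrp 1 ip 10.0.0.254
 crypto map GM-MAP
```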