HA for IPSec VPN using IP SLA

Network Topology:

High availability for an IPSec VPN can also be provided with IP SLA object tracking. Here, the remote-site router R4 first attempts to set up an IPSec tunnel with router R1 at the central site. When the path to R1 becomes unreachable, R4 deletes the IPSec SA for R1 and negotiates an IPSec tunnel over the backup path via R2.

All traffic from the network behind R4 to the network behind R3, and vice versa, is encrypted by IPSec.

Dynamic crypto-map configuration on R1 & R2

crypto isakmp policy 10
 encryption des
 authentication pre-share
 hash md5
 group 2
!
crypto isakmp key 0 MY_K3Y address 0.0.0.0
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto dynamic-map DM 10
 set transform-set TS
 match address Traffic_to_remote
 reverse-route
!
ip access-list extended Traffic_to_remote
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map STATIC 10 ipsec-isakmp dynamic DM
!
interface Serial 0/0
 crypto map STATIC
!

Static crypto-map configuration on R4

crypto isakmp policy 10
 encryption des
 authentication pre-share
 hash md5
 group 2
!
crypto isakmp key 0 MY_K3Y address 10.1.1.1
crypto isakmp key 0 MY_K3Y address 10.1.1.5
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto map PRIMARY 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set TS
 match address Traffic_to_central
!
crypto map BACKUP 10 ipsec-isakmp
 set peer 10.1.1.5
 set transform-set TS
 match address Traffic_to_central
!
ip access-list extended Traffic_to_central
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface serial 0/0
 crypto map PRIMARY
!
interface serial 0/1
 crypto map BACKUP
!

Cisco IOS IP SLA:

Cisco IOS IP SLA is an active network performance measurement and diagnostic tool: it generates probe traffic in a continuous, reliable and predictable manner and sends it across the network to measure performance between multiple network locations or across multiple network paths. The timestamp information carried in the probes is used to calculate performance metrics such as jitter, latency, network and server response times, packet loss, and MOS (Mean Opinion Score) voice-quality scores.

A destination router running Cisco IOS can be configured as an IP SLA Responder, which processes the measurement packets and provides detailed timestamp information.

R1 & R2 IP SLA Responders

R1 router:
ip sla responder
!
R2 router:
ip sla responder
!

IP SLA configuration on R4

ip sla 1
 icmp-echo 10.1.1.1
  timeout 1000
  frequency 3
  threshold 2
!
ip sla schedule 1 life forever start-time now
!
track 10 rtr 1 reachability
!
! Tie the default static route to tracking object 10 and give the floating static route a higher administrative distance (AD)
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1 track 10
!
ip route 0.0.0.0 0.0.0.0 172.16.1.5 254
!

The tracked static route is installed only while the tracking object is Up. Note that reachability tracking treats an over-threshold probe as still reachable and only a timeout brings the track down, which is why the outputs below report "Over threshold" (a 4 ms RTT against a 2 ms threshold) while the track stays Up.
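As an added example (not code from the page), the following Python audit checks the R4 design above end to end: that the default route, the tracking object and the IP SLA operation reference each other and the probe is scheduled, that the probe targets the PRIMARY crypto peer (a dead R1 is what must flip the route), that the IP SLA timers respect the ordering IOS enforces, and that the ISAKMP settings on the page (DES, MD5, DH group 2, or a wildcard pre-shared key) are flagged as weak for a current deployment. The input is a constructed subset of the page's own R4 commands, embedded so the script runs offline.

```python
import re
# Constructed input: the subset of the R4 commands above that the audit needs (next-hop form of ip route).
R4_CONFIG = """\
crypto isakmp policy 10
 encryption des
 hash md5
 group 2
crypto isakmp key 0 MY_K3Y address 10.1.1.1
crypto map PRIMARY 10 ipsec-isakmp
 set peer 10.1.1.1
crypto map BACKUP 10 ipsec-isakmp
 set peer 10.1.1.5
ip sla 1
 icmp-echo 10.1.1.1
  timeout 1000
  frequency 3
  threshold 2
ip sla schedule 1 life forever start-time now
track 10 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 172.16.1.1 track 10
ip route 0.0.0.0 0.0.0.0 172.16.1.5 254
"""

def audit(cfg):
    """Return a list of findings for an IP SLA / tracked-route / crypto-map HA design."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    out = [f"weak ISAKMP setting: {w}" for w in ("encryption des", "hash md5", "group 2") if w in lines]
    if any(l.startswith("crypto isakmp key") and "address 0.0.0.0" in l for l in lines):
        out.append("wildcard pre-shared key: accepted from any peer address")
    peers = [l.split()[-1] for l in lines if l.startswith("set peer")]  # PRIMARY map listed first
    probe = next((l.split()[1] for l in lines if l.startswith("icmp-echo")), None)
    if not peers or probe != peers[0]:  # a dead PRIMARY peer must be what flips the route
        out.append(f"IP SLA probes {probe}, primary crypto peer is {peers[0] if peers else None}")
    tm = {k: int(v) for k, v in (l.split() for l in lines if l.split()[0] in ("timeout", "frequency", "threshold"))}
    if not tm.get("threshold", 0) <= tm.get("timeout", 5000) <= tm.get("frequency", 60) * 1000:
        out.append("IP SLA timers violate threshold <= timeout <= frequency (IOS enforces this order)")
    # Route -> track -> IP SLA chain: every link must exist and the probe must be scheduled.
    slas = {m.group(1) for l in lines if (m := re.match(r"ip sla (\d+)$", l))}
    sched = {m.group(1) for l in lines if (m := re.match(r"ip sla schedule (\d+)", l))}
    tracks = {m.group(1): m.group(2) for l in lines if (m := re.match(r"track (\d+) (?:rtr|ip sla) (\d+)", l))}
    out += [f"track {t} -> IP SLA {s} missing or unscheduled" for t, s in tracks.items() if s not in slas & sched]
    routes = [l.split()[5:] for l in lines if l.startswith("ip route ")]  # tokens after the next hop
    tracked = [r for r in routes if "track" in r]
    out += [f"route tracks object {r[r.index('track') + 1]}, which does not exist"
            for r in tracked if r[r.index("track") + 1] not in tracks]
    def ad(r): return int(r[0]) if r and r[0].isdigit() else 1  # AD directly follows the next hop, default 1
    if any(ad(f) <= ad(t) for f in routes if f not in tracked for t in tracked):
        out.append("floating static route does not have a higher administrative distance than the tracked route")
    return out
```

Run against the page's own R4 settings, the HA chain passes and only the three weak ISAKMP settings are reported; breaking any link (unscheduled probe, wrong track number, floating route left at AD 1) produces a finding.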

IP SLA Statistics and Tracking output

R4# show ip sla statistics
Round Trip Time (RTT) for       Index 1
        Latest RTT: 4 milliseconds
Latest operation start time: *02:13:11.671 UTC Fri Mar 1 2002
Latest operation return code: Over threshold
Number of successes: 486
Number of failures: 0
Operation time to live: Forever
R4# show track
Track 10
  Response Time Reporter 1 reachability
  Reachability is Up
    1 change, last change 00:23:48
  Latest operation return code: Over threshold
  Latest RTT (millisecs) 60
  Tracked by:
    STATIC-IP-ROUTING 0

When traffic is sent from R4's Loopback 0 interface (192.168.2.1) to R1's Loopback 0 (192.168.1.1), R4 negotiates an IPSec tunnel with R1. Because of RRI (reverse route injection), R1 installs a static route for the 192.168.2.0/24 network with the tunnel's remote endpoint, 172.16.1.2, as the next hop. This static route is redistributed into RIP with a metric of 2 using the redistribute static metric 2 command under RIP router configuration mode.

Before Failover: Routing table output

R4# show ip route static
S*   0.0.0.0/0 [1/0] via 172.16.1.1
R1# show ip route static
S    192.168.2.0/24 [1/0] via 172.16.1.2
R2# show ip route static
R2#
R3# show ip route rip
     172.16.0.0/30 is subnetted, 2 subnets
R       172.16.1.4 [120/10] via 10.2.2.2, 00:00:04, FastEthernet0/0
R       172.16.1.0 [120/10] via 10.2.2.1, 00:00:27, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R       10.1.1.0/30 [120/1] via 10.2.2.1, 00:00:27, FastEthernet0/0
R       10.1.1.4/30 [120/1] via 10.2.2.2, 00:00:04, FastEthernet0/0
R    192.168.2.0/24 [120/3] via 10.2.2.1, 00:00:27, FastEthernet0/0

During a continuous ping to the remote end, interface FastEthernet 0/0 (10.2.2.1) is shut down. This causes the track status to go down, so the tracked static route is withdrawn and the floating static route becomes active. Because Serial 0/1 on R4 carries the BACKUP crypto map and the traffic matches its access list, R4 negotiates a backup IPSec tunnel with R2 (10.1.1.5). Once the negotiation succeeds, traffic to the 192.168.1.0 network is sent encrypted through the tunnel via R2.

Ping output on R4

Type escape sequence to abort.
Sending 1500, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!.
*Mar  1 02:33:52.183: %TRACKING-5-STATE: 10 rtr 1 reachability Up->Down..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (298/303), round-trip min/avg/max = 4/108/404 ms

After Failover: Routing table output

R4# show ip route static
S*   0.0.0.0/0 [254/0] via 172.16.1.5
R2# show ip route static
S    192.168.2.0/24 [1/0] via 172.16.1.6
R3# show ip route rip
     172.16.0.0/30 is subnetted, 2 subnets
R       172.16.1.4 [120/10] via 10.2.2.2, 00:00:13, FastEthernet0/0
R       172.16.1.0/30 is possibly down,
          routing via 10.2.2.1, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R       10.1.1.0/30 is possibly down,
          routing via 10.2.2.1, FastEthernet0/0
R       10.1.1.4/30 [120/1] via 10.2.2.2, 00:00:13, FastEthernet0/0
R    192.168.2.0/24 [120/1] via 10.2.2.2, 00:00:13, FastEthernet0/0

ISAKMP output on R4

R4# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1        172.16.1.2      QM_IDLE           1005    0 ACTIVE
10.1.1.5        172.16.1.6      QM_IDLE           1006    0 ACTIVE
IPv6 Crypto ISAKMP SA

As the ping output shows, the switchover cost only a few packets, so this design provides quick failover and high availability (HA) for the IPSec VPN.