Configuring Failover Site-to-site VPN on Cisco Routers

1. Overview

It is a common scenario today that a network, whether a small one or an enterprise network, has two IPsec site-to-site VPN tunnels over two different ISP connections for VPN failover. The backup VPN tunnel becomes available when the primary VPN tunnel is down. To achieve this, we can use redundant WAN links with IP SLA tracking to switch the VPN connection automatically from one ISP to the other.

This article shows how to configure a failover site-to-site IPsec VPN on Cisco routers over two ISP links, using IP SLA tracking to provide redundant VPN connections between two remote office locations.

2. Prerequisites

Before starting this configuration of failover VPN on Cisco routers, it is assumed that:

a. You already have a Cisco router up and running in the GNS3 VM. If you don't, please follow this link: Installing GNS3 VM on VMware Workstation

b. You understand the encryption and authentication that take place in phase 1 and phase 2 of an IPsec VPN.

In a real-world scenario, it is assumed that:

a. You have reached an agreement on the configuration information to be implemented on the Cisco routers in both locations. The easiest way to reach this agreement is to fill in the IPsec VPN form at this link: IPSec VPN Site-to-Site Form
b. You have scheduled a specific date and time to start the implementation, and both parties have accepted it.

3. Lab Scenario Set up

To demonstrate how to configure failover VPN on Cisco routers, with IP SLA tracking the availability of the redundant WAN links, we will set up a GNS3 lab as shown in the following diagram.

(Diagram: Configure Failover Site-to-site VPN on Cisco Routers)

There are four Cisco routers. RT-VPN01 is located in the head office and RT-VPN02 in the branch office. The other two routers act as two different Internet connections for dual WAN redundancy. The following is the IP configuration of each device.

On PC1

PC1> ip 10.10.10.20/24 10.10.10.1
PC1> save

On RT-VPN01

# int f0/0 
    ip add 10.10.10.1 255.255.255.0 
    no sh 
# in f1/0
    ip add 100.100.100.1 255.255.255.252
    no sh 
# in f1/1
    ip add 200.200.200.1 255.255.255.252
    no sh

On Internet router of ISP01

#int f0/0
   ip add 100.100.100.2 255.255.255.252
   no sh
#in f0/1
   ip add 101.101.101.2 255.255.255.252
   no sh

On Internet router of ISP02

#int f0/0
    ip add 200.200.200.2 255.255.255.252 
    no sh 
#in f0/1
    ip add 201.201.201.2 255.255.255.252
    no sh 

On RT-VPN02

# int f0/0 
    ip add 20.20.20.1 255.255.255.0 
    no sh 
# in f1/0
    ip add 101.101.101.1 255.255.255.252
    no sh 
# in f1/1
    ip add 201.201.201.1 255.255.255.252
    no sh

On PC2

PC2> ip 20.20.20.30/24 20.20.20.1
PC2> save

4. IPSec VPN Site-to-Site Form

The following is the IPsec site-to-site VPN information that will be used in the configuration.

Firewall Type | Headquarter | Branch Office
Manufacturer  | Cisco       | Cisco
Model         | Router      | Router
Version       | 12.4(15)T13 | 12.4(15)T13


Configuration                             | Headquarter | Branch Office
Phase 1
IKE Encryption Algorithm                  | 3DES        | 3DES
IKE Hash Algorithm                        | SHA-1       | SHA-1
IKE Security Lifetime                     | 86400       | 86400
Diffie-Hellman Group                      | 2           | 2
Pre-shared key                            | vpn@HQ2BR   | vpn@HQ2BR
Phase 2
IPSec security protocol                   | ESP         | ESP
IPSec Encryption Algorithm                | 3DES        | 3DES
IPSec Hash Algorithm                      | MD5         | MD5
IPSec Security Lifetime (Optional)        | □ 14400 □ 28800 (default) □ 86400 □ Other: ………. | □ 14400 □ 28800 (default) □ 86400 □ Other: ……….
Perfect Forward Secrecy (PFS) (Optional)  | PFS □ No □ Yes, Group □ 2 (default) □ 5 □ 7 | PFS □ No □ Yes, Group □ 2 (default) □ 5 □ 7


IP Addressing     | Headquarter              | Branch Office
Peer IP address   | 100.100.100.1, primary   | 101.101.101.1, primary
                  | 200.200.200.1, secondary | 201.201.201.1, secondary
Local IP address  | 10.10.10.0/24            | 20.20.20.0/24


5. Configuration

5.1 Configure IP SLA Tracking And Default Route

Apply the following IP SLA tracking and default route configuration on the head office router RT-VPN01, which has the dual WAN connection. The primary default route is installed only while track 1 reports the ISP01 next hop as reachable; the floating static route with administrative distance 2 takes over when it does not.

# ip sla 5
     icmp-echo 100.100.100.2 source-interface f1/0
     timeout 1000
     frequency 10
# ip sla schedule 5 life forever start-time now
# track 1 rtr 5 reachability

# ip route 0.0.0.0 0.0.0.0 100.100.100.2 track 1
# ip route 0.0.0.0 0.0.0.0 200.200.200.2 2

Apply the following IP SLA tracking and default route configuration on the branch office router RT-VPN02, which also has a dual WAN connection.

# ip sla 5
     icmp-echo 101.101.101.2 source-interface f1/0
     timeout 1000
     frequency 10
# ip sla schedule 5 life forever start-time now
# track 1 rtr 5 reachability

# ip route 0.0.0.0 0.0.0.0 101.101.101.2 track 1
# ip route 0.0.0.0 0.0.0.0 201.201.201.2 2

Now RT-VPN01 and RT-VPN02 should be able to ping each other's public IP via the ISP01 connection.

# sh ip route

Gateway of last resort is 100.100.100.2 to network 0.0.0.0

200.200.200.0/30 is subnetted, 1 subnets
C 200.200.200.0 is directly connected, FastEthernet1/1
 100.0.0.0/30 is subnetted, 1 subnets
C 100.100.100.0 is directly connected, FastEthernet1/0
 10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 100.100.100.2
# ping 101.101.101.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.101.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/44 ms

If the ISP01 connection becomes unavailable, RT-VPN01 and RT-VPN02 should still be able to ping each other's public IP via the ISP02 connection. The following output is taken from RT-VPN02.

# sh ip route
Gateway of last resort is 101.101.101.2 to network 0.0.0.0

201.201.201.0/30 is subnetted, 1 subnets
C 201.201.201.0 is directly connected, FastEthernet1/1
 101.0.0.0/30 is subnetted, 1 subnets
C 101.101.101.0 is directly connected, FastEthernet1/0
 20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 101.101.101.2
# ping 100.100.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/25/32 ms

5.2 Set Up ISAKMP Policy

Configure IKE to negotiate a Security Association (SA) with the peer. This establishes the encrypted control channel between the two VPN endpoints. Apply the following commands on both RT-VPN01 and RT-VPN02.

# crypto isakmp policy 1
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400

5.3 Create IPSec Transform Set

Next we need to create a transform set, which defines the encryption and authentication algorithms for the IPsec tunnel. Apply the following configuration on RT-VPN01 to create a transform set named “HQ-TS01-3DES-MD5”.

# crypto ipsec transform-set HQ-TS01-3DES-MD5 esp-3des esp-md5-hmac

Apply the following configuration on RT-VPN02 to create a transform set named “BR-TS01-3DES-MD5”.

# crypto ipsec transform-set BR-TS01-3DES-MD5 esp-3des esp-md5-hmac

5.4 Create ACL For VPN Tunnel

Now create an ACL to match the traffic for the IPsec VPN tunnel. Based on the form above, the following ACL is created on RT-VPN01.

# ip access-list extended ACL-HQ2BR
    permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

The following ACL is created on RT-VPN02. It must be the mirror image of the head office ACL, with source and destination swapped.

# ip access-list extended ACL-BR2HQ
    permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

5.5 Create VPN Tunnel Group

Now create a tunnel group for the IPsec site-to-site VPN connection. Pre-shared key authentication is configured here, with one key entry per peer address so that the key is accepted over either ISP. Apply the following tunnel group configuration on RT-VPN01.

# crypto isakmp key 0 vpn@HQ2BR address 101.101.101.1
# crypto isakmp key 0 vpn@HQ2BR address 201.201.201.1

Apply the following tunnel group configuration on RT-VPN02.

# crypto isakmp key 0 vpn@HQ2BR address 100.100.100.1
# crypto isakmp key 0 vpn@HQ2BR address 200.200.200.1

5.6 Configure and Apply Crypto Map

The final step is to configure the crypto map, which combines the IPsec transform set, access list and tunnel group configured in the previous steps for a specific VPN peer, and to apply it to interfaces fa1/0 and fa1/1 of each Cisco router.
The following are the commands to be executed on RT-VPN01.

# crypto map HQ-VPN01 1 ipsec-isakmp
    set peer 101.101.101.1
    set transform-set HQ-TS01-3DES-MD5
    match address ACL-HQ2BR
# int f1/0 
   crypto map HQ-VPN01

# crypto map HQ-VPN02 1 ipsec-isakmp
   set peer 201.201.201.1
   set transform-set HQ-TS01-3DES-MD5
   match address ACL-HQ2BR
# int f1/1
    crypto map HQ-VPN02

The following are the commands to be executed on RT-VPN02.

# crypto map BR-VPN01 1 ipsec-isakmp
   set peer 100.100.100.1
   set transform-set BR-TS01-3DES-MD5
   match address ACL-BR2HQ
# int f1/0
    crypto map BR-VPN01 

# crypto map BR-VPN02 1 ipsec-isakmp
   set peer 200.200.200.1
   set transform-set BR-TS01-3DES-MD5
   match address ACL-BR2HQ
# int f1/1
    crypto map BR-VPN02

5.7 Test and Verify the Configuration

To bring up the IPsec site-to-site VPN tunnel, we need to send traffic that matches the crypto ACL, so we ping the IP address of a host in the remote site. Let us test by pinging from PC1 in the head office to PC2 in the branch office.

PC1> ping 20.20.20.30
20.20.20.30 icmp_seq=1 timeout
20.20.20.30 icmp_seq=2 timeout
20.20.20.30 icmp_seq=3 timeout
84 bytes from 20.20.20.30 icmp_seq=4 ttl=62 time=53.202 ms
84 bytes from 20.20.20.30 icmp_seq=5 ttl=62 time=44.163 ms

The first replies time out while IKE and IPsec negotiate the tunnel. As the ping to the host on the remote site then succeeds, the IPsec VPN tunnel should be up and running. We can verify it with the following command on RT-VPN01.

# sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: FastEthernet1/0
Uptime: 00:00:57
Session status: UP-ACTIVE
Peer: 101.101.101.1 port 500 fvrf: (none) ivrf: (none)
 Phase1_id: 101.101.101.1
 Desc: (none)
 IKE SA: local 100.100.100.1/500 remote 101.101.101.1/500 Active
 Capabilities:(none) connid:1001 lifetime:23:50:48
 IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
 Active SAs: 2, origin: crypto map
 Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4604448/3542
 Outbound: #pkts enc'ed 4 drop 16 life (KB/Sec) 4604448/3542

Interface: FastEthernet1/1
Session status: DOWN
Peer: 201.201.201.1 port 500 fvrf: (none) ivrf: (none)
 Desc: (none)
 Phase1_id: (none)
 IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
 Active SAs: 0, origin: crypto map
 Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
 Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

And with the following command on RT-VPN02.

# sh crypto session detail

We can test the failover by disconnecting ISP01; we should still be able to ping the local IP of the branch office.

PC1> ping 20.20.20.30
20.20.20.30 icmp_seq=1 timeout
20.20.20.30 icmp_seq=2 timeout
20.20.20.30 icmp_seq=3 timeout
84 bytes from 20.20.20.30 icmp_seq=4 ttl=62 time=39.976 ms
84 bytes from 20.20.20.30 icmp_seq=5 ttl=62 time=39.225 ms
# sh crypto session detail

6. Conclusion

Now you should be able to configure failover VPN on Cisco routers with a dual WAN connection and IP SLA tracking. It is recommended that you try it yourself using the GNS3 VM to verify your understanding. If you have any questions or suggestions, you can always leave your comments below. I will try my best to review and reply to them.
