1. Overview
It is a common scenario today that a network whether a small or an enterprise network have two IPsec site-to-site VPN tunnels with two different ISP connections for failover vpn purpose. The backup VPN tunnel will be come available when the primary VPN tunnel is down. To achieve this objective, we can use WAN redundancy links with IP SLA tracking to automatically switch over the VPN connection from one ISP to another ISP.
In this article will show how to configure failover site-to-site IPSec VPN on Cisco routers over two ISP links with IP SLA tracking to have failover VPN connections between two remote office locations.
2. Prerequisites
To start this configuration of how to configure failover VPN on Cisco Routers, it is supposes that:
a. You already have Cisco router on GNS3 VM up and running. In case that you don’t, please follow this link. Installing GNS3 VM on VMware Workstation
b. You need to understand about encryption and authentication that happen at phase 1 and phase 2 of IPSec VPN.
In the real word scenario, it is assumed that:
a. You had reached an agreement about configuration information to be implemented on Cisco routers in both locations. The easy way to reach this agreement is to fill in the IPSec VPN form as in this Link. IPSec VPN Site-to-Site Form
b. You have scheduled for a specific date and time to start this implementation and accepted it in both parties.
3. Lab Scenario Set up
To demonstrate how to configure failover VPN on Cisco Routers with IP SLA tracking the availability of WAN redundancy links, we will set up a GNS3 lab as the following diagram.
There are four Cisco routers. RT-VPN01 locates in head office and RT-VPN02 locates in branch office. There are two routers act as two different internet connection for dual WAN redundancy. The following is the IP configuration of each device.
On PC1
PC1> ip 10.10.10.20/24 10.10.10.1 PC1> save
On RT-VPN01
# int f0/0 ip add 10.10.10.1 255.255.255.0 no sh # in f1/0 ip add 100.100.100.1 255.255.255.252 no sh # in f1/1 ip add 200.200.200.1 255.255.255.252 no sh
On Internet router of ISP01
#int f0/0 ip add 100.100.100.2 255.255.255.252 no sh #in f0/1 ip add 101.101.101.2 255.255.255.252 no sh
On Internet router of ISP02
#int f0/0 ip add 200.200.200.2 255.255.255.252 no sh #in f0/1 ip add 201.201.201.2 255.255.255.252 no sh
On RT-VPN02
# int f0/0 ip add 20.20.20.1 255.255.255.0 no sh # in f1/0 ip add 101.101.101.1 255.255.255.252 no sh # in f1/1 ip add 201.201.201.1 255.255.255.252 no sh
On PC2
PC2> ip 20.20.20.30/24 20.20.20.1 PC1> save
4. IPSec VPN Site-to-Site Form
The following is the information that IPSec VPN site-to-site will be used to in the configuration.
Firewall Type | Headquarter | Branch Office |
Manufacturer | Cisco | Cisco |
Model | Router | Router |
Version | 12.4(15)T13 | 12.4(15)T13 |
Configuration | Headquarter | Branch Office | ||
Phase 1 | ||||
IKE Encryption Algorithm | 3DES | 3DES | ||
IKE Hash Algorithm | SHA-1 | SHA-1 | ||
IKE Security Lifetime | 86400 | 86400 | ||
Diffie-Hellman Group | 2 | 2 | ||
Pre-shared key | vpn@HQ2BR | vpn@HQ2BR | ||
Phase 2 | ||||
IPSEC security protocol | ESP | ESP | ||
IPSEC Encryption Algorithm | 3DES | 3DES | ||
IPSEC Hash Algorithm | MD5 | MD5 | ||
IPSEC Security Lifetime (Optional) | □ 14400 □ 28800 (default) □ 86400 □ Other:………. | □ 14400 □ 28800 (default) □ 86400 □ Other: ………. | ||
Perfect Forward Secrecy(PFS) (Optional) | PFS □ No □Yes | Group □ 2(default) □ 5 □ 7 | PFS □ No □ Yes | Group □ 2 (default) □ 5 □ 7 |
IP Addressing | Headquarter | Branch Office |
Peer IP address | 100.100.100.1, primary
200.200.200.1, secondary |
101.101.101.1, primary
201.201.201.1, secondary |
Local IP address | 10.10.10.0/24 | 20.20.20.0/24 |
5. Configuration
5.1 Configure IP SLA Tracking And Default Route
Apply the the following IP SLA tracking and default router configuration on Cisco router with dual wan connection in head office RT-VPN01.
# ip sla 5 icmp-echo 100.100.100.2 source-interface f1/0 timeout 1000 frequency 10 # ip sla schedule 5 life forever start-time now # track 1 rtr 5 reachability # ip route 0.0.0.0 0.0.0.0 100.100.100.2 track 1 # ip route 0.0.0.0 0.0.0.0 200.200.200.2 2
Apply the the following IP SLA tracking and default router configuration on Cisco router with dual wan connection in branch office RT-VPN02.
# ip sla 5 icmp-echo 101.101.101.2 source-interface f1/0 timeout 1000 frequency 10 # ip sla schedule 5 life forever start-time now # track 1 rtr 5 reachability # ip route 0.0.0.0 0.0.0.0 101.101.101.2 track 1 # ip route 0.0.0.0 0.0.0.0 201.201.201.2 2
Now both RT-VPN01 and RT-VPN02 should be able to ping their public IP each other via ISP01 connection.
# sh ip route Gateway of last resort is 100.100.100.2 to network 0.0.0.0 200.200.200.0/30 is subnetted, 1 subnets C 200.200.200.0 is directly connected, FastEthernet1/1 100.0.0.0/30 is subnetted, 1 subnets C 100.100.100.0 is directly connected, FastEthernet1/0 10.0.0.0/24 is subnetted, 1 subnets C 10.10.10.0 is directly connected, FastEthernet0/0 S* 0.0.0.0/0 [1/0] via 100.100.100.2# ping 101.101.101.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 101.101.101.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/44 ms
In case that the connection of ISP01 is unavailable, both FW-VPN01 and FW-VPN02 should be able to ping their public IP each other via ISP02 connection.
# sh ip routeGateway of last resort is 101.101.101.2 to network 0.0.0.0 201.201.201.0/30 is subnetted, 1 subnets C 201.201.201.0 is directly connected, FastEthernet1/1 101.0.0.0/30 is subnetted, 1 subnets C 101.101.101.0 is directly connected, FastEthernet1/0 20.0.0.0/24 is subnetted, 1 subnets C 20.20.20.0 is directly connected, FastEthernet0/0 S* 0.0.0.0/0 [1/0] via 101.101.101.2# ping 100.100.100.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/25/32 ms
5.2 Set Up ISAKMP Policy
Configure IKE to negotiate an security SA (Security Association) relationship with the peer. It will encrypted communication channels between the two VPN endpoints. Apply the following command on both RT-VPN01 and RT-VPN02.
# crypto isakmp policy 1 authentication pre-share encryption 3des hash sha group 2 lifetime 86400
5.3 Create IPSec Transform Set
Next we need to create a transform set to establishes the encryption and authentication for IPSec tunnel. Apply the follow configuration on RT-VPN01 to create a transform set name “HQ-TS01-3DES-MD5””.
# crypto ipsec transform-set HQ-TS01-3DES-MD5 esp-3des esp-md5-hmac
Apply the follow configuration on RT-VPN02 to create a transform set name “BR-TS01-3DES-MD5”.
# crypto ipsec transform-set BR-TS01-3DES-MD5 esp-3des esp-md5-hmac
5.4 Create ACL For VPN Tunnel
It is time to create an ACL now to match the traffic for IPSec VPN tunnel. Based on the form above, the following is the ACL to be created on RT-VPN01.
# ip access-list extended ACL-HQ2BR permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
The following is the ACL to be created on RT-VPN02.
# ip access-list extended ACL-BR2HQ permit ip 20.20.20.0 0.0.0.2 10.10.10.0 0.0.0.255
5.5 Create VPN Tunnel Group
Now create a tunnel group for IPSec VPN site-to-site connection. Pre-shred key authentication is to be configured here. Apply the following tunnel group configuration on RT-VPN01.
# crypto isakmp key 0 vpn@HQ2BR address 101.101.101.1 # crypto isakmp key 0 vpn@HQ2BR address 201.201.201.1
Apply the following tunnel group configuration on RT-VPN02.
# crypto isakmp key 0 vpn@HQ2BR address 100.100.100.1 # crypto isakmp key 0 vpn@HQ2BR address 200.200.200.1
5.6 Configure and Apply Crypto Map
The final step is to configure the crypto map to combine IPsec transform set, access list, and tunnel group configured in the previous steps for that specific VPN peer and apply it to the interface “fa1/0” and “fa1/1” of each Cisco router.
The following are the commands to be executed on RT-VPN01.
# crypto map HQ-VPN01 1 ipsec-isakmp set peer 101.101.101.1 set transform-set HQ-TS01-3DES-MD5 match address ACL-HQ2BR # int f1/0 crypto map HQ-VPN01 # crypto map HQ-VPN02 1 ipsec-isakmp set peer 201.201.201.1 set transform-set HQ-TS01-3DES-MD5 match address ACL-HQ2BR # int f1/1 crypto map HQ-VPN02
The following are the commands to be executed on RT-VPN02.
# crypto map BR-VPN01 1 ipsec-isakmp set peer 100.100.100.1 set transform-set BR-TS01-3DES-MD5 match address ACL-BR2HQ # int f1/0 crypto map BR-VPN01 # crypto map BR-VPN02 1 ipsec-isakmp set peer 200.200.200.1 set transform-set BR-TS01-3DES-MD5 match address ACL-BR2HQ # int f1/1 crypto map BR-VPN02
5.7 Test and Verify the Configuration
To bring up the IPSec VPN site-to-site tunnel, we need to ping the IP address of the host in the remote site. Let test to ping from PC1 in head office to PC2 in branch office.
PC1> ping 20.20.20.30 20.20.20.30 icmp_seq=1 timeout 20.20.20.30 icmp_seq=2 timeout 20.20.20.30 icmp_seq=3 timeout 84 bytes from 20.20.20.30 icmp_seq=4 ttl=62 time=53.202 ms 84 bytes from 20.20.20.30 icmp_seq=5 ttl=62 time=44.163 ms
As we are successful to ping IP of host on the remote site, the IPSec VPN tunnel should be up and running now. We can verify it with the following command on FW-VPN01.
# sh crypto session detail Crypto session current status Code: C - IKE Configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication F - IKE Fragmentation Interface: FastEthernet1/0 Uptime: 00:00:57 Session status: UP-ACTIVE Peer: 101.101.101.1 port 500 fvrf: (none) ivrf: (none) Phase1_id: 101.101.101.1 Desc: (none) IKE SA: local 100.100.100.1/500 remote 101.101.101.1/500 Active Capabilities:(none) connid:1001 lifetime:23:50:48 IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0 Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4604448/3542 Outbound: #pkts enc'ed 4 drop 16 life (KB/Sec) 4604448/3542 Interface: FastEthernet1/1 Session status: DOWN Peer: 201.201.201.1 port 500 fvrf: (none) ivrf: (none) Desc: (none) Phase1_id: (none) IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0 Active SAs: 0, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0 Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
And with the following command on RT-VPN02.
# sh crypto session detail
We can test disconnect the ISP01 and we still can ping to the local IP of branch office.
PC1> ping 20.20.20.30 20.20.20.30 icmp_seq=1 timeout 20.20.20.30 icmp_seq=2 timeout 20.20.20.30 icmp_seq=3 timeout 84 bytes from 20.20.20.30 icmp_seq=4 ttl=62 time=39.976 ms 84 bytes from 20.20.20.30 icmp_seq=5 ttl=62 time=39.225 ms# sh crypto session detail
6. Conclusion
Now you should be able to configure failover VPN on Cisco Routers with dual WAN connection and IP SLA on Cisco Routers. It is recommended that you try it by your own self using GNS3 MV to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.