1. Overview
To provide high availability for a site-to-site IPSec VPN between the head office and remote branch offices, we combine Hot Standby Router Protocol (HSRP) with IPSec. VPN devices at the remote branch offices peer with the HSRP virtual IP address in the head office, so if the active HSRP router fails, the standby HSRP router takes over the site-to-site IPSec VPN connection.
This article describes how to configure a high availability site-to-site IPSec VPN between Cisco routers in the head office and a Cisco router at a branch office using Hot Standby Router Protocol (HSRP).
2. Prerequisites
In this tutorial, it is assumed that:
a. You already have a Cisco router on the GNS3 VM up and running. If you don't, please follow this link: Installing GNS3 VM on VMware Workstation
b. You understand the encryption and authentication that happen in phase 1 and phase 2 of an IPSec VPN.
c. You already understand and know how to configure Hot Standby Router Protocol (HSRP) on a Cisco router. Please refer to this link: Configuring HSRP on Cisco Routers
3. Lab Scenario Set up
The following GNS3 lab network diagram is used to demonstrate configuring a high availability site-to-site IPSec VPN with HSRP between Cisco routers in the head office and the remote branch office.
The Cisco routers with host names HQ-R01, HQ-R02, and HQ-R03 are located in the head office, and another Cisco router with host name BR-R01 is located in a remote branch office. The connection between the HSRP routers in the head office and the Cisco router in the remote branch office goes through a DPLC link provided by an ISP. The IPSec VPN tunnel is established with the HSRP virtual IP address on the active router HQ-R02; as soon as the active HSRP router HQ-R02 fails, the virtual IP and the IPSec VPN tunnel automatically move to the standby HSRP router HQ-R03. The following is the IP configuration of each device.
On PC1
PC1> ip 10.10.10.10/24 10.10.10.1
PC1> save
On HQ-R01
# int fa0/0
  ip add 10.10.10.1 255.255.255.0
  no sh
# int f1/0
  ip add 10.0.0.1 255.255.255.252
  no sh
# int f1/1
  ip add 10.0.0.5 255.255.255.252
  no sh
On HQ-R02
# int fa0/0
  ip add 10.0.0.2 255.255.255.252
  no sh
# int f0/1
  ip add 10.1.1.1 255.255.255.0
  no sh
On HQ-R03
# int fa0/0
  ip add 10.0.0.6 255.255.255.252
  no sh
# int f0/1
  ip add 10.1.1.2 255.255.255.0
  no sh
On BR-R01
# int fa0/0
  ip add 10.1.1.4 255.255.255.0
  no sh
# int fa0/1
  ip add 20.20.20.1 255.255.255.0
  no sh
On PC2
PC2> ip 20.20.20.10/24 20.20.20.1
PC2> save
4. IPSec VPN Site-to-Site Form
The following form lists the IPSec VPN site-to-site parameters that will be used in the configuration.
Firewall Type | Head Office | Branch Office
Manufacturer | Cisco | Cisco
Model | Router | Router
Version | 12.4(15)T13 | 12.4(15)T13
Configuration | Head Office | Branch Office
Phase 1 | |
IKE Encryption Algorithm | 3DES | 3DES
IKE Hash Algorithm | SHA-1 | SHA-1
IKE Security Lifetime | 86400 | 86400
Diffie-Hellman Group | 2 | 2
Pre-shared key | vpn@Ho2Bo | vpn@Ho2Bo
Phase 2 | |
IPSEC security protocol | ESP | ESP
IPSEC Encryption Algorithm | 3DES | 3DES
IPSEC Hash Algorithm | MD5 | MD5
IPSEC Security Lifetime (Optional) | □ 14400 □ 28800 (default) □ 86400 □ Other: ………. | □ 14400 □ 28800 (default) □ 86400 □ Other: ……….
Perfect Forward Secrecy (PFS) (Optional) | PFS: □ No □ Yes; Group: □ 2 (default) □ 5 □ 7 | PFS: □ No □ Yes; Group: □ 2 (default) □ 5 □ 7
IP Addressing | Head Office | Branch Office
Peer IP address | 10.1.1.3 | 10.1.1.4
Local IP address | 10.10.10.0/24 | 20.20.20.0/24
5. Configuration
5.1. Configuring HSRP Protocol
We will set up HSRP on the Cisco routers HQ-R02 and HQ-R03 in the head office, using HQ-R02 as the active router. The virtual IP 10.1.1.3 will be used as the IPSec VPN peer IP address from the branch router BR-R01. If HQ-R02 fails for some reason, HQ-R03 automatically becomes the owner of the peer IP address with less than one minute of downtime.
On HQ-R02
# int fa0/1
  standby 10 ip 10.1.1.3
  standby 10 priority 110
  standby 10 preempt
On HQ-R03
# int fa0/1
  standby 10 ip 10.1.1.3
  standby 10 priority 90
Now let's execute the following command to verify the HSRP configuration; below is the output on HQ-R02.
# sh standby bri
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/1       10   110 P Active  local           10.1.1.2        10.1.1.3
We can ping the virtual IP of HSRP group 10 and should get a successful result like the following.
# ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
5.2. Configure OSPF and Static Routing
Apply the following routing protocol configuration.
On HQ-R01
# router ospf 1
  net 10.0.0.0 0.0.0.3 area 0
  net 10.0.0.4 0.0.0.3 area 0
  net 10.10.10.0 0.0.0.255 area 0
# int f1/0
  ip ospf cost 1
# int f1/1
  ip ospf cost 10
On HQ-R02
# router ospf 1
  redistribute static subnets
  net 10.1.1.0 0.0.0.255 area 0
  net 10.0.0.0 0.0.0.3 area 0
# int f0/0
  ip ospf cost 1
# ip route 20.20.20.0 255.255.255.0 10.1.1.4
On HQ-R03
# router ospf 1
  redistribute static subnets
  net 10.1.1.0 0.0.0.255 area 0
  net 10.0.0.4 0.0.0.3 area 0
# int f0/0
  ip ospf cost 10
# ip route 20.20.20.0 255.255.255.0 10.1.1.4
On BR-R01
# ip route 10.10.10.0 255.255.255.0 10.1.1.3
If we check the routing table on HQ-R01, we should see the following result.
# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
O E2    20.20.20.0 [110/20] via 10.0.0.2, 00:01:13, FastEthernet1/0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
O       10.1.1.0/24 [110/2] via 10.0.0.2, 00:04:22, FastEthernet1/0
C       10.0.0.0/30 is directly connected, FastEthernet1/0
C       10.0.0.4/30 is directly connected, FastEthernet1/1
5.3 Set Up ISAKMP Policy
Configure IKE to negotiate a Security Association (SA) with the peer. This establishes the encrypted control channel between the two VPN endpoints (phase 1). Apply the following commands.
On HQ-R02, HQ-R03 and on BR-R01
# crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
5.4 Create IPSec Transform Set
Next we need to create a transform set that establishes the encryption and authentication for the IPSec tunnel (phase 2). Apply the following configuration on HQ-R02 and HQ-R03 to create a transform set named “HQ-TRSET01-3DES-MD5”.
# crypto ipsec transform-set HQ-TRSET01-3DES-MD5 esp-3des esp-md5-hmac
Apply the following configuration on BR-R01 to create a transform set named “BR-TRSET01-3DES-MD5”.
# crypto ipsec transform-set BR-TRSET01-3DES-MD5 esp-3des esp-md5-hmac
5.5 Create ACL For VPN Tunnel
To match the traffic for the IPSec VPN tunnel, an ACL must be created.
Create the following ACL on both HQ-R02 and HQ-R03.
# ip access-list extended ACL-HQ2BR
  permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Create the following ACL on BR-R01.
# ip access-list extended ACL-BR2HQ
  permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
5.6 Create VPN Tunnel Group
Create a tunnel group for the IPSec VPN site-to-site connection. Pre-shared key authentication is configured here.
On HQ-R02 and HQ-R03
# crypto isakmp key vpn@Ho2Bo address 10.1.1.4
On BR-R01
# crypto isakmp key vpn@Ho2Bo address 10.1.1.3
5.7 Configure and Apply Crypto Map
Now we come to the final step: configure the crypto map that combines the IPsec transform set, access list, and tunnel group configured in the previous steps for that specific VPN peer, and apply it to the interface connected to the internet.
The following are the commands to be executed.
On HQ-R02 and HQ-R03
# crypto map HQ-VPN 1 ipsec-isakmp
  set peer 10.1.1.4
  set transform-set HQ-TRSET01-3DES-MD5
  match address ACL-HQ2BR
  reverse-route
# int fa0/1
  standby 10 name HA-VPN
  crypto map HQ-VPN redundancy HA-VPN
The “reverse-route” command turns on the Reverse Route Injection (RRI) feature to support high availability site-to-site IPSec VPN. This section is the most important part of configuring a high availability site-to-site IPSec VPN: it makes HSRP work together with IPSec VPN so the tunnel can switch over from one router to the other. We need to give the HSRP group a name and attach that name to the IPSec VPN crypto map. In our case we named the HSRP group “HA-VPN” and attached it to the IPSec VPN crypto map “HQ-VPN” with the redundancy keyword.
On BR-R01
# crypto map BR-VPN 1 ipsec-isakmp
  set peer 10.1.1.3
  set transform-set BR-TRSET01-3DES-MD5
  match address ACL-BR2HQ
# int fa0/0
  crypto map BR-VPN
5.8 Test and Verify the Configuration
To bring up the IPSec VPN site-to-site tunnel, we need to ping the IP address of a host in the remote site. Let's ping from PC1 in the head office to PC2 in the remote branch office.
PC1> ping 20.20.20.10
20.20.20.10 icmp_seq=1 timeout
20.20.20.10 icmp_seq=2 timeout
20.20.20.10 icmp_seq=3 timeout
84 bytes from 20.20.20.10 icmp_seq=4 ttl=61 time=28.563 ms
84 bytes from 20.20.20.10 icmp_seq=5 ttl=61 time=24.307 ms
The first echoes time out while IKE and IPSec negotiate; once the ping to the remote host succeeds, the IPSec VPN tunnel should be up and running. We can verify it with the following command on the following devices.
On HQ-R02
# sh crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.1.4 port 500
  IKE SA: local 10.1.1.3/500 remote 10.1.1.4/500 Active
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
        Active SAs: 2, origin: crypto map
On HQ-R03
# sh crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: DOWN
Peer: 10.1.1.4 port 500
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
        Active SAs: 0, origin: crypto map
On BR-R01
# sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 10.1.1.3 port 500
  IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 Active
  IPSEC FLOW: permit ip 20.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map
Now let's test the case in which the active HSRP router, HQ-R02, goes down. When HQ-R02 is down, if we check the routing table on HQ-R01 we should see the following result.
# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
O E2    20.20.20.0 [110/20] via 10.0.0.6, 00:00:00, FastEthernet1/1
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
O       10.1.1.0/24 [110/11] via 10.0.0.6, 00:00:00, FastEthernet1/1
C       10.0.0.0/30 is directly connected, FastEthernet1/0
C       10.0.0.4/30 is directly connected, FastEthernet1/1
If we ping from PC1 in the head office to PC2 in the remote branch office, we still get a successful result.
PC1> ping 20.20.20.10
20.20.20.10 icmp_seq=1 timeout
20.20.20.10 icmp_seq=2 timeout
20.20.20.10 icmp_seq=3 timeout
84 bytes from 20.20.20.10 icmp_seq=4 ttl=61 time=39.525 ms
84 bytes from 20.20.20.10 icmp_seq=5 ttl=41.950 ms
Now let's verify the VPN connection status on the following devices.
On HQ-R03, we can see that the VPN session has become active on HQ-R03 now that HQ-R02 is unreachable.
# sh crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.1.4 port 500
  IKE SA: local 10.1.1.3/500 remote 10.1.1.4/500 Active
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
        Active SAs: 2, origin: crypto map
On BR-R01, the VPN connection status on the remote branch office firewall is still up, and the peer IP address is still the virtual IP address 10.1.1.3, even though the active HSRP router failed.
# sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 10.1.1.3 port 500
  IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 Active
  IPSEC FLOW: permit ip 20.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map
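The verification above checks two things by eye: which head office router currently owns the HSRP virtual IP, and which one holds the UP-ACTIVE IPSec session to the branch peer. After a failover (or a failback once HQ-R02 returns, since it is configured to preempt) the two must agree, otherwise traffic is routed to a router that has no SAs. The following Python script is an added example, not part of the original article: it parses "show standby brief" and "show crypto session" output in the format shown above and reports whether the HSRP owner and the VPN session owner match. The HQ-R02 standby row and the crypto session outputs mirror the article's samples; the HQ-R03 standby rows before and after the failure are constructed, and the helper names (parse_standby_brief, parse_crypto_session, failover_state) are the example's own.

```python
import re

# Constructed sample outputs in the format of the tutorial's "show standby brief"
# and "show crypto session" output. The HQ-R02 standby row mirrors the tutorial;
# the HQ-R03 rows (Standby before the failure, Active after it) are assumed.
STANDBY_HEADER = (
    "                     P indicates configured to preempt.\n"
    "                     |\n"
    "Interface   Grp  Pri P State   Active          Standby         Virtual IP\n"
)
STANDBY_R02_BEFORE = STANDBY_HEADER + "Fa0/1       10   110 P Active  local           10.1.1.2        10.1.1.3\n"
STANDBY_R03_BEFORE = STANDBY_HEADER + "Fa0/1       10   90    Standby 10.1.1.1        local           10.1.1.3\n"
STANDBY_R03_AFTER = STANDBY_HEADER + "Fa0/1       10   90    Active  local           unknown         10.1.1.3\n"


def crypto_session_sample(status, ike_line, active_sas):
    """Build a 'show crypto session' sample for the HQ side of the tunnel (constructed)."""
    body = ["Crypto session current status", "", "Interface: FastEthernet0/1",
            f"Session status: {status}", "Peer: 10.1.1.4 port 500"]
    if ike_line:
        body.append("  " + ike_line)
    body += ["  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0",
             f"        Active SAs: {active_sas}, origin: crypto map"]
    return "\n".join(body) + "\n"


CRYPTO_UP = crypto_session_sample("UP-ACTIVE", "IKE SA: local 10.1.1.3/500 remote 10.1.1.4/500 Active", 2)
CRYPTO_DOWN = crypto_session_sample("DOWN", None, 0)

# One HSRP group row: interface, group, priority, optional "P", state, active, standby, VIP.
STANDBY_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<grp>\d+)\s+(?P<pri>\d+)\s+(?P<p>P)?\s+(?P<state>\S+)\s+"
    r"(?P<active>\S+)\s+(?P<standby>\S+)\s+(?P<vip>\S+)\s*$")


def parse_standby_brief(text):
    """Return one dict per HSRP group row in 'show standby brief' output."""
    rows = []
    for line in text.splitlines():
        m = STANDBY_ROW.match(line)
        if m:  # header and legend lines do not match (group must be numeric)
            rows.append({"interface": m["iface"], "group": int(m["grp"]),
                         "priority": int(m["pri"]), "preempt": m["p"] is not None,
                         "state": m["state"], "active": m["active"],
                         "standby": m["standby"], "vip": m["vip"]})
    return rows


def parse_crypto_session(text):
    """Return one dict per 'Interface:' block in 'show crypto session' output."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "status": None,
                   "peer": None, "ike_sa": None, "flows": [], "active_sas": 0}
            sessions.append(cur)
        elif cur is None:
            continue  # banner lines before the first Interface: block
        elif line.startswith("Session status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            cur["peer"] = line.split()[1]
        elif line.startswith("IKE SA:"):  # absent when the session is DOWN
            m = re.match(r"IKE SA: local (\S+)/\d+ remote (\S+)/\d+ (\S+)", line)
            cur["ike_sa"] = {"local": m[1], "remote": m[2], "state": m[3]}
        elif line.startswith("IPSEC FLOW:"):
            m = re.match(r"IPSEC FLOW: (permit|deny) (\S+) (\S+) (\S+)", line)
            cur["flows"].append({"action": m[1], "proto": m[2], "src": m[3], "dst": m[4]})
        elif line.startswith("Active SAs:"):
            cur["active_sas"] += int(line.split()[2].rstrip(","))
    return sessions


def failover_state(routers, vip, peer):
    """routers maps router name -> (standby_text, crypto_text); an unreachable
    router is given (None, None). Reports who owns the VIP and who holds the
    UP-ACTIVE session to the branch peer sourced from the VIP, and whether they agree."""
    hsrp_active, vpn_active = [], []
    for name, (standby_text, crypto_text) in routers.items():
        if standby_text is None or crypto_text is None:
            continue
        for row in parse_standby_brief(standby_text):
            if row["vip"] == vip and row["state"] == "Active":
                hsrp_active.append(name)
        for s in parse_crypto_session(crypto_text):
            if (s["status"] == "UP-ACTIVE" and s["peer"] == peer and s["ike_sa"]
                    and s["ike_sa"]["local"] == vip and s["active_sas"] > 0):
                vpn_active.append(name)
    return {"hsrp_active": hsrp_active, "vpn_active": vpn_active,
            "consistent": len(hsrp_active) == 1 and hsrp_active == vpn_active}


BEFORE = {"HQ-R02": (STANDBY_R02_BEFORE, CRYPTO_UP), "HQ-R03": (STANDBY_R03_BEFORE, CRYPTO_DOWN)}
AFTER = {"HQ-R02": (None, None), "HQ-R03": (STANDBY_R03_AFTER, CRYPTO_UP)}

if __name__ == "__main__":
    for label, routers in (("before failover", BEFORE), ("after HQ-R02 failure", AFTER)):
        print(label, failover_state(routers, vip="10.1.1.3", peer="10.1.1.4"))
```

Feed the two outputs collected from each HQ router (over SSH, or pasted from the console) into failover_state; a result with consistent set to False, for example the VIP on one router and the UP-ACTIVE session on the other, is the condition to alarm on, because it means the "redundancy HA-VPN" binding between the HSRP group and the crypto map is not in effect on the router that took over.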
6. Conclusion
Now you should be able to configure a high availability site-to-site IPSec VPN using HSRP between Cisco routers in the head office and a remote branch office. It would be great if you could practice with the GNS3 VM to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will try my best to review and reply to them.