Configuring High Availability Site-to-Site IPSec VPN Using HSRP Between Cisco Routers and ASA Firewall

1. Overview

To achieve high availability for the site-to-site IPSec VPN between the head office and the remote branch offices, we combine the Hot Standby Router Protocol (HSRP) with IPSec. The VPN devices at the remote branch offices peer with the HSRP virtual IP address in the head office, so if the active HSRP router fails, the standby HSRP router takes over the site-to-site IPSec VPN connection.

This document describes how to configure a high availability site-to-site IPSec VPN between Cisco routers in the head office and a Cisco ASA firewall in the branch office using the Hot Standby Router Protocol (HSRP).

2. Prerequisites

In this tutorial, it is assumed that:

a. You already have Cisco ASAv on GNS3 VM up and running. If you don't, please follow this link: Configuring Cisco ASAv QCOW2 with GNS3 VM

b. You understand the encryption and authentication that happen in phase 1 and phase 2 of an IPSec VPN.

c. You already understand and know how to configure the Hot Standby Router Protocol (HSRP) on Cisco routers. Please refer to this link: Configuring HSRP on Cisco Routers

3. Lab Scenario Set up

The following GNS3 lab network diagram will be used to demonstrate configuring a high availability site-to-site IPSec VPN with HSRP between Cisco routers and a Cisco ASA firewall running software version 9.x.

[Network diagram: Configuring High Availability Site-to-Site IPSec VPN Between Cisco Routers and ASA Firewall]

Cisco routers with host names HQ-R01, HQ-R02, and HQ-R03 are located in the head office, and the Cisco ASA firewall appliance with host name BR-F01 is located in a remote branch office. The connection between the HSRP routers in the head office and the Cisco ASA firewall in the remote branch office goes through a DPLC link provided by an ISP. The IPSec VPN tunnel is established with the HSRP virtual IP address on the active router HQ-R02, and as soon as the active HSRP router HQ-R02 fails, the virtual IP and the IPSec VPN tunnel automatically move to the standby HSRP router HQ-R03. The following is the IP configuration of each device.

On PC1

PC1> ip 10.10.10.10/24 10.10.10.1
PC1> save

On HQ-R01

# int fa0/0
     ip add 10.10.10.1 255.255.255.0
     no sh
# int f1/0
     ip add 10.0.0.1 255.255.255.252
     no sh
# int f1/1 
     ip add 10.0.0.5 255.255.255.252
     no sh

On HQ-R02

# int fa0/0
      ip add 10.0.0.2 255.255.255.252
      no sh
# int f0/1
     ip add 10.1.1.1 255.255.255.0
     no sh

On HQ-R03

# int fa0/0
      ip add 10.0.0.6 255.255.255.252
      no sh
# int f0/1
      ip add 10.1.1.2 255.255.255.0
      no sh

On BR-F01

# int g0/0
     no sh
     ip add 10.1.1.4 255.255.255.0
     security-level 0
     nameif outside
# int g0/1
     no sh
     ip add 20.20.20.1 255.255.255.0
     security-level 100
     nameif inside
 
# policy-map global_policy
     class inspection_default
        inspect icmp
        inspect icmp error

On PC2

PC2> ip 20.20.20.10/24 20.20.20.1
PC2> save

4. IPSec VPN Site-to-Site Form

The following is the information that will be used in the IPSec VPN site-to-site configuration.

Firewall Type        Head Office        Branch Office
Manufacturer         Cisco              Cisco
Model                Router             ASA 5555-X
Version              12.4(15)T13        9.4

Configuration                          Head Office                              Branch Office
Phase 1
  IKE Encryption Algorithm             3DES                                     3DES
  IKE Hash Algorithm                   SHA-1                                    SHA-1
  IKE Security Lifetime                86400                                    86400
  Diffie-Hellman Group                 2                                        2
  Pre-shared key                       vpn@Ho2Bo                                vpn@Ho2Bo
Phase 2
  IPSEC security protocol              ESP                                      ESP
  IPSEC Encryption Algorithm           3DES                                     3DES
  IPSEC Hash Algorithm                 MD5                                      MD5
  IPSEC Security Lifetime (Optional)   14400 / 28800 (default) / 86400 / Other  14400 / 28800 (default) / 86400 / Other
  Perfect Forward Secrecy (Optional)   PFS No / Yes, Group 2 (default), 5 or 7  PFS No / Yes, Group 2 (default), 5 or 7

IP Addressing        Head Office        Branch Office
Peer IP address      10.1.1.3           10.1.1.4
Local IP address     10.10.10.0/24      20.20.20.0/24

5. Configuration

5.1. Configuring HSRP Protocol

We will set up HSRP on the Cisco routers HQ-R02 and HQ-R03 in the head office, using HQ-R02 as the active router. The virtual IP 10.1.1.3 will be used as the peer IP address of the IPSec VPN from the branch firewall BR-F01. If HQ-R02 fails for any reason, HQ-R03 automatically becomes the active router holding the peer IP address, with less than one minute of downtime.

On HQ-R02

# int fa0/1
     standby 10 ip 10.1.1.3
     standby 10 priority 110
     standby 10 preempt

On HQ-R03

# int fa0/1
     standby 10 ip 10.1.1.3
     standby 10 priority 90

Now let's execute the following command to verify the HSRP configuration. Below is the output on HQ-R02, the active router; the standby shown at 10.1.1.2 is HQ-R03.

# sh standby bri
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/1       10   110 P Active  local           10.1.1.2        10.1.1.3

We can ping the virtual IP of HSRP group 10 and should get a successful result like the following.

# ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

5.2. Configure OSPF and Static Routing

Apply the following routing configuration.

On HQ-R01

# router ospf 1
      net 10.0.0.0 0.0.0.3 area 0
      net 10.0.0.4 0.0.0.3 area 0
      net 10.10.10.0 0.0.0.255 area 0

# int f1/0
     ip ospf cost 1
# int f1/1 
     ip ospf cost 10

On HQ-R02

# router ospf 1
      redistribute static subnets
      net 10.1.1.0 0.0.0.255 area 0
      net 10.0.0.0 0.0.0.3 area 0

# int f0/0
  ip ospf cost 1

# ip route 20.20.20.0 255.255.255.0 10.1.1.4

On HQ-R03

# router ospf 1
      redistribute static subnets
      net 10.1.1.0 0.0.0.255 area 0
      net 10.0.0.4 0.0.0.3 area 0

# int f0/0
  ip ospf cost 10

# ip route 20.20.20.0 255.255.255.0 10.1.1.4

On BR-F01

# route outside 10.10.10.0 255.255.255.0 10.1.1.3

If we check the routing table on HQ-R01, we should see the following result.

# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

20.0.0.0/24 is subnetted, 1 subnets
O E2 20.20.20.0 [110/20] via 10.0.0.2, 00:01:13, FastEthernet1/0
 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
O 10.1.1.0/24 [110/2] via 10.0.0.2, 00:04:22, FastEthernet1/0
C 10.0.0.0/30 is directly connected, FastEthernet1/0
C 10.0.0.4/30 is directly connected, FastEthernet1/1

5.3 Set Up ISAKMP Policy

Configure IKE to negotiate a Security Association (SA) with the peer; this establishes the encrypted communication channel between the two VPN endpoints. Apply the following commands.

On HQ-R02 and on HQ-R03

# crypto isakmp policy 1
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400

On BR-F01

# crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400

 

5.4 Create IPSec Transform Set

Next we need to create a transform set that establishes the encryption and authentication for the IPSec tunnel. Apply the following configuration on HQ-R02 and HQ-R03 to create a transform set named “HQ-TRSET01-3DES-MD5”.

# crypto ipsec transform-set HQ-TRSET01-3DES-MD5 esp-3des esp-md5-hmac

Apply the following configuration on BR-F01 to create a transform set named “BR-TRSET01-3DES-MD5”.

# crypto ipsec ikev1 transform-set BR-TRSET01-3DES-MD5 esp-3des esp-md5-hmac
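Both ends must agree on every phase 1 and phase 2 parameter from the form in section 4, or IKE negotiation fails. As an added check that is not part of this page, the following Python script parses the IOS and ASA commands from sections 5.3 and 5.4, reports any parameter that differs between HQ and BR, and flags the legacy algorithm choices this lab uses (3DES, MD5, SHA-1, DH group 2); the LEGACY table is this example's own choice.

```python
"""Compare the IKE phase 1 policy and IPsec transform set on both sides of
the tunnel and flag legacy algorithms. Added example, not part of the page;
the config text is copied from the page, the LEGACY table is our own."""
import re

IOS_CFG = """crypto isakmp policy 1
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
crypto ipsec transform-set HQ-TRSET01-3DES-MD5 esp-3des esp-md5-hmac"""
ASA_CFG = """crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
crypto ipsec ikev1 transform-set BR-TRSET01-3DES-MD5 esp-3des esp-md5-hmac"""

# Algorithm values current guidance treats as legacy (DES/3DES, MD5/SHA-1, DH 1/2/5).
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"},
          "esp_enc": {"esp-des", "esp-3des"}, "esp_auth": {"esp-md5-hmac", "esp-sha-hmac"}}

def parse_phase1(cfg):
    """Collect the parameters of the isakmp (IOS) / ikev1 (ASA) policy block."""
    params, in_block = {}, False
    for s in (line.strip() for line in cfg.splitlines()):
        if re.match(r"crypto (isakmp|ikev1) policy \d+", s):
            in_block = True
        elif s.startswith("crypto "):   # next top-level command ends the block
            in_block = False
        elif in_block and s:
            key, _, val = s.partition(" ")
            params[key] = val
    return params

def parse_transform_set(cfg):
    """Return the ESP encryption and authentication transforms of the transform set."""
    m = re.search(r"crypto ipsec (?:ikev1 )?transform-set \S+ (\S+) (\S+)", cfg)
    return {"esp_enc": m.group(1), "esp_auth": m.group(2)}

def compare(ios_cfg, asa_cfg):
    """Return (mismatched parameter names, sorted legacy 'param=value' choices)."""
    hq = {**parse_phase1(ios_cfg), **parse_transform_set(ios_cfg)}
    br = {**parse_phase1(asa_cfg), **parse_transform_set(asa_cfg)}
    mismatches = [k for k in hq if hq[k] != br.get(k)]
    legacy = sorted({f"{k}={v}" for side in (hq, br)
                     for k, v in side.items() if v in LEGACY.get(k, ())})
    return mismatches, legacy
```

With the page's configuration, compare(IOS_CFG, ASA_CFG) reports no mismatches but lists every algorithm in the lab as legacy; changing one side's hash to md5 makes "hash" appear in the mismatch list.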

5.5 Create ACL For VPN Tunnel

To match the traffic for the IPSec VPN tunnel, an ACL must be created.

Create the following ACL on both HQ-R02 and HQ-R03.

# ip access-list extended ACL-HQ2BR
      permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

Create the following object groups and ACL on BR-F01.

# object-group network HQ-Network
      network-object 10.10.10.0 255.255.255.0
# object-group network BR-Network
      network-object 20.20.20.0 255.255.255.0
# access-list ACL-BR2HQ extended permit ip object-group BR-Network object-group HQ-Network

5.6 Create VPN Tunnel Group

Create a tunnel group for the IPSec VPN site-to-site connection. Pre-shared key authentication is configured here.

On HQ-R02 and HQ-R03

# crypto isakmp key vpn@Ho2Bo address 10.1.1.4

On BR-F01

# tunnel-group 10.1.1.3 type ipsec-l2l
# tunnel-group 10.1.1.3 ipsec-attributes
      ikev1 pre-shared-key vpn@Ho2Bo

5.7 Configure and Apply Crypto Map

Now we come to the final step: configure the crypto map to combine the IPsec transform set, access list, and tunnel group configured in the previous steps for that specific VPN peer, and apply it to the interface connected to the internet.

The following are the commands to be executed.

On HQ-R02 and HQ-R03

# crypto map HQ-VPN 1 ipsec-isakmp
     set peer 10.1.1.4
     set transform-set HQ-TRSET01-3DES-MD5
     match address ACL-HQ2BR
     reverse-route
# int fa0/1
     standby 10 name HA-VPN
     crypto map HQ-VPN redundancy HA-VPN

The “reverse-route” command turns on the RRI (Reverse Route Injection) feature to support the high availability site-to-site IPSec VPN. This section is the most important part of configuring high availability site-to-site IPSec VPN: it makes HSRP work with IPSec VPN so the tunnel can switch over from one router to the other. We need to name the HSRP group and attach that name to the IPSec VPN crypto map. In our case we created the HSRP group name “HA-VPN” and attached it to the IPSec VPN crypto map named “HQ-VPN”.

On BR-F01

# crypto map BR-VPN 1 match address ACL-BR2HQ 
# crypto map BR-VPN 1 set peer 10.1.1.3 
# crypto map BR-VPN 1 set ikev1 transform-set BR-TRSET01-3DES-MD5 
# crypto map BR-VPN interface outside 
# crypto ikev1 enable outside

5.8 Test and Verify the Configuration

To bring up the IPSec VPN site-to-site tunnel, we need to ping the IP address of a host in the remote site. Let's test by pinging from PC1 in the head office to PC2 in the remote branch office.

PC1> ping 20.20.20.10
20.20.20.10 icmp_seq=1 timeout
20.20.20.10 icmp_seq=2 timeout
20.20.20.10 icmp_seq=3 timeout
84 bytes from 20.20.20.10 icmp_seq=4 ttl=61 time=28.563 ms
84 bytes from 20.20.20.10 icmp_seq=5 ttl=61 time=24.307 ms

 

Since we can successfully ping the IP of the host on the remote site, the IPSec VPN tunnel should be up and running now. We can verify it with the following commands on the following devices.

On HQ-R02

# sh crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.1.4 port 500
 IKE SA: local 10.1.1.3/500 remote 10.1.1.4/500 Active
 IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
 Active SAs: 2, origin: crypto map

On HQ-R03

# sh crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: DOWN
Peer: 10.1.1.4 port 500
 IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
 Active SAs: 0, origin: crypto map

On BR-F01

# sh vpn-sessiondb detail l2l filter ipaddress 10.1.1.3
Session Type: LAN-to-LAN Detailed

Connection : 10.1.1.3
Index : 1 IP Addr : 10.1.1.3
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)3DES IPsec: (1)3DES
Hashing : IKEv1: (1)SHA1 IPsec: (1)MD5
Bytes Tx : 252 Bytes Rx : 336
Login Time : 16:46:40 UTC Thu Jun 7 2018
Duration : 0h:03m:56s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
 Tunnel ID : 1.1
 UDP Src Port : 500 UDP Dst Port : 500
 IKE Neg Mode : Main Auth Mode : preSharedKeys
 Encryption : 3DES Hashing : SHA1
 Rekey Int (T): 86400 Seconds Rekey Left(T): 86164 Seconds
 D/H Group : 2
 Filter Name :

IPsec:
 Tunnel ID : 1.2
 Local Addr : 20.20.20.0/255.255.255.0/0/0
 Remote Addr : 10.10.10.0/255.255.255.0/0/0
 Encryption : 3DES Hashing : MD5
 Encapsulation: Tunnel
 Rekey Int (T): 3600 Seconds Rekey Left(T): 3364 Seconds
 Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
 Idle Time Out: 30 Minutes Idle TO Left : 26 Minutes
 Bytes Tx : 252 Bytes Rx : 336
 Pkts Tx : 3 Pkts Rx : 4

Now let's test the case where the active HSRP router, HQ-R02, goes down. When HQ-R02 is down, if we check the routing table on HQ-R01 we should see the following result.

# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

20.0.0.0/24 is subnetted, 1 subnets
O E2 20.20.20.0 [110/20] via 10.0.0.6, 00:00:00, FastEthernet1/1
 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
O 10.1.1.0/24 [110/11] via 10.0.0.6, 00:00:00, FastEthernet1/1
C 10.0.0.0/30 is directly connected, FastEthernet1/0
C 10.0.0.4/30 is directly connected, FastEthernet1/1

If we ping from PC1 in the head office to PC2 in the remote branch office, we still get a successful result.

PC1> ping 20.20.20.10
20.20.20.10 icmp_seq=1 timeout
20.20.20.10 icmp_seq=2 timeout
20.20.20.10 icmp_seq=3 timeout
84 bytes from 20.20.20.10 icmp_seq=4 ttl=61 time=39.525 ms
84 bytes from 20.20.20.10 icmp_seq=5 ttl=61 time=41.950 ms

Now let's verify the VPN connection status on the following devices.

On HQ-R03, as we can see, the VPN session becomes active on HQ-R03 when HQ-R02 is unreachable.

# sh crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.1.4 port 500
 IKE SA: local 10.1.1.3/500 remote 10.1.1.4/500 Active
 IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
 Active SAs: 2, origin: crypto map

On BR-F01, the VPN connection status in the remote branch office firewall is still up and the peer IP address is still the virtual IP address 10.1.1.3 even though the active HSRP router failed.

# sh vpn-sessiondb detail l2l filter ipaddress 10.1.1.3

Session Type: LAN-to-LAN Detailed

Connection : 10.1.1.3
Index : 2 IP Addr : 10.1.1.3
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)3DES IPsec: (1)3DES
Hashing : IKEv1: (1)SHA1 IPsec: (1)MD5
Bytes Tx : 252 Bytes Rx : 336
Login Time : 16:56:04 UTC Thu Jun 7 2018
Duration : 0h:04m:32s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
 Tunnel ID : 2.1
 UDP Src Port : 500 UDP Dst Port : 500
 IKE Neg Mode : Main Auth Mode : preSharedKeys
 Encryption : 3DES Hashing : SHA1
 Rekey Int (T): 86400 Seconds Rekey Left(T): 86129 Seconds
 D/H Group : 2
 Filter Name :

IPsec:
 Tunnel ID : 2.2
 Local Addr : 20.20.20.0/255.255.255.0/0/0
 Remote Addr : 10.10.10.0/255.255.255.0/0/0
 Encryption : 3DES Hashing : MD5
 Encapsulation: Tunnel
 Rekey Int (T): 3600 Seconds Rekey Left(T): 3329 Seconds
 Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
 Idle Time Out: 30 Minutes Idle TO Left : 25 Minutes
 Bytes Tx : 252 Bytes Rx : 336
 Pkts Tx : 3 Pkts Rx : 4
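To automate the verification done in this section before and after the failover (HQ-R02 active first, HQ-R03 active once HQ-R02 is down), here is an added Python example that is not from the page: it parses the “sh crypto session” outputs shown above and determines which single router currently owns the tunnel on the virtual IP 10.1.1.3 with the expected IPsec flow. VIRTUAL_IP, EXPECTED_FLOW and the sample dictionaries are this example's assumptions; the sample text is the page's own output with the “Crypto session current status” header trimmed.

```python
"""Parse 'show crypto session' output from HQ-R02 and HQ-R03 and check that
exactly one router holds the UP-ACTIVE session on the HSRP virtual IP.
Added example, not part of the page; samples are the page's own outputs."""
import re

VIRTUAL_IP = "10.1.1.3"                                   # HSRP group 10 virtual IP
EXPECTED_FLOW = ("10.10.10.0/255.255.255.0", "20.20.20.0/255.255.255.0")

UP_ACTIVE = """Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.1.4 port 500
 IKE SA: local 10.1.1.3/500 remote 10.1.1.4/500 Active
 IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
 Active SAs: 2, origin: crypto map"""
DOWN = """Interface: FastEthernet0/1
Session status: DOWN
Peer: 10.1.1.4 port 500
 IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
 Active SAs: 0, origin: crypto map"""

BEFORE_FAILOVER = {"HQ-R02": UP_ACTIVE, "HQ-R03": DOWN}
AFTER_FAILOVER = {"HQ-R03": UP_ACTIVE}      # HQ-R02 is down and returns no output

def parse_session(text):
    """Extract session status, local IKE address, IPsec flow and active SA count."""
    ike = re.search(r"IKE SA: local (\S+)/\d+ remote \S+/\d+ Active", text)
    flow = re.search(r"IPSEC FLOW: permit ip (\S+) (\S+)", text)
    return {
        "status": re.search(r"Session status: (\S+)", text).group(1),
        "local": ike.group(1) if ike else None,
        "flow": flow.groups() if flow else None,
        "sas": int(re.search(r"Active SAs: (\d+)", text).group(1)),
    }

def tunnel_owner(outputs):
    """Return the one router that owns the tunnel, or None when zero or several
    routers claim it (no tunnel, or both routers active at once)."""
    owners = []
    for name, text in outputs.items():
        s = parse_session(text)
        if (s["status"] == "UP-ACTIVE" and s["local"] == VIRTUAL_IP
                and s["flow"] == EXPECTED_FLOW and s["sas"] > 0):
            owners.append(name)
    return owners[0] if len(owners) == 1 else None
```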

 

6. Conclusion

Now you should be able to configure a high availability IPSec VPN site-to-site using HSRP between Cisco routers and a Cisco ASA firewall appliance with software version 9.x. It would be great if you could practice with GNS3 VM to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will do my best to review and reply to them.