Configuring High Availability Site-to-Site IPSec VPN Using VRRP With Huawei Routers

1. Overview


To make a site-to-site IPSec VPN between the head office and remote branch offices highly available, we combine the Virtual Router Redundancy Protocol (VRRP) with IPSec. The VPN devices at the remote branch offices peer with the VRRP virtual IP address in the head office, so if the active VRRP router fails, the standby VRRP router takes over the site-to-site IPSec VPN connection.

This article describes how to configure a high availability site-to-site IPSec VPN between Huawei routers in the head office and a Huawei router at a branch office using the Virtual Router Redundancy Protocol (VRRP).

2. Prerequisites


In this tutorial, it is assumed that:

a. You already have a Huawei router on eNSP up and running. If you don't, please follow this link: Huawei Network Device Simulation With eNSP
b. You understand the encryption and authentication that happen in phase 1 and phase 2 of an IPSec VPN.
c. You already understand and know how to configure the Virtual Router Redundancy Protocol (VRRP) on Huawei routers. Please refer to this link: Configuring VRRP on Huawei Routers

3. Lab Scenario Set up


The following eNSP lab network diagram is used to demonstrate configuring a high availability site-to-site IPSec VPN with VRRP between the Huawei routers in the head office and the remote branch office.

The Huawei routers with host names HQ-R01, HQ-R02 and HQ-R03 are located in the head office, and another Huawei router with host name BR-R01 is located in a remote branch office. The connection between the VRRP routers in the head office and the Huawei router in the remote branch office goes through a DPLC link provided by an ISP. The IPSec VPN tunnel is established with the VRRP virtual IP address on the active router HQ-R02; as soon as the active VRRP router HQ-R02 fails, the virtual IP and the IPSec VPN tunnel automatically move to the standby VRRP router HQ-R03. The following is the IP configuration of each device.

On PC1

  • IP Address: 10.10.10.10/24
  • Gateway: 10.10.10.1

On HQ-R01

# int g0/0/2
     ip add 10.10.10.1 24
# int g0/0/0
     ip add 10.0.0.1 24
# int g0/0/1 
     ip add 10.0.0.5 24

On HQ-R02

# int g0/0/0
      ip add 10.0.0.2 24
# int g0/0/1
     ip add 10.1.1.1 24

On HQ-R03

# int g0/0/0
      ip add 10.0.0.6 24
# int g0/0/1
      ip add 10.1.1.2 24

On BR-R01

# int g0/0/0
      ip add 10.1.1.4 24
# int g0/0/1
      ip add 20.20.20.1 24

On PC2

  • IP Address: 20.20.20.10/24
  • Gateway: 20.20.20.1

4. IPSec VPN Site-to-Site Form


The following is the information that will be used in the site-to-site IPSec VPN configuration.

Firewall Type    Head Office    Branch Office
Manufacturer     Huawei         Huawei
Model            Router         Router
Version          V200R003C00    V200R003C00

Configuration                               Head Office                                       Branch Office
Phase 1
IKE Encryption Algorithm                    3DES                                              3DES
IKE Hash Algorithm                          SHA-1                                             SHA-1
IKE Security Lifetime                       86400                                             86400
Diffie-Hellman Group                        2                                                 2
Pre-shared key                              vpn@Ho2Bo                                         vpn@Ho2Bo
Phase 2
IPSec security protocol                     ESP                                               ESP
IPSec Encryption Algorithm                  3DES                                              3DES
IPSec Hash Algorithm                        MD5                                               MD5
IPSec Security Lifetime (Optional)          □ 14400 □ 28800 (default) □ 86400 □ Other: ……….  □ 14400 □ 28800 (default) □ 86400 □ Other: ……….
Perfect Forward Secrecy (PFS) (Optional)    PFS □ No □ Yes  Group □ 2 (default) □ 5 □ 7       PFS □ No □ Yes  Group □ 2 (default) □ 5 □ 7

IP Addressing        Head Office       Branch Office
Peer IP address      10.1.1.3          10.1.1.4
Local IP address     10.10.10.0/24     20.20.20.0/24

5. Configuration

5.1. Configuring VRRP Protocol


We will set up VRRP on the Huawei routers HQ-R02 and HQ-R03 in the head office, using HQ-R02 as the active router. The virtual IP 10.1.1.3 will be used as the peer IP address of the IPSec VPN from the branch router BR-R01. If HQ-R02 fails for some reason, HQ-R03 automatically takes over the peer IP address with less than one minute of downtime.

On HQ-R02

] int g0/0/1
      ip address 10.1.1.1 24
      vrrp vrid 10 virtual-ip 10.1.1.3
      vrrp vrid 10 priority 120
      vrrp vrid 10 preempt-mode timer delay 20

On HQ-R03

] int g0/0/1
      ip address 10.1.1.2 24
      vrrp vrid 10 virtual-ip 10.1.1.3
      vrrp vrid 10 priority 90

Now let's execute the following command to verify the VRRP configuration; below is the output on HQ-R02.

] dis vrrp bri
Total:1 Master:1 Backup:0 Non-active:0 
VRID State Interface Type Virtual IP 
----------------------------------------------------------------
10 Master GE0/0/1 Normal 10.1.1.3

We can test by pinging the virtual IP of VRRP group 10, and we should get a successful result like the following.

] ping 10.1.1.3
 PING 10.1.1.3: 56 data bytes, press CTRL_C to break
 Reply from 10.1.1.3: bytes=56 Sequence=1 ttl=255 time=60 ms
 Reply from 10.1.1.3: bytes=56 Sequence=2 ttl=255 time=50 ms
 Reply from 10.1.1.3: bytes=56 Sequence=3 ttl=255 time=40 ms
 Reply from 10.1.1.3: bytes=56 Sequence=4 ttl=255 time=40 ms
 Reply from 10.1.1.3: bytes=56 Sequence=5 ttl=255 time=60 ms

--- 10.1.1.3 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 40/50/60 ms

5.2. Configure OSPF and Static Routing


Apply the following routing protocol configuration.

On HQ-R01

] ospf 10 
     area 0
          net 10.0.0.0 0.0.0.3 
          net 10.0.0.4 0.0.0.3 
          net 10.10.10.0 0.0.0.255 

] int g0/0/0
     ospf cost 1
] int g0/0/1 
     ospf cost 10

On HQ-R02

] ospf 10 
     import-route static
     area 0 
        net 10.0.0.0 0.0.0.3 
        net 10.1.1.0 0.0.0.255 

] int g0/0/0
      ospf cost 1

] ip route-static 20.20.20.0 255.255.255.0 10.1.1.4

On HQ-R03

] ospf 10 
      import-route static
      area 0 
        net 10.0.0.4 0.0.0.3 
        net 10.1.1.0 0.0.0.255

] int g0/0/0
     ospf cost 10

] ip route-static 20.20.20.0 255.255.255.0 10.1.1.4

On BR-R01

] ip route-static 10.10.10.0 255.255.255.0 10.1.1.3

If we check the routing table on HQ-R01, we should see the following result.

] dis ip routing-table | e Direct
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
 Destinations : 16 Routes : 16

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 OSPF 10 2 D 10.0.0.2 GigabitEthernet0/0/0
10.1.1.3/32 OSPF 10 2 D 10.0.0.2 GigabitEthernet0/0/0
20.20.20.0/24 O_ASE 150 1 D 10.0.0.2 GigabitEthernet0/0/0

5.3 Set Up ISAKMP Policy


Configure IKE to negotiate a Security Association (SA) with the peer; this establishes the encrypted communication channel between the two VPN endpoints. Apply the following commands.

On HQ-R02, HQ-R03 and on BR-R01

] ike proposal 1
     authentication-algorithm sha1
     encryption-algorithm 3des-cbc
     dh group2
     sa duration 86400

5.4 Create IPSec Transform Set


Next we need to create a transform set that establishes the encryption and authentication for the IPSec tunnel. Apply the following configuration on HQ-R02, HQ-R03 and BR-R01 to create a transform set named "PS01-3DES-SHA".

 ] ipsec proposal PS01-3DES-SHA
       encapsulation-mode tunnel
       transform esp
       esp authentication-algorithm sha1
       esp encryption-algorithm 3des

5.5 Create ACL For VPN Tunnel


To match the traffic for the IPSec VPN tunnel, an ACL must be created.

Create the following ACL on both HQ-R02 and HQ-R03.

] acl 3000
      rule 10 permit ip source 10.10.10.0 0.0.0.255 destination 20.20.20.0 0.0.0.255

Create the following ACL on BR-R01.

] acl 3000
      rule 10 permit ip source 20.20.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255

5.6 Create VPN Tunnel Group


Create a tunnel group for the site-to-site IPSec VPN connection. Pre-shared key authentication is configured here.

On HQ-R02 and HQ-R03

] ike peer 10.1.1.4 V1
      pre-shared-key cipher vpn@HQ2BR
      local-address 10.1.1.3
      remote-address 10.1.1.4
      ike-proposal 1

On BR-R01

] ike peer 10.1.1.3 V1
     pre-shared-key cipher vpn@HQ2BR
     remote-address 10.1.1.3
     ike-proposal 1

5.7 Configure and Apply Crypto Map


Now we come to the final step: configure the crypto map (IPSec policy) that combines the IPSec transform set, the access list and the tunnel group configured in the previous steps for that specific VPN peer, and apply it to the interface that connects to the WAN/internet.

The following are the commands to be executed.

On HQ-R02 and HQ-R03

] ipsec policy POLICY1 10 isakmp
      proposal PS01-3DES-SHA
      security acl 3000
      ike-peer 10.1.1.4

] int G0/0/1
      ipsec policy POLICY1

On BR-R01

] ipsec policy POLICY1 10 isakmp
      proposal PS01-3DES-SHA
      security acl 3000
      ike-peer 10.1.1.3

] int G0/0/0
      ipsec policy POLICY1
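The tunnel only survives a failover if HQ-R03 carries exactly the same IKE and IPSec parameters as HQ-R02 and both bind IKE to the VRRP virtual IP, so it is worth checking that mechanically before bringing the tunnel up. The following Python script is an added example, not part of the original post or of Huawei's software: it parses VRP configuration snippets like those in sections 5.1 to 5.6, compares the phase 1 and phase 2 proposals of the two sides, and checks that the head office ike peer local-address and the branch remote-address are the VRRP virtual IP. The two faulty variants (HQ_BAD_LOCAL, BR_BAD_DH) are constructed for demonstration.

```python
# Constructed from the page's HQ-R02 configuration (sections 5.1, 5.3, 5.4 and 5.6).
HQ_R02 = """\
interface GigabitEthernet0/0/1
 vrrp vrid 10 virtual-ip 10.1.1.3
ike proposal 1
 authentication-algorithm sha1
 encryption-algorithm 3des-cbc
 dh group2
ipsec proposal PS01-3DES-SHA
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike peer 10.1.1.4 v1
 local-address 10.1.1.3
 remote-address 10.1.1.4
"""
# Constructed BR-R01 side: the same proposals, peering with the VRRP virtual IP.
BR_R01 = (HQ_R02[HQ_R02.index("ike proposal"):HQ_R02.index("ike peer")]
          + "ike peer 10.1.1.3 v1\n remote-address 10.1.1.3\n")
# Constructed faults: an HQ router bound to its physical address; a branch using DH group 5.
HQ_BAD_LOCAL = HQ_R02.replace("local-address 10.1.1.3", "local-address 10.1.1.2")
BR_BAD_DH = BR_R01.replace("dh group2", "dh group5")

def parse_blocks(cfg):
    """Map each top-level VRP command to its indented sub-commands as {parameter: value}."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line and line[0] != " ":
            cur = blocks.setdefault(line.strip(), {})
        elif line.strip() and cur is not None:
            k, v = line.strip().rsplit(" ", 1)
            cur[k] = v
    return blocks

def block(blocks, prefix):  # first block whose top-level command starts with prefix
    return next((v for k, v in blocks.items() if k.startswith(prefix)), {})

def check_ha_peer(hq_cfg, br_cfg):
    """Findings: phase 1/2 proposal mismatches and IKE addresses that are not the VRRP VIP."""
    hq, br = parse_blocks(hq_cfg), parse_blocks(br_cfg)
    # every parameter of both proposals must be identical on the two sides
    findings = [f"{prefix}: {k} HQ={a.get(k)} BR={b.get(k)}"
                for prefix in ("ike proposal", "ipsec proposal")
                for a, b in [(block(hq, prefix), block(br, prefix))]
                for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]
    vip = next((v for k, v in block(hq, "interface").items()
                if k.startswith("vrrp vrid") and k.endswith("virtual-ip")), None)
    for side, addr in (("HQ local-address", block(hq, "ike peer").get("local-address")),
                       ("BR remote-address", block(br, "ike peer").get("remote-address"))):
        if addr != vip:
            findings.append(f"{side} {addr} is not the VRRP virtual IP {vip}")
    return findings
```

Run check_ha_peer on the HQ-R02 and HQ-R03 configurations against BR-R01's; an empty list for both HQ routers means the standby can take over the same IKE identity.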

5.8 Test and Verify the Configuration


To bring up the site-to-site IPSec VPN tunnel, we need to ping the IP address of a host in the remote site. Let's test by pinging from PC1 in the head office to PC2 in the remote branch office.

C>ping 20.20.20.10

Ping 20.20.20.10: 32 data bytes, Press Ctrl_C to break
From 20.20.20.10: bytes=32 seq=1 ttl=126 time=62 ms
From 20.20.20.10: bytes=32 seq=2 ttl=126 time=47 ms
From 20.20.20.10: bytes=32 seq=3 ttl=126 time=47 ms
From 20.20.20.10: bytes=32 seq=4 ttl=126 time=47 ms
From 20.20.20.10: bytes=32 seq=5 ttl=126 time=47 ms

--- 20.20.20.10 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 47/50/62 ms


As the ping to the host IP on the remote site succeeded, the IPSec VPN tunnel should now be up and running. We can verify it with the following command on the following devices.

On HQ-R02

] dis ipsec sa

===============================
Interface: GigabitEthernet0/0/1
 Path MTU: 1500
===============================

-----------------------------
 IPSec policy name: "POLICY1"
 Sequence number : 10
 Acl Group : 3000
 Acl rule : 10
 Mode : ISAKMP
 -----------------------------
 Connection ID : 5
 Encapsulation mode: Tunnel
 Tunnel local : 10.1.1.3
 Tunnel remote : 10.1.1.4
 Flow source : 10.10.10.0/255.255.255.0 0/0
 Flow destination : 20.20.20.0/255.255.255.0 0/0
 Qos pre-classify : Disable

[Outbound ESP SAs] 
 SPI: 4035017842 (0xf0817c72)
 Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
 SA remaining key duration (bytes/sec): 1857285120/1457
 Max sent sequence-number: 1963
 UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs] 
 SPI: 2199367495 (0x8317af47)
 Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
 SA remaining key duration (bytes/sec): 1887320100/1457
 Max received sequence-number: 1945
 Anti-replay window size: 32
 UDP encapsulation used for NAT traversal: N

On HQ-R03

> dis ipsec sa
 No Security Associations established.

On BR-R01

] dis ipsec sa

===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500
===============================

-----------------------------
 IPSec policy name: "POLICY1"
 Sequence number : 10
 Acl Group : 3000
 Acl rule : 10
 Mode : ISAKMP
 -----------------------------
 Connection ID : 37
 Encapsulation mode: Tunnel
 Tunnel local : 10.1.1.4
 Tunnel remote : 10.1.1.3
 Flow source : 20.20.20.0/255.255.255.0 0/0
 Flow destination : 10.10.10.0/255.255.255.0 0/0
 Qos pre-classify : Disable

[Outbound ESP SAs] 
 SPI: 2199367495 (0x8317af47)
 Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
 SA remaining key duration (bytes/sec): 1857561600/1374
 Max sent sequence-number: 1945
 UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs] 
 SPI: 4035017842 (0xf0817c72)
 Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
 SA remaining key duration (bytes/sec): 1887319020/1374
 Max received sequence-number: 1963
 Anti-replay window size: 32
 UDP encapsulation used for NAT traversal: N

Now let's test the case where the active VRRP router, HQ-R02, goes down. When HQ-R02 is down, if we check the routing table on HQ-R01 we should see the following result.

] dis ip routing-table | e Direct
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
 Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.0.0.0/30 OSPF 10 12 D 10.0.0.6 GigabitEthernet0/0/1
10.1.1.0/24 OSPF 10 11 D 10.0.0.6 GigabitEthernet0/0/1
10.1.1.3/32 OSPF 10 11 D 10.0.0.6 GigabitEthernet0/0/1
20.20.20.0/24 O_ASE 150 1 D 10.0.0.6 GigabitEthernet0/0/1

If we ping from PC1 in the head office to PC2 in the remote branch office, we still get a successful result after a single timed-out request.

PC>ping 20.20.20.10

Ping 20.20.20.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 20.20.20.10: bytes=32 seq=2 ttl=126 time=63 ms
From 20.20.20.10: bytes=32 seq=3 ttl=126 time=62 ms
From 20.20.20.10: bytes=32 seq=4 ttl=126 time=63 ms
From 20.20.20.10: bytes=32 seq=5 ttl=126 time=62 ms

--- 20.20.20.10 ping statistics ---
 5 packet(s) transmitted
 4 packet(s) received
 20.00% packet loss
 round-trip min/avg/max = 0/62/63 ms


Now let's verify the VPN connection status on the following devices.

On HQ-R03, we can see that the VPN session has now become active on HQ-R03 while HQ-R02 is unreachable.

] dis ipsec sa

===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500
===============================

-----------------------------
 IPSec policy name: "POLICY1"
 Sequence number : 10
 Acl Group : 3000
 Acl rule : 10
 Mode : ISAKMP
 -----------------------------
 Connection ID : 39
 Encapsulation mode: Tunnel
 Tunnel local : 10.1.1.4
 Tunnel remote : 10.1.1.3
 Flow source : 20.20.20.0/255.255.255.0 0/0
 Flow destination : 10.10.10.0/255.255.255.0 0/0
 Qos pre-classify : Disable

[Outbound ESP SAs] 
 SPI: 3458669772 (0xce271ccc)
 Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
 SA remaining key duration (bytes/sec): 1887375360/3516
 Max sent sequence-number: 4
 UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs] 
 SPI: 1856179096 (0x6ea30b98)
 Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
 SA remaining key duration (bytes/sec): 1887436500/3516
 Max received sequence-number: 5
 Anti-replay window size: 32
 UDP encapsulation used for NAT traversal: N

On BR-R01, the VPN connection status on the remote branch office device is still up, and the peer IP address is still the virtual IP address 10.1.1.3 even though the active VRRP router failed.

] dis ipsec sa

===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500
===============================

-----------------------------
 IPSec policy name: "POLICY1"
 Sequence number : 10
 Acl Group : 3000
 Acl rule : 10
 Mode : ISAKMP
 -----------------------------
 Connection ID : 39
 Encapsulation mode: Tunnel
 Tunnel local : 10.1.1.4
 Tunnel remote : 10.1.1.3
 Flow source : 20.20.20.0/255.255.255.0 0/0
 Flow destination : 10.10.10.0/255.255.255.0 0/0
 Qos pre-classify : Disable

[Outbound ESP SAs] 
 SPI: 3458669772 (0xce271ccc)
 Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
 SA remaining key duration (bytes/sec): 1887375360/3469
 Max sent sequence-number: 4
 UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs] 
 SPI: 1856179096 (0x6ea30b98)
 Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
 SA remaining key duration (bytes/sec): 1887436500/3469
 Max received sequence-number: 5
 Anti-replay window size: 32
 UDP encapsulation used for NAT traversal: N
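To check these outputs mechanically, both before and after the failover, the following Python script is an added example (not from the original post): it parses the `dis ipsec sa` output of the VRRP master and of BR-R01, verifies that the tunnel endpoint on both sides is the VRRP virtual IP 10.1.1.3 and that each side's outbound SPI is the other side's inbound SPI, reports the "No Security Associations established." case seen on the standby router, and detects that the branch negotiated a fresh SA after the failover. The sample outputs are constructed from the SPIs shown in section 5.8 and above.

```python
# Constructed from the page's HQ-R02 and BR-R01 `dis ipsec sa` output (section 5.8), trimmed.
HQ_R02_SA = """\
 Tunnel local : 10.1.1.3
 Tunnel remote : 10.1.1.4
[Outbound ESP SAs]
 SPI: 4035017842 (0xf0817c72)
[Inbound ESP SAs]
 SPI: 2199367495 (0x8317af47)
"""
BR_R01_SA = """\
 Tunnel local : 10.1.1.4
 Tunnel remote : 10.1.1.3
[Outbound ESP SAs]
 SPI: 2199367495 (0x8317af47)
[Inbound ESP SAs]
 SPI: 4035017842 (0xf0817c72)
"""
# BR-R01 after failover, with the SPIs from the page's post-failover output (a fresh SA pair).
BR_R01_SA_AFTER = (BR_R01_SA.replace("2199367495 (0x8317af47)", "3458669772 (0xce271ccc)")
                   .replace("4035017842 (0xf0817c72)", "1856179096 (0x6ea30b98)"))

def parse_ipsec_sa(text):
    """Tunnel endpoints and the outbound/inbound SPI from `dis ipsec sa` output."""
    sa, direction = {"local": None, "remote": None, "out": None, "in": None}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        if key.startswith("Tunnel "):
            sa[key.split()[1]] = val.strip()
        elif key.startswith("["):
            direction = "out" if "Outbound" in key else "in"
        elif direction and key == "SPI":
            sa[direction] = val.strip().split(" (")[0]  # keep the decimal SPI, drop the hex form
    return sa

def verify_pair(hq_text, br_text, vip):
    """Problems with the SA pair between the VRRP master and the branch; empty when consistent."""
    hq, br = parse_ipsec_sa(hq_text), parse_ipsec_sa(br_text)
    if hq["out"] is None:
        return ["no SA on this head-office router (not the VRRP master, or IKE failed)"]
    problems = [] if hq["local"] == vip == br["remote"] else [f"tunnel endpoint is not the VRRP VIP {vip}"]
    for mine, theirs in (("out", "in"), ("in", "out")):  # our outbound SA is their inbound SA
        if hq[mine] != br[theirs]:
            problems.append(f"HQ {mine}bound SPI {hq[mine]} != BR {theirs}bound SPI {br[theirs]}")
    return problems

def rekeyed(before_text, after_text):
    """True when both SPIs changed, i.e. a fresh SA was negotiated (expected after failover)."""
    b, a = parse_ipsec_sa(before_text), parse_ipsec_sa(after_text)
    return b["out"] != a["out"] and b["in"] != a["in"]
```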


6. Conclusion


Now you should be able to configure a high availability site-to-site IPSec VPN using VRRP between Huawei routers in the head office and a remote branch office. It would be great if you could practice with eNSP to verify your understanding. If you have any questions or suggestions, you can always leave your comments below. I will do my best to review and reply to them.
