Hello fellow networkers,
I am in the process of setting up a site-to-site redundant VPN (failover), however I have a small issue.
Main site has 2 WAN links and remote site has only 1.
Main site has 2 routers set up in VRRP.
On R1 Main Site, VRRP tracks whether the IP address of the remote site is reachable through R1's WAN interface; if it is not, R1 drops in priority and gives control over to R2, which has a VPN link set up with R1 Remote Site as well.
Initially the tunnel may be initiated by either site router. (R1 Main Site -> R1 Remote site; R1 Main site <- R1 Remote site).
However, after a tunnel is established with Main Site R1 and Main Site R1 is taken down, Remote Site R1 cannot renegotiate a new tunnel with Main Site R2 until the original Main Site R1 tunnel times out (default 3600 seconds). Main Site R2, on the other hand, can create a new tunnel to Remote Site R1, and communications flow freely afterwards.
R1 Main Site <-> R1 Remote Site: works
R1 Main Site dies x-> R1 Remote Site
R2 Main Site <- R1 Remote Site: fails
R2 Main Site -> R1 Remote Site: succeeds
Is there a way to force R1 Remote Site to tear down the VPN tunnel previously established with R1 Main Site in order to make way for R2 Main Site? Some sort of hellos or keepalives?
I have used "crypto isakmp keepalive 10 periodic/on-demand", but it kept tearing down and bringing back up the tunnels; when I did "show crypto isakmp sa", the "conn-id"s would just keep increasing.
I can make this work with "clear crypto session" (maybe triggered by some sort of tracking), but it seems like a messy way of doing things; I'm looking for a proper way.
Is this normal behaviour of site-to-site VPN redundancy? Am I missing something?
I set up this question as a 2-site VPN link, but it is in fact 1 hub site connecting to 2 other sites, each requiring a redundant VPN tunnel.
I am currently simulating this in GNS3 with 3745 routers.
Here are the relevant configs; the public IP addresses are bogus.
R1 Main Site
ip sla monitor 5
 type echo protocol ipIcmpEcho 56.47.3.1 source-interface FastEthernet0/1
 frequency 5
ip sla monitor schedule 5 life forever start-time now
track 1 rtr 5 reachability
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
 lifetime 60
crypto isakmp key cisco address 56.47.3.1
crypto isakmp key cisco address 87.83.4.1
crypto isakmp keepalive 10
!
crypto isakmp peer address 56.47.3.1
!
crypto isakmp peer address 87.83.4.1
!
!
crypto ipsec transform-set MY_Transform_Set ah-sha-hmac esp-3des
!
crypto map MAP 1 ipsec-isakmp
 set peer 56.47.3.1
 set transform-set MY_Transform_Set
 match address 100
crypto map MAP 2 ipsec-isakmp
 set peer 87.83.4.1
 set transform-set MY_Transform_Set
 match address 150
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.4 255.255.255.0
 duplex auto
 speed auto
 vrrp 1 ip 192.168.1.5
 vrrp 1 priority 105
 vrrp 1 track 1
!
interface FastEthernet0/1
 description WAN
 ip address 56.1.13.46 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
ip route 10.1.0.0 255.255.255.0 56.47.3.1
ip route 10.2.0.0 255.255.255.0 87.83.4.1
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 10.2.0.0 0.0.0.255
R2 Main Site
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
 lifetime 60
crypto isakmp key cisco address 56.47.3.1
crypto isakmp key cisco address 87.83.4.1
crypto isakmp keepalive 10
!
crypto isakmp peer address 56.47.3.1
!
crypto isakmp peer address 87.83.4.1
!
!
crypto ipsec transform-set MY_Transform_Set ah-sha-hmac esp-3des
!
crypto map MAP 1 ipsec-isakmp
 set peer 56.47.3.1
 set transform-set MY_Transform_Set
 match address 100
crypto map MAP 2 ipsec-isakmp
 set peer 87.83.4.1
 set transform-set MY_Transform_Set
 match address 150
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.3 255.255.255.0
 duplex auto
 speed auto
 vrrp 1 ip 192.168.1.5
!
interface FastEthernet1/0
 ip address 17.44.25.2 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
ip route 10.1.0.0 255.255.255.0 56.47.3.1
ip route 10.2.0.0 255.255.255.0 87.83.4.1
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 10.2.0.0 0.0.0.255
R1 Remote Site
ip sla monitor 1
 type echo protocol ipIcmpEcho 56.1.13.46 source-interface FastEthernet0/1
 timeout 1000
 frequency 3
ip sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
 lifetime 60
crypto isakmp key cisco address 56.1.13.46
crypto isakmp key cisco address 17.44.25.2
crypto isakmp keepalive 10
!
crypto isakmp peer address 17.44.25.2
!
crypto isakmp peer address 56.1.13.46
!
!
crypto ipsec transform-set MY_Transform_Set ah-sha-hmac esp-3des
!
crypto map MAP 1 ipsec-isakmp
 set peer 56.1.13.46
 set peer 17.44.25.2
 set transform-set MY_Transform_Set
 match address 100
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.0.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description R2
 ip address 56.47.3.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
! NB: the next hop 56.1.13.36 on the tracked route below does not match the
! tracked/peer address 56.1.13.46 above; verify this is not a typo
ip route 192.168.1.0 255.255.255.0 56.1.13.36 10 track 1
ip route 192.168.1.0 255.255.255.0 17.44.25.2 20
!
access-list 100 permit ip 10.1.0.0 0.0.0.255 192.168.1.0 0.0.0.255
What do you guys think?
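Added example, not part of the original post: one way to make the "clear crypto session triggered by tracking" idea clean on the remote-site router, combining IOS Dead Peer Detection with an explicit retry interval, the preferred-peer keyword on the crypto map, and an EEM applet bound to the existing track 1. The addresses, map name, transform set and track number are taken from the posted R1 Remote Site config; that the image supports the EEM track event detector and `set peer ... default` (both 12.4-era features) is an assumption, not something the post confirms. Two things worth checking in the posted configs before blaming DPD for the climbing conn-ids: `lifetime 60` in the ISAKMP policy forces a full IKE rekey every 60 seconds, which on its own produces a new conn-id each minute, and `crypto isakmp keepalive 10` without a retry value uses the default 2-second retry. The posted 3DES, DH group 5 and the key "cisco" are fine for a GNS3 lab but should be replaced by AES, a stronger group and a real key on production links.

```cisco
! Added example for the R1 Remote Site router (not from the original post).
! Assumes the posted ip sla monitor 1 / track 1 definition is still present.
!
! Dead Peer Detection: probe every 10 s, retry every 3 s, only when there
! is outbound traffic waiting on the peer (on-demand), so an idle tunnel
! is not torn down and rebuilt needlessly.
crypto isakmp keepalive 10 3 on-demand
!
! Let the router recover when a hub peer reboots and no longer knows the
! SPIs we are still sending: an unknown-SPI error triggers a fresh IKE.
crypto isakmp invalid-spi-recovery
!
! Hub R1 is the preferred ("default") peer: whenever a new SA has to be
! negotiated the router tries it first, then falls through to hub R2.
crypto map MAP 1 ipsec-isakmp
 set peer 56.1.13.46 default
 set peer 17.44.25.2
 set transform-set MY_Transform_Set
 match address 100
!
! Failover: when track 1 says hub R1 is unreachable, drop the stale
! IKE/IPsec session to it so the next interesting packet negotiates
! with hub R2 instead of waiting for the 3600 s SA lifetime to expire.
event manager applet HUB1-DOWN
 event track 1 state down
 action 1.0 syslog msg "Hub R1 unreachable, clearing crypto session to 56.1.13.46"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear crypto session remote 56.1.13.46"
!
! Failback: when hub R1 is reachable again, clear the session to hub R2 so
! the next negotiation goes back to the preferred peer.
event manager applet HUB1-UP
 event track 1 state up
 action 1.0 syslog msg "Hub R1 reachable again, clearing crypto session to 17.44.25.2"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear crypto session remote 17.44.25.2"
```

To check the behaviour, pull the WAN link of Main Site R1 in GNS3 and watch `show track 1`, the syslog line from the applet, and `show crypto session`; the session to 56.1.13.46 should disappear within the track's detection time (3 s probes, 1 s timeout) rather than after the SA lifetime, and the next ping from 10.1.0.0/24 to 192.168.1.0/24 should bring up a session to 17.44.25.2.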