IPSEC and High Availability

Hi IPexpert blog followers,

Today I am going to teach you about IPSEC and the different levels of High Availability.  When you set up an IPSEC tunnel there is no redundancy at all.

This article will only explain the high level concepts, and what the elements are what you should know about the specific method used.

This article is the first one in a multi-series article range that will explain the different methods in detail on a method by method weekly base.

Site-to-Site VPN without Redundancy

Within the scenario you will find in the network diagram below you will find no redundancy at all.  This type of design introduces a lot of so called single point of failures.

As you can see there are 5 single point of failures:

• The WAN Router of site A
• The WAN Router of site B
• The WAN facing interface of site A
• The WAN facing interface of site B
• random router(s) that is used within the WAN (core)

If there is a failure on 1 of the mentioned items this will result in a failure of the IPSec VPN tunnel.

Dual-WAN Interface Redundancy

When we add another WAN link which will cost more money, we can reduce the single points of failure with 3.  Because we are adding an extra link we have the redundancy we want on the WAN core but also on the WAN interfaces.

What important here is that the ISP will use two completely different paths within the core to route the traffic.

As you can see there are only 2 single point of failures left:

• The WAN Router of site A
• The WAN Router of site B

WAN Gateway, Interface, and Carrier Redundancy

We can eliminate the 2 single point of failures that are left with adding extra WAN links with separate routers.  The best way would be to mind as well add a second ISP to the party.

As you can see on the picture below we did that and we have eliminated all the single point of failures.

This solution will eliminate all of the single points of failures we discussed.  But, however, this is a more costly solution this is still not the best…and I think you already feel this coming…but there is more to come.

There is something about all of the network topologies that where just explained, can you discover what it is?  Well the network topologies that where just discussed still have a single point of failure.

This is on the tunnel termination point itself.  I know but this is even going to cost more money in terms of designing, implementation and ISP services.

We can also use 3 different topologies where we design High Availability for the termination points as well.

Tunnel Termination on Highly Available Interfaces

We can create High availability on the tunnel termination endpoint itself by adding an extra Fastethernet interface towards the second WAN routers.

When we use a loopback interface as the source/destination of the VPN tunnel we eliminate the need of using a real physical interface so if 1 of the physical interfaces towards the WAN routers goes down we still don’t have a problem.

This looks like:

Tunnel Termination Point HA Using HSRP Virtual Interfaces

When a loopback interface is used as termination point for the IPSec tunnel there is still a point where things can go wrong.  Yes I know you are wondering … is this guy ever going to stop ;-)

Well the answers is NO! Not yet!

Remember that the following addition(s) in terms to get a perfect High Availability solution will cost more and more money as it develops.

We can use a HSRP/VRRP (virtual) IP address as the termination point for the IPSec VPN tunnel.

In the diagram below this is shown how.

Well after adding in a extra LAN router and at the same time an extra Tunnel End Termination Point we still improve this design to make it more reliable and improve the level of High Availability.

Geographic IPSec HA Using Multiple Peering Statements in Each Crypto Map on IPSec_1A, 2A, 1B, and 2B

Well don’t worry we still need to go to 3 options that are based on the same principals.  The scenario we just discussed can only work if the IPSEC routers are in the same wiring closet.

So the High Availability is made possible by the Layer 2 that resides on the sites LAN segment.

But this is not going to work if the IPSec termination points are in different wiring closets and we cannot use HSRP /VRRP.

We are forced to create multiple Peering Statements between the WAN endpoints.

Keep in mind that I said WAN endpoints and not LAN endpoints.

Loopback-to-Loopback IPSec Peering Sessions with Redundant Peer Statements

We can take this a step further by setting up the IPSec endpoints towards the LAN endpoints.  The most logical choice would be to use loopback interfaces, but in this case we can also use the physical interfaces.

RP-Based HA between IPSec Tunnel Termination Points

Within the design that is described below will use dual uplinks towards the same ISP.  This will upgrade the High Availability to another level. Yes again a much higher one.

You know why? Well because of the expansion of the Layer 3 paths.

We are not using dedicated WAN links with different ISP’s but we are using the same ISP with dual uplinks.

Note that we can also use this same design as shown below in combination with Loopback interfaces and we can also do this with different ISP’s but then again you will ending up paying more money.

As I explained before how higher the level of High Availability, how more you have to spend and not only in terms of hardware and ISP cost but also in terms of designing configuring and testing.

So I understand that everything is becoming a little weird and harder to understand as the High Availibillity options are getting more complex … but don’t worry.  All of these examples will be explained in future IPexpert BLOG articles with full configlets and full .net files to test this within the virtual Dynamips environment.

So this is just the intro for so much more to come!

Regards,

Iwan Hoogendoorn

CCIE #13084 (R&S / Security / SP)

Sr. Support Engineer - IPexpert, Inc.

URL: http://www.IPexpert.com

Tags: High Availability, IPSEC, Security