After we posted one of the articles on how to bridge VPNs, someone asked a question about how to use a VPN tunnel as a backup link; i.e., traffic goes through the VPN tunnel when the primary link goes down. The commenter did not provide a specific scenario, so what I will be doing in this series is to look at various scenarios (on different devices) and see how VPN tunnels can be used as backup connections.

The first scenario we will be considering is shown in the following diagram:

In this diagram, the LANs of Site A and Site B need to communicate. There is a private link between Site A and Site B (192.168.10.0/30) and this link should be used for traffic between the LANs as long as that link is available. If the private link goes down, a VPN tunnel should be established over the Internet between both sites and traffic should flow through that tunnel.

There are two things to think about in this scenario: routing and link tracking. On Site A, the route for Site B’s LAN should use the private link as the primary path and the Internet link as the backup path. The same is true for Site B. There also needs to be a way for each site to know when to fail over to the backup link, and this is handled by IP SLA tracking.

Let’s get right into the configuration. The basic configuration on the routers, excluding VPN configuration, is as follows:

hostname INTERNET
!
interface Ethernet1/0
 ip address 41.1.1.2 255.255.255.252
interface Ethernet1/1
 ip address 41.1.2.2 255.255.255.252

hostname SITE_A
!
interface Loopback0
 description ***SITE_A LAN***
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
 description ***PRIVATE LINK WITH SITE_B***
 ip address 192.168.10.1 255.255.255.252
!
interface Ethernet1/0
 description ***INTERNET LINK***
 ip address 41.1.1.1 255.255.255.252
!
ip sla 1
 icmp-echo 192.168.10.2
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 41.1.1.2
ip route 10.10.20.0 255.255.255.0 192.168.10.2 track 1
ip route 10.10.20.0 255.255.255.0 Ethernet1/0 41.1.2.1 10

hostname SITE_B
!
interface Loopback0
 description ***SITE_B LAN***
 ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0
 description ***PRIVATE LINK WITH SITE_A***
 ip address 192.168.10.2 255.255.255.252
!
interface Ethernet1/0
 description ***INTERNET LINK***
 ip address 41.1.2.1 255.255.255.252
!
ip sla 1
 icmp-echo 192.168.10.1
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 41.1.2.2
ip route 10.10.10.0 255.255.255.0 192.168.10.1 track 1
ip route 10.10.10.0 255.255.255.0 Ethernet1/0 41.1.1.1 10

The first configuration is on the router acting as the “INTERNET.” The configuration on the site routers contains three routes:

  1. A default route pointing to the INTERNET gateway for all internet traffic. This route will also help Site A get to the Internet IP address of Site B and vice versa.
  2. A route for the other site’s LAN subnet using the private link. This route is tracked so that it is removed when the link is faulty.
  3. A backup route for the other site’s LAN subnet using the Internet interface and Internet IP address of the other site router. Since this route has a higher administrative distance than the previous (tracked) route, it is only installed if the primary link goes down.
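To make the interplay of the three routes and the track object concrete, here is a small Python model of SITE_A's routing table. It is an added example, not part of the original article and not a Cisco tool: the interface addresses and the three static routes are copied from the SITE_A configuration above, while the connected routes, the administrative-distance tie-break and the recursive next-hop lookup are a simplified model of what IOS does when it builds the routing table.

```python
"""Model of SITE_A's static routing with a tracked primary and a floating backup route.

Added example for the article; the routes are SITE_A's, the RIB logic is a
simplified model of IOS behaviour (track withdrawal, AD tie-break, longest prefix,
recursive next-hop resolution).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]  # None for a directly connected route
    interface: Optional[str]         # egress interface, when the route names one
    distance: int                    # administrative distance (connected 0, static 1 by default)
    track: Optional[int] = None      # track object that must be up for the route to be installed


# Connected routes are derived from SITE_A's interface addresses; the static routes
# are the three "ip route" lines in SITE_A's configuration.
SITE_A_ROUTES: List[Route] = [
    Route(ip_network("10.10.10.0/24"), None, "Loopback0", 0),
    Route(ip_network("192.168.10.0/30"), None, "FastEthernet0/0", 0),
    Route(ip_network("41.1.1.0/30"), None, "Ethernet1/0", 0),
    # ip route 0.0.0.0 0.0.0.0 41.1.1.2
    Route(ip_network("0.0.0.0/0"), ip_address("41.1.1.2"), None, 1),
    # ip route 10.10.20.0 255.255.255.0 192.168.10.2 track 1
    Route(ip_network("10.10.20.0/24"), ip_address("192.168.10.2"), None, 1, track=1),
    # ip route 10.10.20.0 255.255.255.0 Ethernet1/0 41.1.2.1 10
    Route(ip_network("10.10.20.0/24"), ip_address("41.1.2.1"), "Ethernet1/0", 10),
]


def installed_routes(routes: List[Route], track_state: Dict[int, bool]) -> List[Route]:
    """Build the RIB: drop routes whose track object is down, then keep the lowest
    administrative distance per prefix. The AD-10 floating route only appears
    once the AD-1 tracked route has been withdrawn."""
    best: Dict[IPv4Network, Route] = {}
    for r in routes:
        if r.track is not None and not track_state.get(r.track, False):
            continue
        cur = best.get(r.prefix)
        if cur is None or r.distance < cur.distance:
            best[r.prefix] = r
    return list(best.values())


def lookup(dst: str, rib: List[Route]) -> Optional[Route]:
    """Longest-prefix match over the installed routes."""
    addr = ip_address(dst)
    matches = [r for r in rib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def resolve(dst: str, rib: List[Route]) -> Tuple[Optional[str], Optional[str]]:
    """Return (egress interface, next hop) for dst, following a next-hop-only
    route recursively until it lands on a connected route."""
    route = lookup(dst, rib)
    if route is None:
        return None, None
    if route.next_hop is None:                 # directly connected: deliver to dst itself
        return route.interface, dst
    if route.interface is not None:            # interface and next hop both given
        return route.interface, str(route.next_hop)
    egress, _ = resolve(str(route.next_hop), rib)
    return egress, str(route.next_hop)


def path_to_site_b(track_up: bool) -> Tuple[Optional[str], Optional[str]]:
    """How SITE_A forwards traffic for Site B's LAN when track 1 is up or down."""
    rib = installed_routes(SITE_A_ROUTES, {1: track_up})
    return resolve("10.10.20.1", rib)


if __name__ == "__main__":
    print("track 1 up:  ", path_to_site_b(True))    # private link
    print("track 1 down:", path_to_site_b(False))   # Internet link, the backup path
```

Running it shows the two states the article tests later: with track 1 up, Site B's LAN is reached via FastEthernet0/0 and 192.168.10.2; with track 1 down, the same prefix resolves to Ethernet1/0 and 41.1.2.1, which is why the backup traffic leaves on the Internet link at all.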

If the primary link is operational, we will see that link being used as the primary link to reach the other site’s LAN subnet.

We can now add our VPN configuration on the site routers. Remember that the VPN is only applied on the Internet link. There are other scenarios that may have two VPN tunnels – one primary and one backup – but that’s not the case in this article.

SITE_A

ip access-list extended LAN_A-LAN_B
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address 41.1.2.1
!
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
!
crypto map CRYP_MAP 10 ipsec-isakmp
 set peer 41.1.2.1
 set transform-set TRANS_SET
 match address LAN_A-LAN_B
!
interface Ethernet1/0
 crypto map CRYP_MAP

SITE_B

ip access-list extended LAN_B-LAN_A
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address 41.1.1.1
!
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
!
crypto map CRYP_MAP 10 ipsec-isakmp
 set peer 41.1.1.1
 set transform-set TRANS_SET
 match address LAN_B-LAN_A
!
interface Ethernet1/0
 crypto map CRYP_MAP
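The ISAKMP policy above sets only `hash md5` and `authentication pre-share`, so IOS fills in its classic IKEv1 defaults for the rest (`encryption des`, `group 1`), and the transform set uses 3DES with MD5. The following Python script is an added example, not part of the article or of any Cisco tool: it parses the SITE_A crypto configuration exactly as printed above, applies those defaults, and flags the weak algorithms and the placeholder pre-shared key. The hardened variant it compares against is constructed here (AES-256, SHA-256, DH group 14, with an obviously placeholder key), and the weak-algorithm lists are the reviewer's choice, not something the article defines.

```python
"""Audit the IKE/IPsec settings of an IOS crypto configuration.

Added example; SITE_A_VPN is the article's configuration as printed, HARDENED_VPN
is a constructed comparison, and the weak-algorithm lists and IOS defaults are
the reviewer's, not anything the article states.
"""
import re
from typing import Dict, List, Tuple

SITE_A_VPN = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address 41.1.2.1
!
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
!
crypto map CRYP_MAP 10 ipsec-isakmp
 set peer 41.1.2.1
 set transform-set TRANS_SET
 match address LAN_A-LAN_B
"""

# Constructed hardened variant of the same policy; the key is a placeholder, not a secret.
HARDENED_VPN = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-SECRET address 41.1.2.1
!
crypto ipsec transform-set TRANS_SET esp-aes 256 esp-sha256-hmac
"""

# Values IOS applies when a "crypto isakmp policy" block omits the attribute.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}
PLACEHOLDER_KEYS = {"cisco", "password", "secret", "key"}


def parse_isakmp_policies(cfg: str) -> Dict[int, Dict[str, str]]:
    """Return {policy number: attributes}, filling in the IOS defaults so that an
    attribute the admin never typed (here encryption and group) is still judged."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = dict(ISAKMP_DEFAULTS)
            policies[int(m.group(1))] = current
        elif line.startswith(" ") and current is not None:
            parts = line.split()
            if parts[0] in ISAKMP_DEFAULTS or parts[0] == "authentication":
                current[parts[0]] = " ".join(parts[1:])   # e.g. "aes 256"
        else:
            current = None                                  # left the policy block
    return policies


def parse_transform_sets(cfg: str) -> Dict[str, List[str]]:
    """Map transform-set name to its list of transforms."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}


def parse_preshared_keys(cfg: str) -> List[Tuple[str, str]]:
    """Return (key, peer) pairs from plaintext 'crypto isakmp key ... address ...' lines."""
    return re.findall(r"^crypto isakmp key (\S+) address (\S+)", cfg, re.M)


def audit(cfg: str) -> List[str]:
    """List the weak settings found in cfg; an empty list means nothing was flagged."""
    findings = []
    for num, pol in parse_isakmp_policies(cfg).items():
        for attr, weak in WEAK_ISAKMP.items():
            if pol.get(attr) in weak:
                findings.append(f"isakmp policy {num}: {attr} {pol[attr]} is weak")
    for name, algs in parse_transform_sets(cfg).items():
        for alg in algs:
            if alg in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: {alg} is weak")
    for key, peer in parse_preshared_keys(cfg):
        if key.lower() in PLACEHOLDER_KEYS or len(key) < 16:
            findings.append(f"pre-shared key for {peer} is a placeholder or too short")
    return findings


if __name__ == "__main__":
    for label, cfg in (("article", SITE_A_VPN), ("hardened", HARDENED_VPN)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Against the article's SITE_A configuration the audit reports six findings (DES, MD5 and group 1 in the ISAKMP policy, 3DES and MD5 in the transform set, and the key `cisco`); against the hardened variant it reports none. The parser only understands the plaintext `crypto isakmp key <key> address <peer>` form used in the article, not the `key 6` encrypted form.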

Now let’s test. Since the private link is up, traffic between the LANs will flow via this link.

We can also see that there are no ISAKMP SAs.

Now, I will shut down the private link and try to connect again between the LANs.

The first set of ping traffic failed while the VPN tunnel was being set up and then the next set succeeded. Also notice that we now have an ISAKMP SA in the output above. We can also check that the traffic is indeed going through the VPN tunnel by looking at the IPsec SAs:

To complete our test, we will bring the private link back up. Traffic will stop flowing through the VPN tunnel and will start flowing again through the private link. Normal routing takes care of this.

We can confirm that traffic is not flowing through the VPN tunnel because the encrypt/decrypt counters have not incremented from when they were flowing through it.

Summary

In this article, we have seen how to use a VPN tunnel as a backup link in case the primary link fails. We used basic routing (static routes) and IP SLA tracking to achieve this.

In the next article, we will consider the same scenario but using a different type of VPN tunnel and also dynamic routing. I hope you have found this article helpful.
