After we posted one of the articles on how to bridge VPNs, someone asked a question about how to use a VPN tunnel as a backup link; i.e., traffic goes through the VPN tunnel when the primary link goes down. The commenter did not provide a specific scenario, so what I will be doing in this series is to look at various scenarios (on different devices) and see how VPN tunnels can be used as backup connections.
The first scenario we will be considering is shown in the following diagram:
In this diagram, the LANs of Site A and Site B need to communicate. There is a private link between Site A and Site B (192.168.10.0/30) and this link should be used for traffic between the LANs as long as that link is available. If the private link goes down, a VPN tunnel should be established over the Internet between both sites and traffic should flow through that tunnel.
There are two things to think about in this scenario: routing and link tracking. On Site A, the route for Site B’s LAN should use the private link as the primary route and use the Internet link as the backup route. The same is true for Site B. There also needs to be a way for the sites to know when to failover to the backup link and this is taken care of by IP SLA tracking.
Let’s get right into the configuration. The basic configuration on the routers, excluding VPN configuration, is as follows:
hostname INTERNET
!
interface Ethernet1/0
 ip address 184.108.40.206 255.255.255.252
interface Ethernet1/1
 ip address 220.127.116.11 255.255.255.252
hostname SITE_A
!
interface Loopback0
 description ***SITE_A LAN***
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
 description ***PRIVATE LINK WITH SITE_B***
 ip address 192.168.10.1 255.255.255.252
!
interface Ethernet1/0
 description ***INTERNET LINK***
 ip address 18.104.22.168 255.255.255.252
!
ip sla 1
 icmp-echo 192.168.10.2
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 22.214.171.124
ip route 10.10.20.0 255.255.255.0 192.168.10.2 track 1
ip route 10.10.20.0 255.255.255.0 Ethernet1/0 126.96.36.199 10
hostname SITE_B
!
interface Loopback0
 description ***SITE_B LAN***
 ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0
 description ***PRIVATE LINK WITH SITE_A***
 ip address 192.168.10.2 255.255.255.252
!
interface Ethernet1/0
 description ***INTERNET LINK***
 ip address 188.8.131.52 255.255.255.252
!
ip sla 1
 icmp-echo 192.168.10.1
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 184.108.40.206
ip route 10.10.10.0 255.255.255.0 192.168.10.1 track 1
ip route 10.10.10.0 255.255.255.0 Ethernet1/0 220.127.116.11 10
The first configuration is on the router acting as the “INTERNET”. The configuration on each site router contains three routes:
A default route pointing to the INTERNET gateway for all internet traffic. This route will also help Site A get to the Internet IP address of Site B and vice versa.
A route for the other site’s LAN subnet using the private link. This route is tied to track object 1, so it is withdrawn from the routing table when the IP SLA ICMP probe to the far end of the private link stops getting replies.
A backup route for the other site’s LAN subnet using the Internet interface and the Internet IP address of the other site router. Since this route has a higher administrative distance (10) than the tracked route (the static default of 1), it is only installed when the primary route has been withdrawn.
If the primary link is operational, we will see that link being used as the primary link to reach the other site’s LAN subnet.
We can now add our VPN configuration on the site routers. Remember that the VPN is only applied on the Internet link. There are other scenarios that may have two VPN tunnels – one primary and one backup – but that’s not the case in this article.
ip access-list extended LAN_A-LAN_B
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address 18.104.22.168
!
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
!
crypto map CRYP_MAP 10 ipsec-isakmp
 set peer 22.214.171.124
 set transform-set TRANS_SET
 match address LAN_A-LAN_B
!
interface Ethernet1/0
 crypto map CRYP_MAP
ip access-list extended LAN_B-LAN_A
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address 126.96.36.199
!
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
!
crypto map CRYP_MAP 10 ipsec-isakmp
 set peer 188.8.131.52
 set transform-set TRANS_SET
 match address LAN_B-LAN_A
!
interface Ethernet1/0
 crypto map CRYP_MAP
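To make the interaction between the three routes, the track object and the crypto map concrete, here is a small Python model of the SITE_A decision logic. It is an added illustration written for this article, not Cisco IOS code and not the author's configuration; it only reuses the prefixes, next hops and interface names from the SITE_A configuration above, and the Internet destination 203.0.113.10 is a constructed sample address. The model implements the two rules the text relies on: a tracked static route stays in the routing table only while its track object is up, and among routes to the same prefix only the lowest administrative distance is installed. Traffic is marked as encrypted only when it leaves through the interface that carries the crypto map and matches that map's crypto ACL.

```python
"""Model of the failover logic in this article: tracked static routes,
administrative distance, and a crypto map bound to the Internet interface.
Added illustration; not Cisco IOS code. Addresses are taken from the page's
SITE_A configuration; 203.0.113.10 is a constructed Internet destination."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    distance: int = 1              # IOS default administrative distance for a static route
    track: Optional[int] = None    # track object the route depends on ("... track 1")


@dataclass
class Router:
    name: str
    routes: list
    tracks: dict = field(default_factory=dict)      # track id -> reachability (True = up)
    crypto_acl: dict = field(default_factory=dict)  # interface -> [(src_net, dst_net), ...]

    def sla_result(self, track_id: int, reachable: bool) -> None:
        """Feed the latest IP SLA icmp-echo result into the track object."""
        self.tracks[track_id] = reachable

    def installed_routes(self):
        """The routing table: untracked routes plus tracked routes whose track is up.
        When several candidates share a prefix, only the lowest AD is installed."""
        usable = [r for r in self.routes
                  if r.track is None or self.tracks.get(r.track, False)]
        best = {}
        for r in usable:
            if r.prefix not in best or r.distance < best[r.prefix].distance:
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, dst: str) -> StaticRoute:
        """Longest-prefix match against the installed routes."""
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.installed_routes() if addr in r.prefix]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def forward(self, src: str, dst: str):
        """Return (egress interface, next hop, encrypted?) for a packet.
        A packet is encrypted only if it leaves via an interface that has the
        crypto map applied AND it matches that map's crypto ACL."""
        route = self.lookup(dst)
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        encrypted = any(s in sn and d in dn
                        for sn, dn in self.crypto_acl.get(route.interface, []))
        return route.interface, route.next_hop, encrypted


def build_site_a() -> Router:
    net = ipaddress.IPv4Network
    return Router(
        name="SITE_A",
        routes=[
            # ip route 0.0.0.0 0.0.0.0 22.214.171.124
            StaticRoute(net("0.0.0.0/0"), "22.214.171.124", "Ethernet1/0"),
            # ip route 10.10.20.0 255.255.255.0 192.168.10.2 track 1
            StaticRoute(net("10.10.20.0/24"), "192.168.10.2", "FastEthernet0/0", track=1),
            # ip route 10.10.20.0 255.255.255.0 Ethernet1/0 126.96.36.199 10
            StaticRoute(net("10.10.20.0/24"), "126.96.36.199", "Ethernet1/0", distance=10),
        ],
        tracks={1: True},   # private link is up at start
        # crypto map CRYP_MAP on Ethernet1/0 with crypto ACL LAN_A-LAN_B
        crypto_acl={"Ethernet1/0": [(net("10.10.10.0/24"), net("10.10.20.0/24"))]},
    )


def failover_demo() -> list:
    """Walk through the article's test: link up, link down, link restored."""
    r = build_site_a()
    steps = []
    steps.append(("link up", r.forward("10.10.10.1", "10.10.20.1")))
    r.sla_result(1, False)   # icmp-echo to 192.168.10.2 times out -> track 1 down
    steps.append(("link down", r.forward("10.10.10.1", "10.10.20.1")))
    # plain Internet traffic follows the default route and is never encrypted
    steps.append(("internet", r.forward("10.10.10.1", "203.0.113.10")))
    r.sla_result(1, True)    # probe succeeds again -> track 1 up, primary route reinstalled
    steps.append(("link restored", r.forward("10.10.10.1", "10.10.20.1")))
    return steps


if __name__ == "__main__":
    for label, (iface, nh, enc) in failover_demo():
        print(f"{label:14} -> {iface:16} via {nh:16} {'IPsec' if enc else 'clear'}")
```

Running the script walks through the same sequence as the test later in the article: LAN-to-LAN traffic uses FastEthernet0/0 in the clear while track 1 is up, moves to Ethernet1/0 and matches the crypto ACL (so it is encrypted) once the probe fails, and returns to the private link as soon as the probe succeeds again. Ordinary Internet traffic always takes the default route and never matches the crypto ACL. The model only decides which interface a flow leaves on and whether the crypto map catches it; the ISAKMP hash and transform set shown in the configuration are the page's own lab values and are not modelled.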
Now let’s test. Since the private link is up, traffic between the LANs will flow via this link.
We can also see that there are no ISAKMP SAs.
Now, I will shut down the private link and try to connect again between the LANs.
The first set of ping traffic failed while the VPN tunnel was being set up and then the next set succeeded. Also notice that we now have an ISAKMP SA in the output above. We can also check that the traffic is indeed going through the VPN tunnel by looking at the IPsec SAs:
To complete our test, we will bring the private link back up. Traffic will stop flowing through the VPN tunnel and will start flowing again through the private link. Normal routing takes care of this.
We can confirm that traffic is no longer flowing through the VPN tunnel because the encrypt/decrypt counters have not incremented since the traffic was last flowing through it.
In this article, we have seen how to use a VPN tunnel as a backup link in case the primary link fails. We used basic routing (static routes) and IP SLA tracking to achieve this.
In the next article, we will consider the same scenario but using a different type of VPN tunnel and also dynamic routing. I hope you have found this article helpful.
References and Further Reading
Configuring IP SLAs ICMP Echo Operations: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_icmp_echo.html