23 Jan 2010

IPsec VPN Lab, with stateful failover (SSO, Dual Interface Model)



Lots of stuff going on here.
We have two sites for our company named Central-Office and Branch-33.

The CO is connected to our ISP w/ two edge routers, CE_1 w/ an E3 line and CE_2 w/ a backup E1 line. Our branch33 site is using R4, which will establish the IPSec tunnels, allowing the private networks 10.1.33.0/21 talk to the central office 10.1.8.0/21 networks.

Behing them are the two IPSec Concentrators (R1 and R2, 7200 Cisco routers) which have public IP addresses on their out facing interfaces. Here all 4 routers connected to a switch, but of course in a production network you would have redundant switches there also.

Two first hop redundancy plans are integrated as an HSRP group facing to our internal network and the HSRP group facing to our edge routers, which also provides the IPsec redundandcy.

Crypto maps are setup as SSO stateful failover, R1 acting as the primary IPsec point, with R2 being the standby.

There is an extra flavor as IP SLA and reachability tracking is done where R1 and R2 are checking their next-hop routers to the outside world, CE_1 & CE_2. No routing protocol is run inside our company, for claritys sake. Thus we have two static default routes w/ different AD and the mentioned icmp tracking.

One Note, considering the Stateful Failover: "Each time an active device relinquishes control to become the standby device, the active device will reload. This functionality ensures that the state of the new standby device synchronizes correctly with the new active device." (Ref) So since Dynamips doesnt support reloading, the Router dynamips process will crash and you must shut down and turn on the router again to get it going.

Download Project files for GNS3

Links:
Cisco High Availability Solution: Stateful Failover for IPsec
Fun with IPsec stateful failover @ packetlife

No comments:

Post a Comment