Skip to main content

IPsec High Availability

Today I would like to test one scenario of HA for VPN solution. I have one HQ and one branch. In HQ I have two VPN routers and there are two separate links between them.

blog-IPsec_HA_141109.png 


In this case I configure typical IPsec configuration with two peers on R5:

crypto map MAPA 10 ipsec-isakmp
 set peer 10.1.0.3
 set peer 10.3.0.4

I need to enable one feature - Dead Peer Detection - DPD (on ASA enabled by default) that allows to switch to second peer if first fail:

crypto isakmp keepalive 10 periodic

This protocol controls peer availability by sending messages (R_U_THERE). More info you find here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4/sec-ipsec-data-plane-12-4-book/sec-ipsec-dead-peer.html

The primary tunnel is r5 - r3 and secondary one r5 - r4. In my case both have exactly the same eigrp parameters, so I have to change default delay parameter to prefer r5-r3 path:

Original one:
 
R5#sh ip route 10.2.0.2
Routing entry for 10.2.0.0/24
  Known via "eigrp 10", distance 90, metric 30720, type internal
  Redistributing via eigrp 10
  Last update from 10.3.0.4 on FastEthernet1/0, 00:00:04 ago
  Routing Descriptor Blocks:
    10.3.0.4, from 10.3.0.4, 00:00:04 ago, via FastEthernet1/0
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
  * 10.1.0.3, from 10.1.0.3, 00:00:04 ago, via FastEthernet0/1
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
R5#

R5#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(10)/ID(10.3.0.5)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 5.5.5.0/24, 1 successors, FD is 128256
        via Connected, Loopback0
        via Rconnected (128256/0)
P 10.1.0.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
P 10.0.0.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 10.2.0.0/24, 2 successors, FD is 30720
        via 10.1.0.3 (30720/28160), FastEthernet0/1
        via 10.3.0.4 (30720/28160), FastEthernet1/0
P 10.3.0.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet1/0

R5#

Let’s change the parameter:
 
!
interface FastEthernet1/0
 ip address 10.3.0.5 255.255.255.0
 delay 120
 speed auto
 duplex auto
 crypto map MAPA
!

and check the routing:
 
R5#sh ip route 10.2.0.2
Routing entry for 10.2.0.0/24
  Known via "eigrp 10", distance 90, metric 30720, type internal
  Redistributing via eigrp 10
  Last update from 10.1.0.3 on FastEthernet0/1, 00:04:32 ago
  Routing Descriptor Blocks:
  * 10.1.0.3, from 10.1.0.3, 00:04:32 ago, via FastEthernet0/1
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
R5#

R5#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(10)/ID(10.3.0.5)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 5.5.5.0/24, 1 successors, FD is 128256
        via Connected, Loopback0
        via Rconnected (128256/0)
P 10.1.0.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
P 10.0.0.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 10.2.0.0/24, 1 successors, FD is 30720
        via 10.1.0.3 (30720/28160), FastEthernet0/1
        via 10.3.0.4 (58880/28160), FastEthernet1/0
P 10.3.0.0/24, 1 successors, FD is 56320
        via Connected, FastEthernet1/0
        via 10.1.0.3 (33280/30720), FastEthernet0/1

R5#

As you see next hop 10.1.0.3 (r3) is the only one added into the routing table.
To avoid asymmetric routing I enabled HSRP on inside interfaces of r3 and r4. The router r2 has a static route 10.2.0.100 (VIP).
 
R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.2.0.100 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.2.0.100
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.2.0.0/24 is directly connected, FastEthernet0/0
L        10.2.0.2/32 is directly connected, FastEthernet0/0
R2#

Standby configuration on r3 and r4:
 
R3#sh run int fa0/0
Building configuration...

Current configuration : 233 bytes
!
interface FastEthernet0/0
 ip address 10.2.0.3 255.255.255.0
 standby 1 ip 10.2.0.100
 standby 1 priority 105
 standby 1 preempt
 standby 1 name VPN
 standby 1 track 1 decrement 10
 standby 1 track 2 decrement 10
 duplex full
end

R3#

R3#sh run | i track
track 1 interface FastEthernet0/0 line-protocol
track 2 interface FastEthernet1/0 line-protocol
 standby 1 track 1 decrement 10
 standby 1 track 2 decrement 10
R3#

R4#sh run int fa0/0
Building configuration...

Current configuration : 221 bytes
!
interface FastEthernet0/0
 ip address 10.2.0.4 255.255.255.0
 standby 1 ip 10.2.0.100
 standby 1 preempt
 standby 1 name VPN
 standby 1 track 3 decrement 10
 standby 1 track 4 decrement 10
 speed auto
 duplex auto
end

R4#

R4#sh run | i trac
track 3 interface FastEthernet0/0 line-protocol
track 4 interface FastEthernet1/0 line-protocol
 standby 1 track 3 decrement 10
 standby 1 track 4 decrement 10
R4#

Let’s start testing the VPN resiliency: 
 
R6#ping 10.2.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/88/112 ms

I have to confirm the path is the primary one:
 
R6#traceroute 10.2.0.2
Type escape sequence to abort.
Tracing the route to 10.2.0.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.5 24 msec 48 msec 36 msec
  2 10.1.0.3 72 msec 76 msec 76 msec    <--- r3
  3 10.2.0.2 96 msec 60 msec 88 msec
R6#

Let’s check phase1 and phase2 on r5:
 
R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.0.3        10.1.0.5        QM_IDLE           1021 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.0.3 port 500
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.3/500 Active
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 2, origin: crypto map

Interface: FastEthernet1/0
Session status: DOWN
Peer: 10.3.0.4 port 500
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 0, origin: crypto map

R5#

Now I’m going to send many ping packets and then I shutdown one interface to test the HA:
During the first switchover I lost 6 packets:
 
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!......!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 97 percent (376/384), round-trip min/avg/max = 20/83/196 ms
R6#

 
 
R3(config)#int fa1/0
R3(config-if)#sh
R3(config-if)#
*Nov  9 03:36:46.762: %TRACKING-5-STATE: 2 interface Fa1/0 line-protocol Up->Down
*Nov  9 03:36:46.814: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.0.5 (FastEthernet1/0) is down: interface down
R3(config-if)#
*Nov  9 03:36:48.758: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Nov  9 03:36:49.246: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
R3(config-if)#
*Nov  9 03:36:49.758: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
R3(config-if)#
 
 
R5#
*Nov  9 03:36:56.538: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.0.3 (FastEthernet0/1) is down: holding time expired
R5#
R5#
R5#sh crypto session d
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: 10.1.0.3 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.3/500 Inactive
          Capabilities:D connid:1027 lifetime:0
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 148 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 162 drop 0 life (KB/Sec) 0/0

Interface: FastEthernet1/0
Uptime: 00:03:26
Session status: UP-ACTIVE
Peer: 10.3.0.4 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.3.0.4
      Desc: (none)
  IKEv1 SA: local 10.3.0.5/500 remote 10.3.0.4/500 Active
          Capabilities:D connid:1026 lifetime:23:56:32
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 219 drop 0 life (KB/Sec) 4236316/3393
        Outbound: #pkts enc'ed 221 drop 0 life (KB/Sec) 4236316/3393

R5#

As we see the backup tunnel was brought up and after 6 lost packet the traffic was continued. In my next post I will test scenarios with ipsec profile and stateful option for both, crypto map and gre tunnels.

Below you can find config of VPN peers:
 
R5#sh run | s crypto
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
crypto map MAPA 10 ipsec-isakmp
 set peer 10.1.0.3
 set peer 10.3.0.4
 set transform-set TS
 match address 101
 crypto map MAPA
 crypto map MAPA
R5#

 
R3#sh run | s crypto
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
crypto map MAPA 10 ipsec-isakmp
 set peer 10.1.0.5
 set transform-set TS
 match address 101
 crypto map MAPA
R3#

 
R4#sh run | s crypt
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
crypto map MAPA 10 ipsec-isakmp
 set peer 10.3.0.5
 set transform-set TS
 match address 101
 crypto map MAPA
R4#

Labels:

Comments

Post a Comment

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an
8 comments
Read more

MAC Authentication Bypass

One of the method to control your network is using MAB feature. It is helpful in case you have devices without dot1x functionality. Today I will try to implement basic configuration and analyze log messages. There is only one switch SW1 and one device attached to port Fa1/0/2.   ! aaa new - model aaa authentication dot1x default group radius ! ! int Fas1 / 0 / 2 authentication host - mode single - host authentication port - control auto mab ! I haven’t configured ACS yet but let’s see what error message I receive:   SW1 ( config - if ) # mab - ev ( Fa1 / 0 / 2 ): Received MAB context create from AuthMgr mab - ev ( Fa1 / 0 / 2 ): Created MAB client context 0x1100000F mab : initial state mab_initialize has enter mab - ev ( Fa1 / 0 / 2 ): Sending create new context event to EAP from MAB for 0x1100000F ( 0000.0000 . 0000 ) mab - sm ( Fa1 / 0 / 2 ): Received event 'MAB_START' on handle 0x1100000F mab : during state mab_initia
Post a Comment
Read more

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze the packet flo
1 comment
Read more