Sunday, November 9, 2014

IPsec High Availability

Today I would like to test one scenario of HA for VPN solution. I have one HQ and one branch. In HQ I have two VPN routers and there are two separate links between them.

blog-IPsec_HA_141109.png 


In this case I configure typical IPsec configuration with two peers on R5:

crypto map MAPA 10 ipsec-isakmp
 set peer 10.1.0.3
 set peer 10.3.0.4

I need to enable one feature - Dead Peer Detection - DPD (on ASA enabled by default) that allows to switch to second peer if first fail:

crypto isakmp keepalive 10 periodic

This protocol controls peer availability by sending messages (R_U_THERE). More info you find here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4/sec-ipsec-data-plane-12-4-book/sec-ipsec-dead-peer.html

The primary tunnel is r5 - r3 and secondary one r5 - r4. In my case both have exactly the same eigrp parameters, so I have to change default delay parameter to prefer r5-r3 path:

Original one:
 
R5#sh ip route 10.2.0.2
Routing entry for 10.2.0.0/24
  Known via "eigrp 10", distance 90, metric 30720, type internal
  Redistributing via eigrp 10
  Last update from 10.3.0.4 on FastEthernet1/0, 00:00:04 ago
  Routing Descriptor Blocks:
    10.3.0.4, from 10.3.0.4, 00:00:04 ago, via FastEthernet1/0
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
  * 10.1.0.3, from 10.1.0.3, 00:00:04 ago, via FastEthernet0/1
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
R5#

R5#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(10)/ID(10.3.0.5)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 5.5.5.0/24, 1 successors, FD is 128256
        via Connected, Loopback0
        via Rconnected (128256/0)
P 10.1.0.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
P 10.0.0.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 10.2.0.0/24, 2 successors, FD is 30720
        via 10.1.0.3 (30720/28160), FastEthernet0/1
        via 10.3.0.4 (30720/28160), FastEthernet1/0
P 10.3.0.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet1/0

R5#

Let’s change the parameter:
 
!
interface FastEthernet1/0
 ip address 10.3.0.5 255.255.255.0
 delay 120
 speed auto
 duplex auto
 crypto map MAPA
!

and check the routing:
 
R5#sh ip route 10.2.0.2
Routing entry for 10.2.0.0/24
  Known via "eigrp 10", distance 90, metric 30720, type internal
  Redistributing via eigrp 10
  Last update from 10.1.0.3 on FastEthernet0/1, 00:04:32 ago
  Routing Descriptor Blocks:
  * 10.1.0.3, from 10.1.0.3, 00:04:32 ago, via FastEthernet0/1
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
R5#

R5#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(10)/ID(10.3.0.5)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 5.5.5.0/24, 1 successors, FD is 128256
        via Connected, Loopback0
        via Rconnected (128256/0)
P 10.1.0.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
P 10.0.0.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 10.2.0.0/24, 1 successors, FD is 30720
        via 10.1.0.3 (30720/28160), FastEthernet0/1
        via 10.3.0.4 (58880/28160), FastEthernet1/0
P 10.3.0.0/24, 1 successors, FD is 56320
        via Connected, FastEthernet1/0
        via 10.1.0.3 (33280/30720), FastEthernet0/1

R5#

As you see next hop 10.1.0.3 (r3) is the only one added into the routing table.
To avoid asymmetric routing I enabled HSRP on inside interfaces of r3 and r4. The router r2 has a static route 10.2.0.100 (VIP).
 
R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.2.0.100 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.2.0.100
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.2.0.0/24 is directly connected, FastEthernet0/0
L        10.2.0.2/32 is directly connected, FastEthernet0/0
R2#

Standby configuration on r3 and r4:
 
R3#sh run int fa0/0
Building configuration...

Current configuration : 233 bytes
!
interface FastEthernet0/0
 ip address 10.2.0.3 255.255.255.0
 standby 1 ip 10.2.0.100
 standby 1 priority 105
 standby 1 preempt
 standby 1 name VPN
 standby 1 track 1 decrement 10
 standby 1 track 2 decrement 10
 duplex full
end

R3#

R3#sh run | i track
track 1 interface FastEthernet0/0 line-protocol
track 2 interface FastEthernet1/0 line-protocol
 standby 1 track 1 decrement 10
 standby 1 track 2 decrement 10
R3#

R4#sh run int fa0/0
Building configuration...

Current configuration : 221 bytes
!
interface FastEthernet0/0
 ip address 10.2.0.4 255.255.255.0
 standby 1 ip 10.2.0.100
 standby 1 preempt
 standby 1 name VPN
 standby 1 track 3 decrement 10
 standby 1 track 4 decrement 10
 speed auto
 duplex auto
end

R4#

R4#sh run | i trac
track 3 interface FastEthernet0/0 line-protocol
track 4 interface FastEthernet1/0 line-protocol
 standby 1 track 3 decrement 10
 standby 1 track 4 decrement 10
R4#

Let’s start testing the VPN resiliency:
 
R6#ping 10.2.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/88/112 ms

I have to confirm the path is the primary one:
 
R6#traceroute 10.2.0.2
Type escape sequence to abort.
Tracing the route to 10.2.0.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.5 24 msec 48 msec 36 msec
  2 10.1.0.3 72 msec 76 msec 76 msec    <--- r3
  3 10.2.0.2 96 msec 60 msec 88 msec
R6#

Let’s check phase1 and phase2 on r5:
 
R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.0.3        10.1.0.5        QM_IDLE           1021 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.0.3 port 500
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.3/500 Active
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 2, origin: crypto map

Interface: FastEthernet1/0
Session status: DOWN
Peer: 10.3.0.4 port 500
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 0, origin: crypto map

R5#

Now I’m going to send many ping packets and then I shutdown one interface to test the HA:
During the first switchover I lost 6 packets:
 
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!......!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 97 percent (376/384), round-trip min/avg/max = 20/83/196 ms
R6#

 
 
R3(config)#int fa1/0
R3(config-if)#sh
R3(config-if)#
*Nov  9 03:36:46.762: %TRACKING-5-STATE: 2 interface Fa1/0 line-protocol Up->Down
*Nov  9 03:36:46.814: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.0.5 (FastEthernet1/0) is down: interface down
R3(config-if)#
*Nov  9 03:36:48.758: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Nov  9 03:36:49.246: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
R3(config-if)#
*Nov  9 03:36:49.758: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
R3(config-if)#
 
 
R5#
*Nov  9 03:36:56.538: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.0.3 (FastEthernet0/1) is down: holding time expired
R5#
R5#
R5#sh crypto session d
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: 10.1.0.3 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.3/500 Inactive
          Capabilities:D connid:1027 lifetime:0
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 148 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 162 drop 0 life (KB/Sec) 0/0

Interface: FastEthernet1/0
Uptime: 00:03:26
Session status: UP-ACTIVE
Peer: 10.3.0.4 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.3.0.4
      Desc: (none)
  IKEv1 SA: local 10.3.0.5/500 remote 10.3.0.4/500 Active
          Capabilities:D connid:1026 lifetime:23:56:32
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 219 drop 0 life (KB/Sec) 4236316/3393
        Outbound: #pkts enc'ed 221 drop 0 life (KB/Sec) 4236316/3393

R5#

As we see the backup tunnel was brought up and after 6 lost packet the traffic was continued. In my next post I will test scenarios with ipsec profile and stateful option for both, crypto map and gre tunnels.

Below you can find config of VPN peers:
 
R5#sh run | s crypto
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
crypto map MAPA 10 ipsec-isakmp
 set peer 10.1.0.3
 set peer 10.3.0.4
 set transform-set TS
 match address 101
 crypto map MAPA
 crypto map MAPA
R5#

 
R3#sh run | s crypto
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
crypto map MAPA 10 ipsec-isakmp
 set peer 10.1.0.5
 set transform-set TS
 match address 101
 crypto map MAPA
R3#

 
R4#sh run | s crypt
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
crypto map MAPA 10 ipsec-isakmp
 set peer 10.3.0.5
 set transform-set TS
 match address 101
 crypto map MAPA
R4#

No comments:

Post a Comment