Friday, November 21, 2014

VPN - GRE over IPsec SSO

As I promised in my last post I will add the stateful switchover to the following scenario:

blog-gre-over-ipsec3.jpg
The first step is to remove tunnel1 from r5 and r4 and then add tunnel0 on r4. Next implementation of HSRP and changing ‘tunnel source’ on r3 and r4:

R4:
 
!
ipc zone default
association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.1.0.4
   remote-port 5000
    remote-ip 10.1.0.3
!
redundancy inter-device
scheme standby VPN
!
!
interface FastEthernet0/1
ip address 10.1.0.4 255.255.255.0
standby 0 ip 10.1.0.100
standby 0 preempt
standby 0 name VPN
standby 0 track 1 decrement 10
standby 0 track 2 decrement 10
standby 0 track 3 decrement 10
!
!
interface Tunnel0
ip address 7.7.7.4 255.255.255.0
tunnel source 10.1.0.100
tunnel destination 10.1.0.5
tunnel protection ipsec profile IPSEC-PRF
!

R3:
 
!
ipc zone default
association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.1.0.3
   remote-port 5000
    remote-ip 10.1.0.4
!
redundancy inter-device
scheme standby VPN
!
!
interface FastEthernet1/0
ip address 10.1.0.3 255.255.255.0
standby 0 ip 10.1.0.100
standby 0 preempt
standby 0 name VPN
standby 0 track 1 decrement 10
standby 0 track 2 decrement 10
standby 0 track 3 decrement 10
!
!
interface Tunnel0
ip address 7.7.7.3 255.255.255.0
tunnel source 10.1.0.100
tunnel destination 10.1.0.5
tunnel protection ipsec profile IPSEC-PRF
!

Let’s check the redundancy status:
 
r3#sh redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_HSRP_STDBY_PNC
  Scheme: Standby
      Groupname: VPN Group State: Standby
  Peer present: UNKNOWN
  Security: Not configured
r3#
 
r4#sh redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_ACT
  Scheme: Standby
      Groupname: VPN Group State: Active
  Peer present: RF_INTERDEV_PEER_NO_COMM
  Security: Not configured
r4#

and the last step to make the VPN aware of the stateful feature (on both peers r3 and r4):
 
!
crypto ipsec profile IPSEC-PRF
set transform-set TS
redundancy VPN stateful
!

Now on r5 we need to change tunnel destination to VIP IP 10.1.0.100:
 
r5#sh run int tun0
Building configuration...

Current configuration : 164 bytes
!
interface Tunnel0
ip address 7.7.7.5 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 10.1.0.100
tunnel protection ipsec profile IPSEC-PRF
end

Let’s test the switchover.

When I sent the traffic from r6 to r12 I see the log message on the standby peer:
 
r3#
*Nov 21 02:57:32.823: IKE HA: (10.1.0.100) Adding STANDBY IKE SA

*Nov 21 02:57:32.831: IKE HA: Create peer struct for local 104.26.189.68 remote 104.26.189.40 & locked
*Nov 21 02:57:32.839: IKE HA: IKE SA inserted on standby with src = 10.1.0.100, dst   = 10.1.0.5

r3#

Let’s check if we see any SA:
 
r3#sh crypto isakmp sa d
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Ca                           p.

1011  10.1.0.100      10.1.0.5               STDBY  3des sha    psk  5  23:59:37                              
       Engine-id:Conn-id =  SW:11

IPv6 Crypto ISAKMP SA

r3#

Ok, we see ‘STDBY’ status what means it is waiting and ready for the switchover.

No comments:

Post a Comment