IPsec High Availability
Today I would like to test one high-availability scenario for a VPN solution. I have one HQ and one branch. At HQ there are two VPN routers, and two separate links connect the branch to them.
In this case I configure a typical IPsec crypto map with two peers on R5:
crypto map MAPA 10 ipsec-isakmp
set peer 10.1.0.3
set peer 10.3.0.4
I need to enable one feature, Dead Peer Detection (DPD), which is enabled by default on the ASA; it allows the router to switch to the second peer if the first one fails:
crypto isakmp keepalive 10 periodic
This protocol checks peer availability by sending R_U_THERE messages. More information can be found here:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4/sec-ipsec-data-plane-12-4-book/sec-ipsec-dead-peer.html
The primary tunnel is r5-r3 and the secondary one is r5-r4. In my case both paths have exactly the same EIGRP parameters, so I have to change the default delay parameter to prefer the r5-r3 path.
The original state:
R5#sh ip route 10.2.0.2
Routing entry for 10.2.0.0/24
Known via "eigrp 10", distance 90, metric 30720, type internal
Redistributing via eigrp 10
Last update from 10.3.0.4 on FastEthernet1/0, 00:00:04 ago
Routing Descriptor Blocks:
10.3.0.4, from 10.3.0.4, 00:00:04 ago, via FastEthernet1/0
Route metric is 30720, traffic share count is 1
Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
* 10.1.0.3, from 10.1.0.3, 00:00:04 ago, via FastEthernet0/1
Route metric is 30720, traffic share count is 1
Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
R5#
R5#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(10)/ID(10.3.0.5)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 5.5.5.0/24, 1 successors, FD is 128256
via Connected, Loopback0
via Rconnected (128256/0)
P 10.1.0.0/24, 1 successors, FD is 28160
via Connected, FastEthernet0/1
P 10.0.0.0/24, 1 successors, FD is 28160
via Connected, FastEthernet0/0
P 10.2.0.0/24, 2 successors, FD is 30720
via 10.1.0.3 (30720/28160), FastEthernet0/1
via 10.3.0.4 (30720/28160), FastEthernet1/0
P 10.3.0.0/24, 1 successors, FD is 28160
via Connected, FastEthernet1/0
R5#
Let’s change the parameter:
!
interface FastEthernet1/0
ip address 10.3.0.5 255.255.255.0
delay 120
speed auto
duplex auto
crypto map MAPA
!
and check the routing:
R5#sh ip route 10.2.0.2
Routing entry for 10.2.0.0/24
Known via "eigrp 10", distance 90, metric 30720, type internal
Redistributing via eigrp 10
Last update from 10.1.0.3 on FastEthernet0/1, 00:04:32 ago
Routing Descriptor Blocks:
* 10.1.0.3, from 10.1.0.3, 00:04:32 ago, via FastEthernet0/1
Route metric is 30720, traffic share count is 1
Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
R5#
R5#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(10)/ID(10.3.0.5)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 5.5.5.0/24, 1 successors, FD is 128256
via Connected, Loopback0
via Rconnected (128256/0)
P 10.1.0.0/24, 1 successors, FD is 28160
via Connected, FastEthernet0/1
P 10.0.0.0/24, 1 successors, FD is 28160
via Connected, FastEthernet0/0
P 10.2.0.0/24, 1 successors, FD is 30720
via 10.1.0.3 (30720/28160), FastEthernet0/1
via 10.3.0.4 (58880/28160), FastEthernet1/0
P 10.3.0.0/24, 1 successors, FD is 56320
via Connected, FastEthernet1/0
via 10.1.0.3 (33280/30720), FastEthernet0/1
R5#
As you can see, the next hop 10.1.0.3 (r3) is now the only one installed in the routing table; the path via 10.3.0.4 stays in the EIGRP topology table (58880/28160) as a backup.
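To see why a single delay change is enough, here is an added example (my own Python, not from the original post) that works through the classic EIGRP composite metric with the numbers from the outputs above. It assumes the default K values and the FastEthernet defaults of 100000 Kbit and 100 microseconds on every hop the post does not change.

```python
# Added example, not from the original post: the classic EIGRP composite
# metric with default K values (K1=K3=1, K2=K4=K5=0) worked through with
# the numbers from the show outputs above, to see why "delay 120" on R5's
# Fa1/0 turns the R5-R4 path from an equal-cost successor into a feasible
# successor only. Assumed: every hop is FastEthernet with IOS defaults
# (bandwidth 100000 Kbit, delay 100 us) unless the post changes it.

FE_BW = 100_000   # Kbit/s
FE_DELAY = 100    # microseconds ("delay 120" in IOS means 120 * 10 us)


def eigrp_metric(min_bw_kbit, total_delay_us):
    """256 * (10^7 / min_bw + sum(delay) / 10), integer math as IOS does."""
    return 256 * (10_000_000 // min_bw_kbit + total_delay_us // 10)


def path_metric(hops):
    """hops: list of (bandwidth_kbit, delay_us), one entry per outgoing link."""
    return eigrp_metric(min(bw for bw, _ in hops), sum(d for _, d in hops))


def classify(paths):
    """paths: {neighbor: (metric via neighbor, neighbor's reported distance)}.
    Returns (FD, successors, feasible successors) the way DUAL selects them:
    successor -> metric == FD; feasible successor -> RD < FD (loop-free)."""
    fd = min(m for m, _ in paths.values())
    succ = sorted(n for n, (m, _) in paths.items() if m == fd)
    fs = sorted(n for n, (m, rd) in paths.items() if m != fd and rd < fd)
    return fd, succ, fs


# Reported distance from R3 or R4 for 10.2.0.0/24: their one connected hop
RD = path_metric([(FE_BW, FE_DELAY)])                       # 28160
R3_PATH = [(FE_BW, FE_DELAY), (FE_BW, FE_DELAY)]            # R5 Fa0/1 -> R3 Fa0/0


def topology_before():
    r4_path = [(FE_BW, FE_DELAY), (FE_BW, FE_DELAY)]        # R5 Fa1/0 -> R4 Fa0/0
    return classify({"10.1.0.3": (path_metric(R3_PATH), RD),
                     "10.3.0.4": (path_metric(r4_path), RD)})


def topology_after():
    r4_path = [(FE_BW, 120 * 10), (FE_BW, FE_DELAY)]        # after "delay 120"
    return classify({"10.1.0.3": (path_metric(R3_PATH), RD),
                     "10.3.0.4": (path_metric(r4_path), RD)})


if __name__ == "__main__":
    print("before:", topology_before())  # (30720, ['10.1.0.3', '10.3.0.4'], [])
    print("after: ", topology_after())   # (30720, ['10.1.0.3'], ['10.3.0.4'])
```

The same function reproduces the connected 10.3.0.0/24 entry (FD 56320) once the delay on Fa1/0 is 1200 microseconds.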
To avoid asymmetric routing I enabled HSRP on the inside interfaces of r3 and r4. Router r2 has a static default route pointing to 10.2.0.100 (the HSRP VIP).
R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.2.0.100 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.2.0.100
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.2.0.0/24 is directly connected, FastEthernet0/0
L 10.2.0.2/32 is directly connected, FastEthernet0/0
R2#
Standby configuration on r3 and r4:
R3#sh run int fa0/0
Building configuration...
Current configuration : 233 bytes
!
interface FastEthernet0/0
ip address 10.2.0.3 255.255.255.0
standby 1 ip 10.2.0.100
standby 1 priority 105
standby 1 preempt
standby 1 name VPN
standby 1 track 1 decrement 10
standby 1 track 2 decrement 10
duplex full
end
R3#
R3#sh run | i track
track 1 interface FastEthernet0/0 line-protocol
track 2 interface FastEthernet1/0 line-protocol
standby 1 track 1 decrement 10
standby 1 track 2 decrement 10
R3#
R4#sh run int fa0/0
Building configuration...
Current configuration : 221 bytes
!
interface FastEthernet0/0
ip address 10.2.0.4 255.255.255.0
standby 1 ip 10.2.0.100
standby 1 preempt
standby 1 name VPN
standby 1 track 3 decrement 10
standby 1 track 4 decrement 10
speed auto
duplex auto
end
R4#
R4#sh run | i trac
track 3 interface FastEthernet0/0 line-protocol
track 4 interface FastEthernet1/0 line-protocol
standby 1 track 3 decrement 10
standby 1 track 4 decrement 10
R4#
Let’s start testing the VPN resiliency:
R6#ping 10.2.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/88/112 ms
I confirm that the path is the primary one:
R6#traceroute 10.2.0.2
Type escape sequence to abort.
Tracing the route to 10.2.0.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.5 24 msec 48 msec 36 msec
2 10.1.0.3 72 msec 76 msec 76 msec
3 10.2.0.2 96 msec 60 msec 88 msec
R6#
Let’s check phase 1 and phase 2 on r5:
R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.0.3 10.1.0.5 QM_IDLE 1021 ACTIVE
IPv6 Crypto ISAKMP SA
R5#sh crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.0.3 port 500
IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.3/500 Active
IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
Active SAs: 2, origin: crypto map
Interface: FastEthernet1/0
Session status: DOWN
Peer: 10.3.0.4 port 500
IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
Active SAs: 0, origin: crypto map
R5#
Now I’m going to send many ping packets and then shut down one interface to test the HA. During the first switchover I lost 6 packets:
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!......!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 97 percent (376/384), round-trip min/avg/max = 20/83/196 ms
R6#
R3(config)#int fa1/0
R3(config-if)#sh
R3(config-if)#
*Nov 9 03:36:46.762: %TRACKING-5-STATE: 2 interface Fa1/0 line-protocol Up->Down
*Nov 9 03:36:46.814: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.0.5 (FastEthernet1/0) is down: interface down
R3(config-if)#
*Nov 9 03:36:48.758: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Nov 9 03:36:49.246: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
R3(config-if)#
*Nov 9 03:36:49.758: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
R3(config-if)#
R5#
*Nov 9 03:36:56.538: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.0.3 (FastEthernet0/1) is down: holding time expired
R5#
R5#
R5#sh crypto session d
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: 10.1.0.3 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.3/500 Inactive
Capabilities:D connid:1027 lifetime:0
IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 148 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 162 drop 0 life (KB/Sec) 0/0
Interface: FastEthernet1/0
Uptime: 00:03:26
Session status: UP-ACTIVE
Peer: 10.3.0.4 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.3.0.4
Desc: (none)
IKEv1 SA: local 10.3.0.5/500 remote 10.3.0.4/500 Active
Capabilities:D connid:1026 lifetime:23:56:32
IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 219 drop 0 life (KB/Sec) 4236316/3393
Outbound: #pkts enc'ed 221 drop 0 life (KB/Sec) 4236316/3393
R5#
As we can see, the backup tunnel was brought up and after 6 lost packets the traffic continued. In my next post I will test scenarios with an IPsec profile and the stateful option for both crypto maps and GRE tunnels.
Below you can find the configuration of the VPN peers:
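The session output above is what an operator would poll to confirm which peer is actually carrying traffic after a switchover. As an added example (my own Python, not from the original post), here is a small parser for that output; SAMPLE is constructed from the post's own output, trimmed to the lines the parser uses.

```python
# Added example, not from the original post: parse IOS "show crypto session
# detail" and report, per peer, whether the IKE SA is active, whether DPD
# (capability "D") was negotiated and how many IPsec SAs exist, so the
# failover can be verified by a script. SAMPLE is constructed from the
# post's output, abbreviated to the fields used here.
import re

SAMPLE = """\
Interface: FastEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: 10.1.0.3 port 500 fvrf: (none) ivrf: (none)
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.3/500 Inactive
          Capabilities:D connid:1027 lifetime:0
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 0, origin: crypto map

Interface: FastEthernet1/0
Uptime: 00:03:26
Session status: UP-ACTIVE
Peer: 10.3.0.4 port 500 fvrf: (none) ivrf: (none)
  IKEv1 SA: local 10.3.0.5/500 remote 10.3.0.4/500 Active
          Capabilities:D connid:1026 lifetime:23:56:32
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 2, origin: crypto map
"""


def parse_crypto_sessions(text):
    """Return one dict per 'Interface:' block of the show output."""
    sessions = []
    for chunk in re.split(r"^Interface: ", text, flags=re.M)[1:]:
        lines = chunk.splitlines()
        s = {"interface": lines[0].strip(), "status": None, "peer": None,
             "ike_active": False, "dpd": False, "active_sas": 0}
        for line in lines[1:]:
            if m := re.match(r"Session status: (\S+)", line):
                s["status"] = m.group(1)
            elif m := re.match(r"Peer: (\S+)", line):
                s["peer"] = m.group(1)
            elif m := re.search(r"IKEv1 SA: .* (Active|Inactive)$", line):
                s["ike_active"] = m.group(1) == "Active"
            elif m := re.search(r"Capabilities:(\S+)", line):
                s["dpd"] = "D" in m.group(1)
            elif m := re.search(r"Active SAs: (\d+)", line):
                s["active_sas"] += int(m.group(1))   # sum over all flows
        sessions.append(s)
    return sessions


def active_peers(sessions):
    """Peers carrying traffic now: IKE SA active and at least one IPsec SA."""
    return [s["peer"] for s in sessions if s["ike_active"] and s["active_sas"]]
```

Run against the sample it reports only 10.3.0.4 as active, matching the post's conclusion that the backup tunnel took over.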
R5#sh run | s crypto
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map MAPA 10 ipsec-isakmp
set peer 10.1.0.3
set peer 10.3.0.4
set transform-set TS
match address 101
crypto map MAPA
crypto map MAPA
R5#
R3#sh run | s crypto
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map MAPA 10 ipsec-isakmp
set peer 10.1.0.5
set transform-set TS
match address 101
crypto map MAPA
R3#
R4#sh run | s crypt
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map MAPA 10 ipsec-isakmp
set peer 10.3.0.5
set transform-set TS
match address 101
crypto map MAPA
R4#