IPsec failover with BGP

Discussion in 'Cisco' started by Jim, Mar 4, 2004.

  1. Jim
    Hi,

    I'm hoping someone can help me out, I really don't know how to
    approach this problem.

    I'm running an IPsec VPN across the Internet using just one serial
    port at each location.

    The problem is that I have two T-1 connections to the Internet at
    each of my locations. One T-1 is a primary (S0), and the other is a
    backup or "shadow" (S1). The choice of path is made by my ISP
    (Worldcom) and their BGP.

    With two serial ports times two routers, each serial having a
    different IP address, how does one set up IPSec to always be active?
    Router A could be running S0 or S1, Router B could be running S0 or
    S1. So peers need to be available for A0-B0, A1-B0, A0-B1, and A1-B1.
    I've only gotten as far as a working A0-B0!

    I guess policy routing? I'm a bit lost even with that, I'm just a guy
    that enjoys being in over my head sometimes...

    Links, suggestions, anything helpful is GREATLY appreciated.

    Thanks,
    Jim
     
    Jim, Mar 4, 2004
    #1

  2. Vincent C Jones

    You're making it more difficult than it needs to be. Why not let BGP
    do its thing and set up a single IPSec between loopback addresses or
    an inside interface on each router. That way, if a link goes down,
    BGP will automatically route around the problem and the IPSec does
    not have to deal with it?

    Alternatively, if you feel you must terminate the IPSec on the external
    IP address, consider just setting up A0-B0 and A1-B1. The other two
    combinations are inordinately difficult and provide no benefit in
    the most common scenario of a single failure. (They only help if you
    have a double failure which affects exactly A0 & B1 or A1 & B0 and
    nothing else.) Don't forget that with this approach you also need
    another layer of routing protocol to detect tunnel failure.

    Good luck and have fun!
    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ  Phone: 201 568-7810
    http://www.networkingunlimited.com
    Expert advice and a helping hand for those who want to manage and
    control their networking destiny
     
    Vincent C Jones, Mar 4, 2004
    #2
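Vincent's first suggestion, terminating the tunnel on loopbacks and letting BGP pick the circuit, written out as an IOS configuration for Router A. This is an added example for this page, not configuration from either poster. All addresses come from the RFC 5737 documentation ranges, the AS numbers, interface names, map name and pre-shared key are placeholders, and the crypto parameters are modern choices (AES, SHA, DH group 14) rather than the 3DES/group 2 settings typical of 2004. The two details a loopback-peered setup cannot do without are `crypto map VPN local-address Loopback0`, which makes IKE and ESP leave with the loopback as source whichever serial they exit, and the crypto map applied to both serials, since IOS only encrypts on an interface that carries the map. Router B is the mirror image with the addresses swapped.

```cisco
! Router A (added example; addresses, AS numbers, names and the key are placeholders)
!
! Loopback0 is the IPsec endpoint. It is a /32 inside the site's own
! provider-assigned block (192.0.2.0/24 here), and that block is advertised
! over BOTH T-1s, so the remote peer reaches the loopback whichever circuit
! the ISP's BGP is currently using.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Both serials carry the same crypto map: outbound packets may leave via
! either one depending on what BGP has decided, and IOS encrypts only on an
! interface that has the map applied.
interface Serial0
 description Primary T-1
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
!
interface Serial1
 description Shadow T-1
 ip address 203.0.113.6 255.255.255.252
 crypto map VPN
!
! IKE phase 1. The pre-shared key is bound to the PEER's loopback,
! not to either of its serial addresses.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
! Dead peer detection: a peer that stops answering gets its SAs torn down
! instead of black-holing traffic until the lifetime expires.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! local-address sources IKE and ESP from Loopback0 regardless of the exit
! interface. Without it the peer sees a different source address after
! every path change and the SA has to be renegotiated.
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
! Interesting traffic: site A's inside network to site B's inside network.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Announce the site aggregate (which contains the loopback) on both ISP
! sessions; a bare /32 would usually be filtered by the provider. The ISP
! chooses the inbound path, the tunnel endpoints never change.
ip route 192.0.2.0 255.255.255.0 Null0
router bgp 64500
 network 192.0.2.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 701
 neighbor 203.0.113.5 remote-as 701
 neighbor 203.0.113.5 route-map SHADOW-OUT out
!
! Prepend on the shadow session so the provider prefers the primary T-1
! inbound while it is up.
route-map SHADOW-OUT permit 10
 set as-path prepend 64500 64500
!
! If the ISP runs BGP on the customer's behalf and the router has no BGP
! sessions of its own, replace the router bgp block with a primary and a
! floating static default (the second is installed only when Serial0 is down):
!   ip route 0.0.0.0 0.0.0.0 203.0.113.1
!   ip route 0.0.0.0 0.0.0.0 203.0.113.5 250
!
! Router B mirrors this: Loopback0 198.51.100.1/32, set peer 192.0.2.1,
! the same PSK, and VPN-TRAFFIC with the two 10.x networks swapped.
```

To check it, bring the tunnel up and confirm that `show crypto isakmp sa` lists the two loopbacks as src/dst and `show crypto ipsec sa` reports `local crypto endpt.: 192.0.2.1`; then shut Serial0 and watch the encrypt/decrypt counters keep climbing with the same SPIs, which is the behaviour Vincent describes: BGP moves the path, IPsec never notices. Two caveats a practitioner would want: the loopback is now an Internet-reachable address, so the inbound ACLs on both serials should admit UDP/500 and ESP to it from the peer's loopback only; and whichever circuit is in use, every tunnel packet still exits through an interface carrying the crypto map, so never leave the map off the shadow serial "because it is only a backup".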

  3. Jim
    Thanks Vincent,

    I tried setting the crypto map and set the peers for the ethernet
    interface in the beginning. When that didn't work I moved them to a
    loopback interface. Still no crypto. It wasn't until I moved them to
    the external interface that crypto came up.
    Not having a deep intimate understanding of packet flow in a cisco
    router, and being unable to find any config that utilized crypto on
    the internal interface, I assumed it couldn't be done. That's how I
    ended up with the dual serial interface problem. Of course, I've been
    unable to find a config running IPsec on dual serial interfaces as
    well.
    I'm not supposed to use the shadow circuit at either of my locations
    unless the primary is down, so the move to A1-B1 in the case of a
    single failure is technically improper. Not that Worldcom would care,
    and I'm sure I could get away with it, but it makes me wonder what the
    "perfect" solution would be.
    Guess I wonder too much, but I am having fun!

    Jim

    Jim, Mar 4, 2004
    #3