Stateless IPsec VPN High-Availability Alternatives


Stateless IPsec VPN HA refers to a design in which the state of a given Phase 1 or Phase 2 SA is not replicated to a separate, redundant IPsec device. In this section, we discuss solutions for providing a highly available VPN design using stateless mechanisms, specifically HSRP/VRRP (Hot Standby Router Protocol/Virtual Router Redundancy Protocol) for termination of the IPsec VPN tunnel and Reverse-Route Injection (RRI) for keeping routing information consistent between the two private routing domains that use the IPsec VPN tunnel for confidential communications between them.

Solution Overview for Stateless IPsec High Availability

The stateless local IPsec HA design in this chapter uses the simple network topology depicted in Figure 6-3 to illustrate the required underlying concepts.

Figure 6-3. Stateless Local IPsec High Availability Topology


In any stateless IPsec HA design, there are two key objectives that must be achieved.

Objective 1: Highly Available Termination The termination point of the IPsec VPN tunnel must be highly available to the peering IPsec VPN gateway. The peering alternative chosen must keep IPsec VPN reconvergence from stalling on routing protocol (RP) reconvergence, and it must eliminate any single physical device (an interface or the gateway itself) as a single point of failure in the design. The primary solution is to terminate the IPsec tunnel on a virtual interface. HSRP or VRRP can be deployed to provide a virtual interface common to two or more physical devices. Using an HSRP or VRRP virtual interface as the endpoint of an IPsec VPN tunnel preserves routing protocol information in the protected routed domain, eliminating latency attributable to reconvergence of the routing protocol on the protected side of the VPN. This solution provides a design alternative when a single physical point of failure in the VPN network topology is unacceptable.

Note

While terminating an IPsec VPN tunnel on a virtual interface keeps RP reconvergence from stalling IPsec VPN reconvergence, the HSRP or VRRP failover timers can themselves stall IPsec VPN failover in such a scenario. We discuss the latency associated with these timers, and how to minimize it, later in this chapter.


Objective 2: Layer-3 Continuity across the IPsec VPN Tunnel As we have discussed in previous chapters, most RP updates are multicast-based. For this reason, they cannot be carried through an IPsec VPN without first encapsulating them in GRE so that the resulting unicast packets can be placed in the crypto switching path. Without GRE, the alternative is Reverse-Route Injection. When an IPsec VPN gateway is configured for RRI, it injects routing information backward into the protected routed domain upon successfully negotiating an IPsec SA. In this scenario, C7206VXR-MAIN (or, after a failover, C7206VXR-STANDBY) injects a static route for 2651XM-VPNA's protected IP address space backward into the enterprise network routing domain, as illustrated in Figure 6-3.

Hot Standby Router Protocol

Hot Standby Router Protocol (HSRP) provides a virtual interface that can be shared between two redundant routers. There are two main components of the HSRP protocol:

  • The creation of a virtual interface inclusive of a virtual MAC address residing on the same broadcast domain as the two physical redundant interfaces (at least one physical interface on each router in the HSRP group).

  • The communication of interface state and priority between each router with a physical interface in the HSRP group. This exchange is facilitated with the use of HSRP Hello messages sent, for HSRP version 1 (the version used in the examples in this chapter), to the all-routers multicast destination address (224.0.0.2).

These two components work together to create a virtual interface that represents two or more physical interfaces on the same broadcast domain, addressed on the same subnet. In this section, we will describe a method of IPsec HA that uses this virtual interface to provide a stateless method of redundancy.

Note

This chapter discusses HSRP and VRRP in the context of IPsec HA only. For more detail on the operation of the Hot Standby Router Protocol (HSRP), refer to the following URL on CCO:

http://www.cisco.com/en/US/partner/tech/tk648/tk362/tk321/tsd_technology_support_subprotocol_home.html

Also note that we will only discuss HSRP IPsec HA alternatives, because many of the features required for stateless and stateful IPsec HA are Cisco proprietary features that work only with HSRP. For standards-track virtual interface capability, refer to the IETF's Virtual Router Redundancy Protocol (VRRP) working group charter:

http://www.ietf.org/html.charters/vrrp-charter.html


IPsec VPN tunnel termination on an HSRP interface eliminates a single point of failure in the IPsec VPN design. Consider the layout illustrated in Figure 6-3. In a nonredundant site-to-site VPN, 2651XM-VPNA would establish Phase 1 and Phase 2 SAs with only one endpoint. In this scenario, redundancy has been built into the design on cleartext routed domain A. Because of this, any device terminating an IPsec VPN tunnel to cleartext routed domain A, such as 2651XM-VPNA, has the benefit of an HSRP-based redundant termination point.

Once the IPsec tunnel itself can be built between the HSRP virtual interface on cleartext routed domain A and the physical interface on 2651XM-VPNA, the two cleartext routing domains must be informed of how to route to one another. In a stateless IPsec HA deployment, this need is currently met by deploying RRI.

Tip

Recall that without the use of IPsec+GRE, multicast traffic, inherent to the operation of many routing protocols, cannot be passed across the VPN. When a fully dynamic exchange of RP information is required, consider tunneling the routing protocol traffic through the VPN using GRE. This deployment is discussed in greater detail in Chapter 3, "Basic IPsec VPN Topologies and Configurations."


RRI

RRI can be deployed to maintain consistency between routed domains over an IPsec VPN tunnel when RP updates and hellos cannot be exchanged across the IPsec VPN tunnel. RRI does this by automatically injecting routes backward into the cleartext routing domain upon negotiation of a Phase 2 IPsec SA.

Consider again the topology described in Figure 6-3. When 2651XM-VPNA completes Phase 2 SA negotiation with the redundant HSRP pair of 7206VXRs on cleartext routed domain D, the active HSRP router of the pair (in this case C7206VXR-MAIN) injects RRI-learned static routes for cleartext routed domain A into its own routing table. RRI accomplishes this by inspecting the IP address space to be included in the crypto switching path, as defined by the crypto ACLs configured on each peer. Remember that in order for an IPsec Phase 2 SA to be negotiated correctly, the protected address space defined in the ACLs on each peer must be mirror images of one another. C7206VXR-MAIN is configured to redistribute these RRI-learned static routes into the IGP of cleartext routed domain D.

Note

For more information on protected address space definition and the impact of crypto ACL mismatches on Phase 2 SA negotiation, refer to Chapter 3, "Basic IPsec VPN Topologies and Configurations."


After a Phase 2 SA is negotiated, RRI inspects the crypto-protected address space that the two VPN endpoints have agreed on and entered in the SADB. The VPN endpoints create static routes for the corresponding address space agreed upon in Phase 2 negotiation and entered in the SADB.

Tip

VPN routes created by RRI appear as static routes, but they can be injected into a dynamic routing protocol using the redistribute static command in router configuration mode for the chosen routing protocol.


Stateless High Availability Failover Process

Stateless local site-to-site HA leverages HSRP and RRI in tandem to provide redundancy in IPsec VPN designs. In this section, we will consider a scenario in which a smaller cleartext routed domain (A, B, or C) is establishing an IPsec VPN tunnel to a larger cleartext routed domain (D) at which there are shared, business-critical resources. The communications between the two cleartext routed domains must be confidential and are therefore passed in ciphertext across a ciphertext routed domain. Figure 6-4 illustrates this topology.

Figure 6-4. Step-by-Step Stateless Local IPsec HA Failover.


The following sections describe the steps illustrated in Figure 6-4:

  • Step 1: Initial IPsec VPN Tunnel Establishment

  • Step 2: Pre-HSRP RRI Execution

  • Step 3: Active Router Failure

  • Step 4: HSRP Reconvergence

  • Step 5: IPsec Reconvergence

  • Step 6: Post-HSRP RRI Execution

Step 1: Initial IPsec VPN Tunnel Establishment

In this case, the VPN gateways at cleartext domains A, B, and C establish site-to-site IPsec VPN tunnels with cleartext domain D. Because there are critical resources that are shared among all domains (A, B, C, and D), the network architects of the firm decide to deploy stateless HA at cleartext routed domain D. The gateways on domains A, B, and C are configured normally for site-to-site connectivity, with one exception: the remote peer is defined as the HSRP virtual IP address of the redundant pair of IPsec VPN gateways at cleartext routed domain D.

The key thing to remember in this step is that the single point of failure at cleartext routed domain D is eliminated by this solution. This provides IPsec HA at the terminating peer for confidential communications used by domains A, B, and C. Again, the only configuration change required on the VPN gateways in domains A, B, and C is to define the HSRP standby IP address of domain D as the remote IPsec peer and, if using preshared keys for Phase 1 negotiation, ensure that the appropriate ISAKMP preshared key is used with that IP address.

Example 6-4 provides the configuration of an IPsec branch router, 2651XM-VPNA, in the network topology illustrated in Figure 6-4. The branch router is configured to share its ISAKMP key with 200.1.2.1, the HSRP virtual interface of C7206VXR-MAIN and STANDBY so that either router can complete Phase 1 negotiations with 2651XM-VPNA. 2651XM-VPNA is also configured to use the HSRP virtual interface of C7206VXR-MAIN and STANDBY to terminate the IPsec tunnel. This allows 2651XM-VPNA to terminate the IPsec VPN tunnel on either C7206VXR-MAIN or STANDBY, thereby taking full advantage of the stateless IPsec HA configuration in cleartext routed domain D. RRI is used to dynamically inject an IP route for cleartext routed domain D into cleartext routed domain A. RRI accomplishes this by dynamically creating static routes to 10.0.0.0/8 on 2651XM-VPNA upon successful negotiation of an IPsec SA. The RRI-learned routes are manually redistributed into the RP on 2651XM-VPNA and are subsequently propagated throughout cleartext routed domain A. This provides network elements in cleartext routed domain A the ability to route IP packets to target destinations on cleartext routed domain D.

Example 6-4. Branch Configuration for Stateless IPsec HA

hostname 2651XM-VPNA
!
crypto isakmp key cisco address 200.1.2.1
!
! The transform set and crypto ACL were not shown in the original excerpt and are
! supplied here for completeness: the transform set matches the 3DES/SHA SAs shown
! later in this chapter, and ACL 101 is the mirror image of ACL 101 on the aggregators.
crypto ipsec transform-set chap6-stateless esp-3des esp-sha-hmac
!
crypto map chap6-stateless 10 ipsec-isakmp
 set peer 200.1.2.1
 set transform-set chap6-stateless
 match address 101
 reverse-route
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255


To support the stateless HA configuration at domain D, HSRP must be configured on interfaces facing the remote branches A, B, and C in order to provide a virtual IP address that the VPN gateways on A, B, and C can terminate their IPsec VPN tunnels on. Example 6-5 shows the configuration additions required of C7206VXR-MAIN and C7206VXR-STANDBY needed to support HSRP-based termination of the IPsec VPN tunnels inbound from 2651XM-VPNA, 2651XM-VPNB, and 2651XM-VPNC.

Example 6-5. Aggregator (C7206VXR-MAIN and C7206VXR-STANDBY) Configuration on Cleartext Domain D for Stateless IPsec HA

hostname C7206VXR-MAIN
!
crypto isakmp keepalive 10
!
crypto map chap6-stateless 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set chap6-stateless
 match address 101
 reverse-route
!
crypto map chap6-stateless 20 ipsec-isakmp
 set peer 200.1.1.5
 set transform-set chap6-stateless
 match address 102
 reverse-route
!
crypto map chap6-stateless 30 ipsec-isakmp
 set peer 200.1.1.9
 set transform-set chap6-stateless
 match address 103
 reverse-route
!
interface FastEthernet0/0
 ip address 200.1.2.11 255.255.255.0
 ip directed-broadcast
 speed auto
 half-duplex
 standby 1 ip 200.1.2.1
 standby 1 preempt
 standby 1 name chap6-vpnha
 standby 1 track FastEthernet0/1 75
 standby 1 track Loopback10 75
 crypto map chap6-stateless redundancy chap6-vpnha
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.255.255.255 192.168.3.0 0.0.0.255
!
hostname C7206VXR-STANDBY
!
crypto isakmp keepalive 10
!
crypto map chap6-stateless 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set chap6-stateless
 match address 101
 reverse-route
!
crypto map chap6-stateless 20 ipsec-isakmp
 set peer 200.1.1.5
 set transform-set chap6-stateless
 match address 102
 reverse-route
!
crypto map chap6-stateless 30 ipsec-isakmp
 set peer 200.1.1.9
 set transform-set chap6-stateless
 match address 103
 reverse-route
!
interface FastEthernet0/0
 ip address 200.1.2.12 255.255.255.0
 ip directed-broadcast
 speed auto
 half-duplex
 standby 1 ip 200.1.2.1
 standby 1 priority 50
 standby 1 preempt
 standby 1 name chap6-vpnha
 crypto map chap6-stateless redundancy chap6-vpnha
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.255.255.255 192.168.3.0 0.0.0.255


Example 6-5 provides the configuration of the redundant headend routers performing IPsec VPN tunnel aggregation for the branches. IKE keepalives are the primary means by which the crypto engine learns that previously established IPsec SAs are no longer valid and must be torn down. After three keepalives are missed, the crypto engine tears down its Phase 1 and Phase 2 SAs with the unresponsive peer, allowing the remote peers to rebuild those SAs with the redundant gateway, C7206VXR-STANDBY. The crypto isakmp keepalive 10 line enables IKE keepalives on C7206VXR-MAIN. The same line on C7206VXR-STANDBY ensures that, after a failure has been repaired and C7206VXR-MAIN preempts to reclaim the active HSRP role, the SAs that C7206VXR-STANDBY was holding are detected as stale and torn down in the same way. C7206VXR-MAIN uses HSRP to present a highly available virtual interface on which branch routers terminate their IPsec VPN tunnels. The HSRP standby IP address is also the address from which the IPsec VPN tunnel is sourced on C7206VXR-MAIN or C7206VXR-STANDBY, depending on which of the two is the active HSRP router. The IPsec peer and ISAKMP preshared key statements on 2651XM-VPNA, 2651XM-VPNB, and 2651XM-VPNC must reference this address to take advantage of the stateless IPsec HA configuration between C7206VXR-MAIN and STANDBY. Tracking other interfaces on the router allows HSRP to fail over based on downstream information. In this scenario, C7206VXR-MAIN tracks Fa0/1 and Loopback10 (both tracked interfaces also appear in the show standby output in Example 6-6). If a tracked interface fails, HSRP decrements C7206VXR-MAIN's default priority of 100 by 75, yielding a priority of 25. C7206VXR-STANDBY, configured with a priority of 50 and with preempt enabled, recognizes the priority change, realizes that its own priority is now higher (50 > 25), and preemptively assumes the role of active HSRP router and, with it, active IPsec VPN gateway for cleartext routed domain D. Note that the decrement must be large enough to push the active router's priority below the standby's; a decrement that leaves it at or above the standby's priority produces no failover at all. The standby name is referenced in the crypto map, chap6-stateless, for IPsec HA.
This instructs the crypto engine to bind crypto information to the HSRP group. For example, the IPsec processes on C7206VXR-MAIN and STANDBY must use the standby address (200.1.2.1) for tunnel termination and origination rather than the physical IP addresses 200.1.2.11 and 200.1.2.12, respectively. Without the redundancy keyword referencing the HSRP standby name, the default behavior of peering directly from the physical interface IP would occur, negating the benefits of HSRP-based stateless IPsec HA. The crypto map chap6-stateless is applied to the physical interface configured for HSRP redundancy. Note also that each crypto map entry carries the reverse-route keyword, so the router automatically injects routing information for the branch networks back into cleartext routed domain D using RRI. Two details of this configuration deserve a second look before it is reused: the crypto ACLs must use IOS wildcard masks (0.255.255.255 and 0.0.0.255), not subnet masks, or the protected address space will not mirror the branch's crypto ACL and Phase 2 negotiation will fail; and ip directed-broadcast is unrelated to the HA design and is normally left disabled on an Internet-facing interface.

Example 6-5 also includes the configuration for the redundant router providing stateless IPsec HA, C7206VXR-STANDBY. C7206VXR-STANDBY's crypto map is identical to that of C7206VXR-MAIN. Note that it too uses RRI to update routing information for cleartext routed domain D; this happens only when HSRP and IPsec both fail over to C7206VXR-STANDBY. The physical interface configured for HSRP redundancy is located on the same subnet as C7206VXR-MAIN's. Many of the HSRP and IPsec parameters are identical between C7206VXR-MAIN and STANDBY, such as the crypto transform sets, the ISAKMP parameters, and the HSRP standby IP address. Others differ, such as interface tracking and priority: C7206VXR-STANDBY does not track interfaces and runs at a configured priority of 50, while C7206VXR-MAIN tracks interfaces at the default priority of 100. C7206VXR-STANDBY does, however, use HSRP preempt to assume the role of active HSRP router when it senses that the priority of C7206VXR-MAIN has dropped due to the failure of one of its tracked interfaces.

Step 2: Pre-HSRP RRI Execution

When the redundant pair of 7206VXRs is capable of building an IPsec VPN tunnel with the remote 2651XMs in Figure 6-4, there needs to be a means by which to ensure that Layer 3 devices in domains A, B, and C can route to domain D, and vice versa. Because this is a pure IPsec solution (and GRE is not in use), VPN gateways in domains A, B, C, and D are configured for RRI, which occurs in this step. RRI determines what routes to inject backwards into the appropriate routing domain by inspecting the protected address space negotiated in Phase 2 and entered in the IPsec SADB.

Example 6-6 shows the output of C7206VXR-MAIN, which is the active HSRP router terminating an IPsec connection for 2651XM-VPNA. Before taking any steps to verify the crypto operation, HSRP operation is confirmed to be working correctly, as shown in the show standby output at the top of Example 6-6. As C7206VXR-MAIN is the active HSRP router (confirmed by the State is Active line), it also assumes responsibility for terminating Phase 1 and Phase 2 SAs with its remote peers. The output from C7206VXR-MAIN's SADB shows the current ISAKMP and IPsec SAs associated with 2651XM-VPNA. The standby IP address that remote peers will use for IPsec tunnel termination is shown on the Virtual IP address line. According to the Preemption enabled line, C7206VXR-MAIN will attempt to preempt other routers in the HSRP group to become the active router whenever a priority change is detected within the group. Therefore, C7206VXR-MAIN will take advantage of preemption to resume active router responsibilities once a failure has been repaired on C7206VXR-MAIN Fa0/0 or Fa0/1. C7206VXR-MAIN tracks Fa0/1 and Lo10, and will decrement its default priority of 100 by 75 (yielding a priority of 25) if either goes down. When C7206VXR-STANDBY detects this (it is configured to preempt), it will take over as the active router for the HSRP group, as its priority of 50 is greater than C7206VXR-MAIN's new priority of 25. C7206VXR-STANDBY will also take over as the IPsec tunnel termination point for 2651XM-VPNA, 2651XM-VPNB, and 2651XM-VPNC once the required number of IKE keepalives are missed and new Phase 1 and Phase 2 SAs are negotiated. Note that the IP-Address listed for the two IPsec SAs (IDs 2001 and 2002) in the show crypto engine connections active output is identical to the HSRP standby IP address, while the ISAKMP SA (ID 8) is listed against the physical address. The IPsec SA rows therefore confirm that C7206VXR-MAIN is actively terminating IPsec VPN tunnels on the standby IP address for the appropriate HSRP group.

Example 6-6. C7206VXR-MAIN IPsec SADB before HSRP Failover

C7206VXR-MAIN#show standby
FastEthernet0/0 - Group 1
  State is Active
    14 state changes, last state change 2d13h
  Virtual IP address is 200.1.2.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (V1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.276 secs
  Preemption enabled
  Active router is local
  Standby router is 200.1.2.12, priority 50 (expires in 7.840 sec)
  Priority 100 (default 100)
    Track interface FastEthernet0/1 state Up decrement 75
    Track interface Loopback10 state Up decrement 75
  IP redundancy name is "chap6-vpnha" (cfgd)
C7206VXR-MAIN#show crypto engine connections active
   ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
    8 FastEthernet0/0      200.1.2.11      set    HMAC_SHA+3DES_56_C        0        0
 2001 FastEthernet0/0      200.1.2.1       set    3DES+SHA                  4        0
 2002 FastEthernet0/0      200.1.2.1       set    3DES+SHA                  0        4
C7206VXR-MAIN#
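
The priority, preempt, and tracking relationships that the text above checks by reading show standby by eye can be checked mechanically. The following Python script is an added example and is not part of the book or of Cisco IOS. It parses the show standby text format seen in Example 6-6, using constructed sample output for both routers modelled on Examples 6-6 and 6-10 (the standby router's output and the deliberately weakened variant are assumptions, not captures), and reports every design error that would prevent the standby from ever taking over.

```python
"""Check an HSRP pair for stateless IPsec HA from 'show standby' output (added example)."""
import re
from dataclasses import dataclass


@dataclass
class HsrpGroup:
    state: str
    virtual_ip: str
    priority: int
    preempt: bool
    hello_s: float
    hold_s: float
    tracks: dict  # tracked interface -> priority decrement


def _seconds(value: str, unit: str) -> float:
    return float(value) / 1000.0 if unit == "msec" else float(value)


def parse_show_standby(text: str) -> HsrpGroup:
    """Extract the fields of one HSRP group that decide failover (IOS 12.x text format)."""
    state = re.search(r"State is (\w+)", text).group(1)
    vip = re.search(r"Virtual IP address is (\S+)", text).group(1)
    # Capital 'Priority' is this router's own priority; the lowercase 'priority' on the
    # 'Active router is' / 'Standby router is' lines belongs to the peer and is skipped.
    prio = int(re.search(r"^[ \t]*Priority (\d+)", text, re.M).group(1))
    t = re.search(r"Hello time ([\d.]+) (m?sec), hold time ([\d.]+) (m?sec)", text)
    tracks = {iface: int(dec) for iface, dec in
              re.findall(r"Track interface (\S+) state \w+ decrement (\d+)", text)}
    return HsrpGroup(state, vip, prio, "Preemption enabled" in text,
                     _seconds(t.group(1), t.group(2)), _seconds(t.group(3), t.group(4)), tracks)


def degraded_priority(group: HsrpGroup, failed_interfaces) -> int:
    """Priority after the named tracked interfaces go down (decrements accumulate)."""
    return group.priority - sum(d for i, d in group.tracks.items() if i in failed_interfaces)


def check_failover_design(active: HsrpGroup, standby: HsrpGroup) -> list:
    """Design rules from the chapter; returns the violations (empty list means the pair is sound)."""
    problems = []
    if active.virtual_ip != standby.virtual_ip:
        problems.append("virtual IPs differ; the branches peer with a single VIP")
    if (active.hello_s, active.hold_s) != (standby.hello_s, standby.hold_s):
        problems.append("hello/hold timers differ between the two routers")
    if not standby.preempt:
        problems.append("standby lacks preempt; a priority drop on the active router will not fail over")
    if not active.preempt:
        problems.append("active lacks preempt; it will not reclaim the VIP after repair")
    if standby.priority >= active.priority:
        problems.append("standby priority is not lower than the active priority")
    if not active.tracks:
        problems.append("active tracks no interface; only lost hellos will trigger failover")
    for iface in active.tracks:  # each single tracked failure must hand over on its own
        after = degraded_priority(active, {iface})
        if after >= standby.priority:
            problems.append(f"losing {iface} leaves priority {after}, not below standby's {standby.priority}")
    return problems


# Constructed sample output modelled on Examples 6-6 and 6-10 (not captured from a router).
SHOW_STANDBY_MAIN = """\
FastEthernet0/0 - Group 1
  State is Active
    14 state changes, last state change 2d13h
  Virtual IP address is 200.1.2.1
  Active virtual MAC address is 0000.0c07.ac01
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.276 secs
  Preemption enabled
  Active router is local
  Standby router is 200.1.2.12, priority 50 (expires in 7.840 sec)
  Priority 100 (default 100)
    Track interface FastEthernet0/1 state Up decrement 75
    Track interface Loopback10 state Up decrement 75
  IP redundancy name is "chap6-vpnha" (cfgd)
"""

SHOW_STANDBY_STANDBY = """\
FastEthernet0/0 - Group 1
  State is Standby
    13 state changes, last state change 2d13h
  Virtual IP address is 200.1.2.1
  Hello time 3 sec, hold time 10 sec
  Preemption enabled
  Active router is 200.1.2.11, priority 100 (expires in 9.212 sec)
  Standby router is local
  Priority 50 (configured 50)
  IP redundancy name is "chap6-vpnha" (cfgd)
"""

# Constructed bad design: the same active router with a decrement too small to hand over.
SHOW_STANDBY_WEAK = SHOW_STANDBY_MAIN.replace("decrement 75", "decrement 40")


def audit(active_text: str = SHOW_STANDBY_MAIN, standby_text: str = SHOW_STANDBY_STANDBY) -> list:
    return check_failover_design(parse_show_standby(active_text), parse_show_standby(standby_text))


if __name__ == "__main__":
    for label, text in (("book design", SHOW_STANDBY_MAIN), ("weak tracking", SHOW_STANDBY_WEAK)):
        print(f"{label}: {audit(text) or 'OK'}")
```

Run against the two routers' real show standby output instead of the constructed strings; an empty list means every single tracked-interface failure on the active router hands the virtual IP to the standby.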


Note here that there will be reconvergence delay attributable to reconvergence of the routing tables on either side of the IPsec tunnel. The convergence delay of the IPsec design attributable to RP reconvergence can vary greatly based on a large number of variables, such as the routing protocol used, the size of the routing table, the configuration of RP timers, and the platforms selected to perform the routing functionality, among others. Because of this, within the context of this work, we will consider the total system failover time to include RRI but not system-wide RP reconvergence. In your network design, be advised that the reconvergence of routed domains should be analyzed regardless of whether a stateful or stateless IPsec HA design is selected.

Note also that in the SADB, C7206VXR-MAIN is instructed to encrypt traffic to 192.168.1.0/24, the address range used by cleartext domain A. Because C7206VXR-MAIN does not receive RP updates, which are multicast, across the VPN tunnel, C7206VXR-MAIN is configured to inject routes into cleartext domain D using RRI.

In Example 6-7, 2651XM-VPNA inserts a VPN route using static RRI as soon as a complete static crypto map is applied to an interface, which, as we will see in Example 6-8, is different from the behavior on C7206VXR-MAIN. Unlike dynamic crypto maps, static crypto maps must have manually defined peering information and complete crypto ACLs to successfully negotiate Phase 2 with a peer. RRI immediately inserts a VPN (static) route for the destination address space in the crypto ACL with a next hop of the peer IP defined in the crypto map. This is confirmed by the VPN (or RRI-learned) route being added (the VPN Route Added debug line and the show ip route static output) without any IPsec SAs present in the SADB (the empty show crypto engine connections active output at the end of the example).

Example 6-7. Verifying RRI for Domain A: RRI with Static Crypto Maps on 2651XM-VPNA

2651XM-VPNA#debug crypto ipsec
Crypto IPSEC debugging is on
!
!
*Mar  3 08:16:13.962: IPSEC(rte_mgr): VPN Route Added 10.0.0.0 255.0.0.0 via 200.1.2.1 in IP DEFAULT TABLE
!
!
2651XM-VPNA#sh ip route static
S    10.0.0.0/8 [1/0] via 200.1.2.1
2651XM-VPNA#show crypto engine connections active
   ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
2651XM-VPNA#


Example 6-8 shows RRI in operation on C7206VXR-MAIN and the resulting routing table entry that RRI injects into cleartext domain D for cleartext domain A's address space upon successful negotiation of a Phase 2 SA between C7206VXR-MAIN and 2651XM-VPNA. Unlike static crypto maps, RRI with dynamic crypto maps does not inject routing information until a Phase 2 SA is negotiated. Initially, RRI is configured on C7206VXR-MAIN, but the crypto SADB and the static routing table are both empty, as confirmed by the first show crypto engine connections active and show ip route static outputs in Example 6-8. When an IPsec SA is negotiated with 2651XM-VPNA (the negotiation is initiated by 2651XM-VPNA), C7206VXR-MAIN learns the tunnel termination endpoint on 2651XM-VPNA and which traffic to encrypt, as shown by the ISAKMP and IPsec SAs in the second show crypto engine connections active output. Using this information, C7206VXR-MAIN uses RRI to inject a route into the routing table for cleartext routed domain D, as confirmed by the VPN Route Added debug line and by the final show ip route static output. Note that C7206VXR-MAIN has negotiated Phase 1 and Phase 2 SAs with 2651XM-VPNA, providing C7206VXR-MAIN with enough information to create a route for encrypted traffic using RRI. We can now verify that the VPN route appears in the routing table with the correct network, subnet mask, and next hop (192.168.1.0/24 via 200.1.1.1, the branch peer address).

Caution

VPN routes injected by RRI appear as static routes and therefore will only exist in the routing table of the RRI-enabled IPsec VPN gateway without the aid of a selected routing protocol. To successfully propagate RRI-learned routes to the routing tables of all networked nodes participating in the routed domain, static routes must be redistributed into the chosen routing protocol.


Example 6-8. Verifying RRI for Domain A: RRI with Dynamic Crypto Maps on C7206VXR-MAIN

C7206VXR-MAIN#sh crypto engine connections active
   ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
C7206VXR-MAIN#show ip route static
C7206VXR-MAIN#debug crypto ipsec
Crypto IPSEC debugging is on
!
!
*Jul  4 11:38:13.296: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 200.1.1.1 in IP DEFAULT TABLE with tag 0
!
!
C7206VXR-MAIN#sh crypto engine connections active
   ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
    7 FastEthernet0/0      200.1.2.11      set    HMAC_SHA+3DES_56_C        0        0
 2003 FastEthernet0/0      200.1.2.1       set    3DES+SHA                  0        4
 2004 FastEthernet0/0      200.1.2.1       set    3DES+SHA                  4        0
C7206VXR-MAIN#show ip route static
S    192.168.1.0/24 [1/0] via 200.1.1.1


Notice in Example 6-8 that C7206VXR-MAIN only injects a route for 192.168.1.0/24 into cleartext routed domain D. This is because 2651XM-VPNB and 2651XM-VPNC have yet to negotiate Phase 2 SAs with C7206VXR-MAIN. Once this occurs, C7206VXR-MAIN will inject routes for cleartext routed domains B (192.168.2.0/24) and C (192.168.3.0/24).
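The two verifications that Examples 6-6 through 6-8 perform by inspection, that every crypto ACL remote network has an RRI route via the right peer and that every IPsec SA is sourced from the HSRP virtual IP rather than the physical address, can be automated against the same show and debug output. The script below is an added example, not the book's or Cisco's code. It parses constructed copies of the aggregator's crypto map and ACL configuration and of its debug/show output, modelled on Examples 6-5 and 6-8, with one extra SA row (ID 2005) invented to show what an SA wrongly bound to the physical address looks like when the crypto map is applied without the redundancy keyword. The split between IKE SAs (small IDs) and IPsec SAs (2000 and up) is an assumption taken from the example output, not a documented IOS rule.

```python
"""Verify RRI routes and HSRP-bound IPsec SAs on an aggregator from IOS output (added example)."""
import ipaddress
import re


def wildcard_to_prefix(wildcard: str) -> int:
    """IOS wildcard mask (0 bits must match) -> prefix length, e.g. 0.0.0.255 -> 24."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def parse_crypto_acls(config: str) -> dict:
    """{acl_number: [(local_net, remote_net), ...]} from 'access-list N permit ip A WA B WB' lines."""
    acls = {}
    pat = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    for num, src, swc, dst, dwc in pat.findall(config):
        local = ipaddress.IPv4Network(f"{src}/{wildcard_to_prefix(swc)}")
        remote = ipaddress.IPv4Network(f"{dst}/{wildcard_to_prefix(dwc)}")
        acls.setdefault(num, []).append((local, remote))
    return acls


def parse_crypto_map_peers(config: str) -> dict:
    """{acl_number: peer_ip} from the 'set peer' and 'match address' lines of each crypto map entry."""
    peers = {}
    for body in re.split(r"^crypto map \S+ \d+ ipsec-isakmp", config, flags=re.M)[1:]:
        peer, acl = re.search(r"set peer (\S+)", body), re.search(r"match address (\d+)", body)
        if peer and acl:
            peers[acl.group(1)] = peer.group(1)
    return peers


def parse_vpn_routes(output: str) -> set:
    """{(network, next_hop)} from IPSEC(rte_mgr) debug lines and 'show ip route static' rows."""
    routes = set()
    for net, mask, nh in re.findall(r"VPN Route Added (\S+) (\S+) via (\S+)", output):
        routes.add((ipaddress.IPv4Network(f"{net}/{mask}"), nh))
    for net, nh in re.findall(r"^S[ \t]+(\S+) \[\d+/\d+\] via (\S+)", output, re.M):
        routes.add((ipaddress.IPv4Network(net), nh))
    return routes


def missing_rri_routes(acls: dict, peers: dict, routes: set) -> list:
    """Remote networks from the crypto ACLs that have no RRI route via their crypto map peer."""
    return [(remote, peers[num]) for num, entries in acls.items()
            for _local, remote in entries if (remote, peers[num]) not in routes]


def parse_sa_rows(output: str) -> list:
    """(id, interface, local_ip, algorithm) per row of 'show crypto engine connections active'."""
    pat = re.compile(r"^[ \t]*(\d+)[ \t]+(\S+)[ \t]+(\d+\.\d+\.\d+\.\d+)[ \t]+\w+[ \t]+(\S+)", re.M)
    return [(int(i), iface, ip, alg) for i, iface, ip, alg in pat.findall(output)]


def ipsec_sas_not_on_vip(rows: list, vip: str, ipsec_id_floor: int = 2000) -> list:
    """IPsec SA rows (IDs >= ipsec_id_floor, an assumption from the chapter's output) not sourced
    from the HSRP virtual IP; the IKE SA legitimately shows the physical address and is skipped."""
    return [r for r in rows if r[0] >= ipsec_id_floor and r[2] != vip]


# Constructed inputs modelled on Examples 6-5 and 6-8: branch A is up, B and C are not,
# and SA 2005 is invented to show an SA bound to the physical address instead of the VIP.
AGGREGATOR_CONFIG = """\
crypto map chap6-stateless 10 ipsec-isakmp
 set peer 200.1.1.1
 match address 101
 reverse-route
crypto map chap6-stateless 20 ipsec-isakmp
 set peer 200.1.1.5
 match address 102
 reverse-route
crypto map chap6-stateless 30 ipsec-isakmp
 set peer 200.1.1.9
 match address 103
 reverse-route
access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.255.255.255 192.168.3.0 0.0.0.255
"""

ROUTER_OUTPUT = """\
*Jul  4 11:38:13.296: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 200.1.1.1 in IP DEFAULT TABLE with tag 0
C7206VXR-MAIN#show ip route static
S    192.168.1.0/24 [1/0] via 200.1.1.1
C7206VXR-MAIN#show crypto engine connections active
   ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
    7 FastEthernet0/0      200.1.2.11      set    HMAC_SHA+3DES_56_C        0        0
 2003 FastEthernet0/0      200.1.2.1       set    3DES+SHA                  0        4
 2004 FastEthernet0/0      200.1.2.1       set    3DES+SHA                  4        0
 2005 FastEthernet0/0      200.1.2.11      set    3DES+SHA                  2        0
"""

HSRP_VIP = "200.1.2.1"


def audit_aggregator(config: str = AGGREGATOR_CONFIG, output: str = ROUTER_OUTPUT, vip: str = HSRP_VIP) -> dict:
    acls, peers = parse_crypto_acls(config), parse_crypto_map_peers(config)
    return {"pending_branches": missing_rri_routes(acls, peers, parse_vpn_routes(output)),
            "sas_on_physical_ip": ipsec_sas_not_on_vip(parse_sa_rows(output), vip)}


if __name__ == "__main__":
    for key, value in audit_aggregator().items():
        print(f"{key}: {value}")
```

On the constructed input the audit reports domains B and C as pending (no Phase 2 SA yet, so no RRI route) and flags SA 2005 as sourced from 200.1.2.11; on a correctly configured aggregator with all three branches up, both lists are empty.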

Step 3: Active Router Failure

Once the IPsec VPN SAs are all established between the active HSRP router C7206VXR-MAIN and 2651XM-VPNA, 2651XM-VPNB, and 2651XM-VPNC, assume that C7206VXR-MAIN fails for some reason. In a nonredundant environment, all connectivity from cleartext domains A, B, and C to critical resources at cleartext domain D would be lost. Remember, though, that in this scenario HSRP is used between C7206VXR-MAIN and C7206VXR-STANDBY, and that 2651XM-VPNA, 2651XM-VPNB, and 2651XM-VPNC use that HSRP virtual IP address to terminate their IPsec VPN sessions to cleartext routed domain D. When C7206VXR-MAIN fails, therefore, C7206VXR-STANDBY takes over as the VPN aggregator for inbound IPsec VPN tunnels initiated by the three branch routers. Because the branch routers are configured to use the HSRP virtual IP address shared between C7206VXR-MAIN and C7206VXR-STANDBY, and because this address does not change during failover, no reconfiguration is required on 2651XM-VPNA, 2651XM-VPNB, or 2651XM-VPNC in a failover scenario when using this type of HA design.

Step 4: HSRP Reconvergence

In a failover scenario, the reconvergence of this design depends heavily on HSRP, because HSRP must adequately fail over the virtual IP address from the active HSRP router to the standby HSRP router before any IPsec reconvergence processes can take place. HSRP reconvergence directly depends on the exchange of HSRP hellos between the active and standby routers. The active and standby routers both actively monitor the receipt of these hello messages (multicast destination address of 224.0.0.2) and measure them against a set of predefined timers:

  • Hello Timer The amount of time between transmissions of HSRP hello messages.

  • Hold Timer The amount of time elapsed between receipt of HSRP hello messages for a neighboring HSRP router (active or standby) to be considered down.

These timers can be changed to optimize convergence in a stateless IPsec HA scenario. Example 6-9 shows the configuration change, applied identically on C7206VXR-MAIN and C7206VXR-STANDBY, that decreases the amount of time it takes HSRP, and hence the amount of time it takes the system, to reconverge.

Example 6-9. HSRP Tuning Example for Optimal Stateless IPsec HA Reconvergence.

C7206VXR-MAIN(config)#interface fa0/0
C7206VXR-MAIN(config-if)#standby 1 timers msec 30 msec 100
!
C7206VXR-STANDBY(config)#interface fa0/0
C7206VXR-STANDBY(config-if)#standby 1 timers msec 30 msec 100


Caution

Tuning HSRP timers for subsecond reconvergence upon failover greatly increases the amount of HSRP traffic on the subnet local to the routers in the HSRP group. Additionally, when timers are tuned for subsecond hello and hold times, delay between the peers on the same subnet can affect the timely processing of hellos, leading to HSRP state flapping. Exercise caution when tuning HSRP timers this tightly in order to avoid inconsistencies in the behavior of the IPsec HA design, including unexpected failover due to successive missed HSRP hellos within the configured hold timer window.


Although HSRP timers can be tuned to trim seconds off of the overall delay in reconvergence of the IPsec tunnel itself, HSRP failover delay accounts for only part of the overall reconvergence. As we will discuss later, IPsec and ISAKMP both have elements contributing much more delay to the overall reconvergence than HSRP itself, such as transmission of IKE keepalives, among other things.

Step 5: IPsec Reconvergence

After HSRP successfully fails over from C7206VXR-MAIN to C7206VXR-STANDBY, an additional step of IPsec reconvergence must occur before data can successfully be passed between domain D and domains A, B, and C. This extra step in the reconvergence of the solution is a key characteristic of a stateless failover. Because C7206VXR-STANDBY does not have any awareness of the state of C7206VXR-MAIN's SADB, C7206VXR-STANDBY must therefore rebuild the ISAKMP and IPsec SAs in its own SADB after HSRP has reconverged.

Again, there is no manual intervention or configuration change required on any of the IPsec peers for this particular failover scenario to complete; it happens dynamically once traffic is passed from 2651XM-VPNA, 2651XM-VPNB, and 2651XM-VPNC to C7206VXR-STANDBY. However, waiting for stale SAs to be torn down contributes more delay to the failover of a stateless HA solution than any other step in the process. The Cisco IOS default lifetime of an ISAKMP SA is 24 hours, and the Cisco IOS default lifetime of an IPsec SA is 1 hour. In an HA scenario, these SAs would need to expire before new ones could be built with the redundant peer, leading to unacceptably long reconvergence times. At a minimum, IKE keepalives are required to identify SAs left stale by a failover and to remove them so that they can be replaced with new SAs to the redundant peer.

Tip

Even if IKE keepalives are used, the lowest configurable number in IOS is 10 seconds between keepalives, yielding a total failover delay attributable to stale SA teardown of approximately 30 seconds (3 keepalive intervals x 10s/keepalive interval).


Example 6-10 shows output from C7206VXR-STANDBY after a failure of C7206VXR-MAIN and the reconvergence of HSRP; once IPsec has reconverged as well, the peering and proxy identities in C7206VXR-STANDBY's SADB match those listed for C7206VXR-MAIN in Example 6-6. With HSRP event debugging enabled on C7206VXR-STANDBY, the administrator can diagnose the order of events when a failure occurs on C7206VXR-MAIN. The HSRP process begins with diagnostics confirming that C7206VXR-STANDBY has taken over active router responsibilities from 200.1.2.11 (C7206VXR-MAIN). The standby router is unknown, indicating that C7206VXR-STANDBY is taking over because of a physical interface failure on Fa0/0 of C7206VXR-MAIN, which prevents it from sending or receiving HSRP hellos. The debug lines that follow the Standby -> Active transition confirm the transition of the redundancy group that the crypto process uses, "chap6-vpnha", from standby to active. This allows the local crypto process to bind IPsec and ISAKMP peering information to the virtual IP address rather than to the physical or loopback interface IP. The show standby output confirms that C7206VXR-STANDBY's Fa0/0 interface is now the active HSRP interface for the group, and the Virtual IP address line shows the HSRP standby IP address that the redundancy group "chap6-vpnha" uses to populate local tunnel termination information in C7206VXR-STANDBY's SADB. Like C7206VXR-MAIN, C7206VXR-STANDBY is also configured to preemptively assume active router responsibilities when an HSRP priority change is sensed within the HSRP group, as the Preemption enabled line shows. However, while C7206VXR-MAIN uses preemption to reclaim the role of active router after a failure has been repaired, C7206VXR-STANDBY (at its configured priority of 50) will only preempt when priority is decremented on C7206VXR-MAIN due to the failure of one of its tracked interfaces.

Example 6-10. C7206VXR-STANDBY IPsec SADB after HSRP Failover

C7206VXR-STANDBY#debug standby events
HSRP Events debugging is on
*Jul 13 19:47:37.191: HSRP: Fa0/0 Grp 1 Active router is local, was 200.1.2.11
*Jul 13 19:47:37.191: HSRP: Fa0/0 Grp 1 Standby router is unknown, was local
*Jul 13 19:47:37.191: HSRP: Fa0/0 Grp 1 Standby -> Active
*Jul 13 19:47:37.191: %HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
*Jul 13 19:47:37.191: HSRP: Fa0/0 Grp 1 Redundancy "chap6-vpnha" state Standby -> Active
*Jul 13 19:47:40.191: HSRP: Fa0/0 Grp 1 Redundancy group chap6-vpnha state Active -> Active
*Jul 13 19:47:43.191: HSRP: Fa0/0 Grp 1 Redundancy group chap6-vpnha state Active -> Active
C7206VXR-STANDBY#sh stand
FastEthernet0/0 - Group 1
  State is Active
    14 state changes, last state change 00:00:41
  Virtual IP address is 200.1.2.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (V1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.436 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 50 (configured 50)
  IP redundancy name is "chap6-vpnha" (cfgd)


Step 6: Post-HSRP RRI Execution

The final step in the reconvergence of the system is to propagate routes into the respective VPN domains. As IPsec VPN connections are built from VPN gateways C2651XM-VPNA, C2651XM-VPNB, and C2651XM-VPNC to C7206VXR-STANDBY and the SADBs are populated with the appropriate protected address scopes to be included in the crypto switching path, RRI injects routes into the appropriate cleartext routing domains. In this step, RRI on C7206VXR-STANDBY is executed in the same way that C7206VXR-MAIN executed RRI in Step 2 earlier in this process.




IPsec Virtual Private Network Fundamentals
ISBN: 1587052075