Chapter 9. Solutions for Remote-Access VPN High Availability


As workforces become more virtualized and mobile, Remote-Access Virtual Private Network (RAVPN) deployments continue to grow, which in turn drives the need for IPsec High Availability (HA) in those deployments. RAVPN deployments enable employees to securely access centralized corporate resources from any location with access to the Internet. This enables greater productivity and efficiency for sales, marketing, consulting, and any other field employees in the enterprise's mobile workforce. In this chapter, we will expand on the Remote Access VPN design introduction provided in Chapter 3, "Basic IPsec VPN Topologies and Configurations," while examining several different approaches to building high availability and load balancing into Remote Access VPN designs.

RAVPNs typically refer to topologies in which remote users establish a secure tunnel from a remote location using either a piece of client software on their laptop or a small hardware-based client at a home office or other small remote location. Although the secure tunneling requirement of an RAVPN can come in many different flavors such as L2TP and PPTP, our discussions in this chapter will be based on IPsec-based RAVPNs.

IPsec-based RAVPNs are composed of two key components: a VPN client and a VPN concentrator. To complete the RAVPN, the VPN client (whether software or hardware based) must negotiate an IPsec VPN tunnel over an IP transport (in the case of RAVPN, this IP transport is the Internet) to the VPN concentrator. In an IPsec RAVPN, the client-side network of the tunnel is typically very small, and in many cases is limited to a single user's laptop. As such, there is little need for client-specific high availability in an RAVPN implementation.

Note

When there are significant resources on the client-side private network of the RAVPN, network architects should consider migrating the design of the remote network to a small branch site-to-site IPsec VPN deployment. For more on site-to-site IPsec VPN HA, refer to Chapter 6, "Solutions for Local Site-to-Site High Availability," and Chapter 7, "Solutions for Geographic Site-to-Site High Availability."


Unlike the client side of an RAVPN tunnel, the need for high availability on the concentrator side becomes critical depending on the number of IPsec RAVPN clients the network must support. In organizations with large mobile workforces, IPsec VPN clients are often enabled on all corporate IT-supported laptops, resulting in potentially thousands of tunnels to the corporate network at any given time. The VPN concentrator provides the tunnel termination point for these thousands of users and, as such, must be deployed in a highly scalable and highly available fashion.

In this chapter, we will apply the Local and Geographic HA concepts discussed in Chapters 6 and 7 to RAVPN implementations as we explore highly resilient, scalable, and available IPsec VPN concentrator deployments targeted at supporting large numbers of IPsec VPN tunnels from clients:

  • VPN Termination with Virtual Router Redundancy Protocol (IOS or VPN3000 Concentrators)

  • VPN Termination with Hot Standby Routing Protocol (ASA5500 or IOS Concentrators only)

  • Clustering using VPN3000 Virtual Clustering Agents (ASA5500 Appliances and VPN3000 Concentrators only)

After exploring the design concepts to be evaluated for optimizing local HA in concentrator deployments, we will evaluate Geographic HA design options for optimizing availability of client access to the concentrator cluster:

  • DNS-based Session Load Balancing on Clustered Concentrators

  • Multiple Peer Definitions on the VPN Client Profile




IPsec Virtual Private Network Fundamentals
ISBN: 1587052075