In this chapter, we discussed several key components that comprise a highly available IPsec VPN design. These components provide local IPsec HA in either of two design strategies: stateful or stateless IPsec HA designs.

Stateless IPsec VPN High Availability Design Summary

We reviewed several key concepts in this chapter relating to IPsec HA, including the difference between stateful and stateless redundancy schemes in the context of IPsec itself. Stateless IPsec HA refers to a method of delivering redundant IPsec VPN tunnels without replicating SADB state information in the SADB of a redundant IPsec tunnel termination point. Recall from our discussions of stateless IPsec HA that although there are many ways to design redundancy into an IPsec network, there are two broad categories of stateless IPsec VPN design:
Path redundancy can be designed into an IPsec VPN quite easily through the use of redundant interfaces on a router or IPsec VPN gateway. As in most IPsec VPN designs, the reconvergence of this design relies most heavily on the reconvergence of the underlying RP upon failure. In this chapter, we discussed this implication and others involved in a redundant path HA design, including the setup and teardown of IPsec and ISAKMP SAs and the use of IKE keepalives in failover situations. We further discussed several ways to expedite the reconvergence of redundant interface IPsec VPNs, including the use of floating static routes to eliminate reconvergence delay due to RP updates and the use of highly available interfaces to eliminate reconvergence delay attributable to teardown and setup of IPsec and ISAKMP SAs (see Table 6-1 for a summary comparison of path redundant VPN designs and HSRP-based IPsec tunnel termination designs).
We also discussed the benefits of stateless IPsec High Availability when terminating IPsec VPN tunnels on HSRP virtual interfaces without synchronizing IKE and IPsec SADB state between the active and redundant IPsec gateways before a reconvergence event occurs. Stateless IPsec HA solutions provide High Availability at the platform level by leveraging HSRP, rather than at the interface level. Stateless IPsec HA solutions therefore add a level of resiliency to the system beyond that provided by a single IPsec VPN gateway with redundant interfaces. Stateless HA designs such as these are somewhat hardened against RP failovers. There are, however, other elements of this design that contribute to increased failover delays, the most critical of which is the setup and teardown of Phase 1 and Phase 2 SAs using IKE keepalives. Recall from our discussions that IKE keepalives are a requirement for this type of stateless design and that, although they do decrease the timeout of a given Phase 1 SA from 24 hours to about 30 seconds and of a given Phase 2 SA from 1 hour to about 30 seconds, there are still methods that can be deployed to eliminate this contribution to failover delay altogether. Table 6-1 shows a summary comparison of IPsec HA using redundant interfaces and paths, and stateless HSRP-based IPsec tunnel termination, using select design and deployment considerations.

Stateful IPsec VPN High Availability Design Summary

Stateful IPsec tunnel termination on a virtual interface using SSO is the only local site-to-site HA method discussed in this chapter. Stateful IPsec HA aids the reconvergence of IPsec tunnels in a failover scenario, because the SADB state information on the primary peer is proactively relayed to the redundant peer prior to failover. The two peers use SSO to relay the information and use HSRP to provide a redundant point of origination and termination of the IPsec tunnel itself.
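The stateless HSRP-based design summarized above, together with the IKE keepalive and floating static route techniques from the redundant-path discussion, can be expressed as a short IOS configuration. The following is an added illustration, not configuration from this chapter; the interface names, the crypto map name VPN-MAP, the HSRP group name HA-OUTSIDE, and all addresses (192.0.2.x, 198.51.100.0/24, 10.x) are assumed placeholder values.

```cisco
! Outside interface: the HSRP virtual address is the IPsec tunnel endpoint,
! so a surviving gateway inherits the peer address after failover.
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 name HA-OUTSIDE
 standby 1 preempt
 standby 1 timers msec 250 msec 750
 standby 1 track GigabitEthernet0/1
 crypto map VPN-MAP redundancy HA-OUTSIDE
!
! IKE keepalives (DPD) are mandatory in this design: without them the
! remote peer keeps its Phase 1/Phase 2 SAs until their lifetimes expire.
! 10 seconds is the minimum interval cited in this chapter.
crypto isakmp keepalive 10
!
! Floating static route toward the remote protected network: the high
! administrative distance (250) keeps it out of the table while the RP
! route exists, and it takes over instantly if RP reconvergence withdraws
! that route, so IPsec traffic is not black-holed while the RP recovers.
ip route 198.51.100.0 255.255.255.0 192.0.2.254 250
```

The `crypto map ... redundancy` keyword ties the crypto map to the HSRP group name rather than to the physical interface address, which is what allows the standby gateway to terminate the same tunnel. Because no SADB state is replicated, the remote peer still detects the failure through missed keepalives and renegotiates both SAs; the subsecond HSRP timers shorten only the address-takeover part of the delay, not the SA teardown and setup that the chapter identifies as the dominant component.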
Instead of providing a variety of design benefits over stateless HA methods, stateful HA provides one major advantage: minimal reconvergence delay. This is achieved by eliminating the teardown and setup of Phase 1 and Phase 2 SAs. Recall from our previous discussions of stateless IPsec HA that Phase 1 and Phase 2 SAs must be reaped and rebuilt when a failover situation occurs. This is not the case with stateful HA. Recall also that three IKE keepalives must be missed for the SAs to be reaped, and that, at a minimum, those keepalive intervals are set to occur every 10 seconds. This contributes at least 30 seconds of failover delay to the stateless solution, enough delay to cause many business-critical, time-sensitive applications to fail when the IPsec tunnel fails over. Stateful designs eliminate the 30 seconds of failover delay. Instead, stateful IPsec failover delay is attributable only to RP reconvergence and HSRP reconvergence (which can be configured for subsecond failover). For this reason, stateful failover designs are ideally suited for IPsec deployments where HA is required at the tunnel termination point and business-critical, time-sensitive applications require rapid IPsec VPN reconvergence.
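To show what the stateful SSO design adds on top of an HSRP-terminated crypto map, here is an added IOS illustration of the inter-device redundancy and state-replication channel; it is not configuration from this chapter. The HSRP group name HA-OUTSIDE, the crypto map name VPN-MAP, and the 10.0.0.x addresses on the link between the two gateways are assumed placeholder values.

```cisco
! Bind inter-device redundancy (SSO) to the HSRP group that owns the
! tunnel endpoint address, so HSRP role and SADB ownership move together.
redundancy inter-device
 scheme standby HA-OUTSIDE
!
! IPC association over SCTP between the two gateways. This channel carries
! replicated IKE and IPsec SA state, including keying material, so it
! belongs on a dedicated, directly connected link rather than a shared LAN.
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.0.0.2
   remote-port 5000
    remote-ip 10.0.0.3
!
! The "stateful" keyword is the only change to the crypto map binding:
! SAs negotiated on the active gateway are mirrored to the standby, so
! no Phase 1 or Phase 2 renegotiation is needed after failover.
interface GigabitEthernet0/0
 crypto map VPN-MAP redundancy HA-OUTSIDE stateful
```

With the state mirrored in advance, the remote peer never sees its keepalives fail, which is why the residual failover delay reduces to RP and HSRP reconvergence as the chapter states. Two practical checks follow from this: verify on the standby that the replicated SAs actually exist before relying on the design, and treat the replication link with the same care as the gateways themselves, since compromise of that link exposes live session keys.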