Summary


In this chapter, we discussed several key components that comprise a highly available IPsec VPN design. These components provide local IPsec HA in either of two design strategies: stateful or stateless IPsec HA designs.

Stateless IPsec VPN High Availability Design Summary

We reviewed several key concepts in this chapter relating to IPsec HA, including the difference between stateful and stateless redundancy schemes in the context of IPsec itself. Stateless IPsec HA refers to a method of delivering redundant IPsec VPN tunnels without replicating SADB state information in the SADB of a redundant IPsec tunnel termination point. Recall from our discussions of stateless IPsec HA that although there are many ways to design redundancy into an IPsec network, there are two broad categories of stateless IPsec VPN design:

  • Use of redundant paths (interfaces) for IPsec VPN tunnels

  • HSRP-based IPsec VPN tunnel termination

Path redundancy can be designed into an IPsec VPN quite easily through the use of redundant interfaces on a router or IPsec VPN gateway. As in most IPsec VPN designs, the reconvergence of this design relies most heavily on the reconvergence of the underlying RP upon failure. In this chapter, we discussed this implication and others involved in a redundant path HA design, including the setup and teardown of IPsec and ISAKMP SAs and the use of IKE keepalives in failover situations. We further discussed several ways to expedite the reconvergence of redundant interface IPsec VPNs, including the use of floating static routes to eliminate reconvergence delay due to RP updates and the use of highly available interfaces to eliminate reconvergence delay attributable to teardown and setup of IPsec and ISAKMP SAs (see Table 6-1 for a summary comparison of path redundant VPN designs and HSRP-based IPsec tunnel termination designs).

Table 6-1. Summary Design Considerations for Stateless IPsec HA

Cost

  • Use of redundant paths and interfaces: Maintenance of redundant paths can be costly, especially in WAN environments.

  • Stateless HSRP-based IPsec tunnel termination: Relates directly to the number of routers in the HSRP group. As the number of routers increases, so do costs.

Availability

  • Use of redundant paths and interfaces: Path redundancy offers end-to-end redundancy and is more comprehensive in eliminating single points of failure along the path. Redundant interfaces on the same box leave that box as a single point of failure.

  • Stateless HSRP-based IPsec tunnel termination: HA is increased at the termination endpoint level. All HSRP routers are typically on the same network segment, which limits HA relative to path redundancy. Path redundancy can be designed into HSRP-based HA designs beyond the HSRP group's local network.

Overhead

  • Use of redundant paths and interfaces: IKE keepalives and maintenance of the redundant tunnel. The SADB grows as the number of redundant sessions increases.

  • Stateless HSRP-based IPsec tunnel termination: HSRP hellos on the local HSRP group segment. Can be significant if subsecond HSRP reconvergence is used within the HSRP group.

Reconvergence Delay: Phase 1 and Phase 2 SA Maintenance

  • Use of redundant paths and interfaces: Stale SAs become a risk in redundant path schemes; use of IKE keepalives is recommended. Reconvergence delay attributable to setup and teardown of SAs can be reduced or eliminated by using highly available interfaces for IPsec tunnel origination and termination.

  • Stateless HSRP-based IPsec tunnel termination: Requires teardown of stale SAs using IKE keepalives and regeneration of new SAs when the standby router takes over as active during a failover.

Reconvergence Delay: Redundancy Protocols

  • Use of redundant paths and interfaces: None; the design relies strictly on the availability of the redundant path and the stability of the underlying routing protocol.

  • Stateless HSRP-based IPsec tunnel termination: HSRP must reconverge before IPsec can reconverge. Although HSRP can be tuned for subsecond failover, care should be taken when tuning HSRP timers that tightly.

Reconvergence Delay: Routing Protocols

  • Use of redundant paths and interfaces: The design depends heavily on RP reconvergence. When RP scalability and management are not a concern, floating static routes can be configured to decrease failover delay attributable to RP reconvergence.

  • Stateless HSRP-based IPsec tunnel termination: HSRP virtual interfaces must be routable and reachable by their remote peers, but this design minimizes the impact of RP failures.


We also discussed the benefits of stateless IPsec High Availability when terminating IPsec VPN tunnels on HSRP virtual interfaces without synchronizing IKE and IPsec SADB state between the active and redundant IPsec gateways before a reconvergence event occurs. Stateless IPsec HA solutions provide High Availability at the platform level by leveraging HSRP, rather than at the interface level. They therefore add a level of resiliency to the system beyond that provided by a single IPsec VPN gateway with redundant interfaces. Stateless HA designs such as these are somewhat hardened against RP failovers. There are, however, other elements of this design that contribute to increased failover delay, the most critical of which is the teardown and setup of Phase 1 and Phase 2 SAs driven by IKE keepalives. Recall from our discussions that IKE keepalives are a requirement for this type of stateless design and that, although they decrease the timeout of a given Phase 1 SA from 24 hours to about 30 seconds and of a given Phase 2 SA from 1 hour to about 30 seconds, there are still methods that can be deployed to eliminate this contribution to failover delay altogether. Table 6-1 shows a summary comparison of IPsec HA using redundant interfaces and paths and stateless HSRP-based IPsec tunnel termination, using selected design and deployment considerations.

Stateful IPsec VPN High Availability Design Summary

Stateful IPsec tunnel termination on a virtual interface using SSO is the only local site-to-site HA method discussed in this chapter. Stateful IPsec HA aids the reconvergence of IPsec tunnels in a failover scenario because the SADB state information on the primary peer is proactively relayed to the redundant peer before failover. The two peers use SSO to relay the information and use HSRP to provide a redundant point of origination and termination for the IPsec tunnel itself.

Rather than a variety of design benefits over stateless HA methods, stateful HA provides one major advantage: minimal reconvergence delay. This is achieved by eliminating the teardown and setup of Phase 1 and Phase 2 SAs. Recall from our previous discussions of stateless IPsec HA that Phase 1 and Phase 2 SAs must be reaped and rebuilt when a failover occurs. This is not the case with stateful HA. Recall also that three IKE keepalives must be missed for the SAs to be reaped, and that, at a minimum, those keepalive intervals are set to occur every 10 seconds. This contributes at least 30 seconds of failover delay to the stateless solution, enough delay to cause many business-critical, time-sensitive applications to fail when the IPsec tunnel fails over.

Stateful designs eliminate the 30 seconds of failover delay. Instead, stateful IPsec failover delay is attributable only to RP reconvergence and HSRP reconvergence (which can be configured for subsecond failover). For this reason, stateful failover designs are ideally suited for IPsec deployments where HA is required at the tunnel termination point and business-critical, time-sensitive applications require rapid IPsec VPN reconvergence.
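The following added example (not from the book) models the failover timelines the two preceding paragraphs compare. It implements the IKE keepalive (dead peer detection) logic the chapter describes, reaping the SA after three consecutive unanswered keepalives sent at 10-second intervals, and then adds up the failover delay for a stateless HSRP-based design (keepalive detection plus SA rebuild, with HSRP and RP reconvergence running in parallel) versus a stateful SSO design (HSRP plus RP reconvergence only). The 10 s interval and the three-miss threshold are the chapter's figures; the HSRP, RP and SA-rebuild times, and the `Scenario` class itself, are constructed inputs for illustration, not measurements or vendor defaults.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DpdMonitor:
    """Tracks IKE keepalive state for one ISAKMP SA (one side of the tunnel)."""
    interval: float = 10.0        # seconds between keepalives (chapter: 10 s minimum)
    max_missed: int = 3           # consecutive misses before the SA is reaped
    missed: int = 0
    last_ack: float = 0.0         # time of the last answered keepalive
    dead_at: Optional[float] = None

    def on_keepalive(self, t: float, answered: bool) -> None:
        """Record one keepalive sent at time t; reap the SA on the Nth miss."""
        if self.dead_at is not None:
            return                # already declared dead; nothing more to track
        if answered:
            self.missed = 0       # any reply resets the miss counter
            self.last_ack = t
        else:
            self.missed += 1
            if self.missed >= self.max_missed:
                self.dead_at = t


def dpd_timeline(peer_down_at: float, interval: float = 10.0,
                 max_missed: int = 3, horizon: float = 300.0) -> DpdMonitor:
    """Send keepalives at a fixed interval; replies stop once the peer is down."""
    mon = DpdMonitor(interval=interval, max_missed=max_missed)
    t = interval
    while t <= horizon and mon.dead_at is None:
        mon.on_keepalive(t, answered=t < peer_down_at)
        t += interval
    return mon


@dataclass(frozen=True)
class Scenario:
    """Constructed failover inputs (seconds); not vendor defaults."""
    hsrp_reconverge: float   # standby becomes active
    rp_reconverge: float     # routing settles on the new active gateway
    sa_rebuild: float        # fresh Phase 1 + Phase 2 negotiation
    peer_down_at: float      # when the active gateway fails


def stateless_failover_delay(s: Scenario, interval: float = 10.0,
                             max_missed: int = 3) -> float:
    """Stateless HSRP design: stale SAs must be reaped by keepalives, then rebuilt."""
    mon = dpd_timeline(s.peer_down_at, interval, max_missed)
    if mon.dead_at is None:
        raise ValueError("peer never declared dead within the simulation horizon")
    sa_reaped_after = mon.dead_at - s.peer_down_at
    # HSRP and RP reconvergence proceed in parallel with keepalive detection;
    # new SAs can only be negotiated once both have completed.
    return max(sa_reaped_after, s.hsrp_reconverge + s.rp_reconverge) + s.sa_rebuild


def stateful_failover_delay(s: Scenario) -> float:
    """Stateful SSO design: SAs survive, so only HSRP and RP reconvergence remain."""
    return s.hsrp_reconverge + s.rp_reconverge


if __name__ == "__main__":
    # Constructed scenario: failure just after the 20 s keepalive was answered,
    # so misses land at 30, 40 and 50 s and the SA is reaped at t = 50 s.
    scenario = Scenario(hsrp_reconverge=3.0, rp_reconverge=2.0,
                        sa_rebuild=2.0, peer_down_at=20.5)
    mon = dpd_timeline(scenario.peer_down_at)
    print(f"last answered keepalive at {mon.last_ack:.1f}s, SA reaped at {mon.dead_at:.1f}s")
    print(f"stateless failover delay: {stateless_failover_delay(scenario):.1f}s")
    print(f"stateful failover delay:  {stateful_failover_delay(scenario):.1f}s")
```

Running the script with the constructed scenario reports the SA reaped 30 seconds after the last answered keepalive, giving a stateless delay of roughly 31.5 s against 5 s for the stateful design; changing `hsrp_reconverge` to a subsecond value shows how little the HSRP timers matter in the stateless case while keepalive detection dominates.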




IPsec Virtual Private Network Fundamentals
ISBN: 1587052075