IPsec RAVPN Concentrator HA can be achieved using a virtual interface protocol such as Hot Standby Router Protocol (HSRP) or Virtual Router Redundancy Protocol (VRRP). Using HSRP or VRRP, many VPN concentrators can be made to appear as a single IPsec peer to the IPsec clients. Should a VPN concentrator in the HSRP or VRRP peer group fail, the use of a virtual interface provides resiliency to the client, enabling the client to fail its IPsec session over to another concentrator participating in the HSRP or VRRP group. In this section, we will explore several tasks to consider when selecting virtual interfaces as the RAVPN design option for RAVPN HA. IPsec RAVPN Concentrator High Availability Using VRRPVRRP is a standards-based protocol enabling multiple interfaces on different IP routers (or in this case, RAVPN concentrators) to appear as a single virtual router interface. RFC 3768 defines VRRP as an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. Tip For more information on VRRP and its many uses, please refer to the following sources of information: http://www.ietf.org/rfc/rfc3768.txt http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_tech_note09186a0080094490.shtml In RAVPN environments, this VRRP LAN is typically a network segment attached to a firewall DMZ interface on the enterprise Internet edge. Multiple VPN concentrators will be attached to the DMZ LAN, each with their own unique physical interface IP in the VRRP group. These physical interfaces will all appear to the IPsec VPN clients as a VRRP virtual router interface. As such, the clients will need only one peer definition (the VRRP router interface) to take full advantage of the redundancy provided by having multiple concentrators in the enterprise Internet edge demilitarized zone (DMZ). Figure 9-1 illustrates an enterprise RAVPN deployment in which a cluster of three VPN concentrators is deployed in a dual-DMZ firewall design at the Internet edge. Figure 9-1. Dual-DMZ VPN Concentrator Design with VRRP-Based HAThe VPN3000 concentrator configuration for IPsec, Internet Security Association and Key Management Protocol (ISAKMP), and Group/User Management is illustrated in Figures 9-2 through 9-10. Remote access VPN tunnels are typically authenticated with IKE X-Auth for per-user SA authentication granularity. Authentication using IKE X-Auth requires that a Phase 1 SA be temporarily authenticated pending successful authentication with Internet Key Exchange (IKE) X-Auth in "Phase 1.5." The IPsec group password is used to provide the temporary authentication of the Phase 1 SA. Configuration of the RAVPN group and password on the VPN3000 is illustrated in Figure 9-2. Figure 9-2. VPN3000 IPsec Group and Password ConfigurationFigure 9-3 illustrates the following parameters that can be assigned to a given IPsec VPN client during IKE Mode config. In Figure 9-3, a VPN3000 concentrator is instructed to assign clients a DNS server of 200.1.1.17 and an IP address from the range of 192.168.0.0 to its clients. Also note that, in this configuration, SEP cards 1-4 are actively participating in the acceleration of IPsec on the concentrator for this group. Figure 9-3. VPN3000 General Configuration (Client SEP Card, DHCP/Address Scope, and DNS Server Assignment)Figure 9-4 illustrates the IPsec configuration for this group, including the transform (Encapsulating Security Payload (ESP) 3DES with MD5 Hash-based Message Authentication Code (HMAC) Authentication) and the tunnel type (Remote Access). Figure 9-4. VPN3000 Group IPsec and ISAKMP ConfigurationIKE mode config can be used to assign additional parameters, such as the IP subnet mask, client banner, split tunnel policy, and NAT-T policy. Figure 9-5 illustrates the configuration of these parameters for assignment to the client via IKE mode config. Figure 9-5. VPN3000 Client Configuration (Banner, NAT-T Policy, Subnet Mask Assignment, IPsec Split Tunnel Policy)There are many different methods to assign a client an IP address, as illustrated in Figure 9-6. In this chapter, we will assign IPsec VPN clients an IP address from an address pool defined locally on the IPsec VPN concentrator using IKE mode config. Figure 9-6 illustrates the corresponding configuration on the VPN3000 concentrator. Figure 9-6. Defining Address Assignment Methods on the VPN3000Figure 9-7 illustrates the configuration of the appropriate address pool corresponding to the defined address assignment method displayed in Figure 9-6. Figure 9-7. Assigning Client Addresses from Defined IP Address Pool on the VPN3000 ConcentratorAs we had discussed previously in Figure 9-4, Phase 1 SA authentication can be done with peruser granularity when IKE x-Auth is used. Figure 9-4 provides us with the appropriate group and password configuration for IKE Phase 1 authentication, and Figure 9-8 provides us with an example of user and password credentials that will be validated with x-Auth in "Phase 1.5" negotiation. In this case, we are using the VPN3000 itself as the user database for x-Auth. However, the VPN3000 can also be configured to authenticate user credentials supplied via x-Auth using an external RADIUS database. Figure 9-8. Creating VPN3000 Internal User Database Accounts for Authentication and Authorization with IKE X-AuthFigure 9-9 illustrates the configuration of general RAVPN user authentication and authorization parameters for a given user account on the VPN3000. In this case, any four of the available SEP modules are available for processing the termination of this user's IPsec VPN tunnel. IPsec is the only tunneling protocol configured for this client to use on this particular VPN concentrator. Figure 9-9. VPN3000 Configuration for General RAVPN User Authentication and Authorization Policies with IKE X-AuthIPsec transform sets can be configured on a per-user basis. Figure 9-10 illustrates the appropriate IPsec transform configuration at the user level. Figure 9-10. Defining Per-User Allowed IPsec Transform Polices with IKE X-Auth on VPN3000 ConcentratorsThe VPN3000 concentrator must be configured with the appropriate routing protocol information in order for transparent IP connectivity to be maintained from IPsec RAVPN clients to enterprise resources located within the IPsec VPN concentrator's private network. The VPN3000 can support multiple means by which to achieve this:
In this example, we will explore the design option of using a combination of static default routing to the public network, with more specific IP subnets learned via OSPF from the enterprise network on the VPN3000 concentrator's private interface. Samples of the required configuration can be found in Figures 9-11 through 9-14. Figure 9-11. VPN3000 Static Default RoutingThe VPN3000 in this example uses OSPF to route traffic out of its private interface to the enterprise's corporate network. Figure 9-12 provides the appropriate routing configuration on the VPN3000, including OSPF area configuration and other area-level configuration parameters. Figure 9-12. VPN3000 OSPF Routing ConfigurationFigure 9-13 provides the interface-level configuration of the VPN3000's private interface, including IP address, administrative state (up/down), speed, duplex, and maximum transmission unit (MTU). Figure 9-13. VPN3000 Private Interface ConfigurationFigure 9-14 provides the interface-level configuration of the VPN3000's public interface, including IP address, administrative state (up/down), speed, duplex, and MTU. Figure 9-14. VPN3000 Public Interface ConfigurationNote Cisco VPN3000 concentrators and ASA5500 Series VPN appliances do not support HSRP. VRRP is the only virtual router protocol for first-hop redundancy supported by the VPN3000 series VPN concentrators. Routing platforms running Cisco IOS support HSRP-based RAVPN HA, as discussed later in this chapter. In the RAVPN HA design of Figure 9-1, network architects have elected to use VRRP-based tunnel termination for high availability. Concentrators VPN3060-A, B, and C all have public interfaces on the outside DMZ that are configured in the same VRRP group. Initially, VPN3060-A is configured as the VRRP "Master" (it has the highest configured VRRP priority in the group). As the master, VPN3060-A is responsible for sending multicast keepalive polls to the other concentrators in the VRRP group using the link local multicast IP address of 224.0.0.18. If one or both of the other concentrators does not see a configurable amount of keepalives in their corresponding timed intervals, the remaining concentrators in the VRRP group will undergo an election to assume the role as the VRRP master router. This process allows for resiliency in the concentrator cluster design, as illustrated in the following failures scenario for VPN3060-A in Figure 9-1:
Figure 9-15 illustrates the VRRP required on all VPN concentrators in the network topology illustrated in Figure 9-1. Figure 9-15. VPN3000 VRRP-Based IPsec RAVPN HA ConfigurationIt is critically important to consider that, in the above RAVPN design, there is no dynamic communication of IPsec configuration or state between the Master VRRP concentrator and its backup VRRP concentrators. As such, on Cisco ASA5500 and VPN3000 series IPsec VPN concentrators, VRRP-based HA options are considered to be stateless. In a VRRP-based RAVPN HA design, the master and backup concentrators must have identical IPsec and ISAKMP settings, so that clients are able to use any concentrator that happens to be the VRRP master at any given point in time. Inconsistencies in these configuration settings can lead to inconsistent success in IPsec VPN tunnel negotiation across the cluster, as some concentrators will be appropriately configured to successfully terminate inbound IPsec VPN tunnels from VPN clients, while others will not. Tip IOS IPsec features can be configured to support HSRP-based termination of IPsec VPN tunnels in a stateful manner between two IOS-based IPsec VPN concentrators (routers configured for RAVPN). Chapter 6 covers the comparison of stateless vs. stateful IPsec VPN tunnel termination in greater detail. Additionally the network design illustrated in Figure 9-1 requires that all of the VPN clients use the same VRRP Virtual Router IP address for IPsec peering to the concentrator cluster. While this does provision for high availability in the concentrator cluster, it does not provision for session load balancing. We will discuss how IPsec session load balancing can be achieved in highly available RAVPN implementations using Virtual Clustering later in this chapter. In this section, we've discussed how VRRP can be used for VPN Concentrator High Availability. The concepts of RAVPN HA discussed above are all stateless in nature, meaning that, when VPN clients successfully negotiate IPsec VPN tunnels with the concentrator, this state is not communicated to the backup concentrators in the cluster. As such, when a failover occurs on a VPN concentrator terminating IPsec VPN sessions for multiple IPsec VPN clients, these clients must renegotiate Phase 1 and 2 SAs with the backup IPsec VPN concentrator. In the following section, we will explore a stateful RAVPN HA design using Cisco IOS-based RAVPN concentrators that enables us to avoid the renegotiation of Phase 1 and 2 SAs with the backup VPN concentrators when a failure occurs on master VPN concentrator. IPsec RAVPN Concentrator HA Using HSRPHSRP operates in a similar fashion to VRRP. HSRP can therefore be used in a similar fashion to VRRP to provide IPsec Local HA. Thus far, we've discussed design options for providing stateless IPsec RAVPN HA in a VPN concentrator cluster design using VRRP. With Cisco IOS, the same design principals of a stateless RAVPN HA concentrator cluster design can be extended to incorporate stateful failover across different concentrators in a given cluster. This section discusses an IOS-based concentrator design that uses HSRP for stateful RAVPN high availability. In RAVPN concentrator cluster designs, HSRP provides high availability in a fashion similar to VRRP by electing an "active" (equivalent to the VRRP "master" concentrator) concentrator that is responsible for the forwarding of all traffic and session termination from all clients in the HSRP group. The other concentrators in the HSRP group are "standby" (equivalent to VRRP "backup" concentrators) until they assume active responsibilities due to a change in the network. Like VRRP, the HSRP active router sends periodic status messages to other concentrators in the HSRP group using a link local multicast address (HSRP=224.0.0.2, VRRP=224.0.0.18). If one or more concentrators in the HSRP group does not receive an HSRP status message within a configurable amount of timed windows, the standby concentrators then undergo an election to determine the new active HSRP concentrator/router. Like VRRP, the HSRP concentrator with the highest priority will assume the role of "active" and responsibilities for forwarding all traffic and terminating all inbound IPsec sessions for the HSRP group. Tip For more information on HSRP and its many uses, please refer to the following sources of information: http://www.ietf.org/rfc/rfc2281.txt http://www.cisco.com/en/US/partner/tech/tk648/tk362/tk321/tsd_technology_support_sub-protocol_home.html The solution for RAVPN HA discussed in this section is not primarily differentiated by the use of HSRP over VRRP. Instead, the key difference in this design is that it is stateful instead of stateless. Figure 9-16 presents a design with IOS-based VPN concentrators to deliver stateful failover across the different concentrators in the cluster. Figure 9-16. Dual-DMZ IOS-Based Concentrator Design with HSRP-Based Stateful HA.The following illustrates the HSRP-based stateful failover process for the topology depicted in Figure 9-16:
The design process described above effectively increases HA baselined in the VRRP-based dual-DMZ concentrator design of Figure 9-1, but provides little in the way of session load balancing across the concentrators in the cluster in active/active/active scenarios. When deploying this design, administrators face the same load-balancing challenges faced in our discussion of VRRP-based RAVPN HA concentrator cluster deployment. The stateful design described in this section can leverage the use of multiple HSRP groups to load balance across the VPN routers VPN7301-A, B, and C when all three routers in the cluster are active. Example 9-1 illustrates the configuration of the VPN routers VPN7301-A, B, and C for RAVPN IPsec session concentration using HSRP for stateful IPsec HA. In order to support IPsec stateful HA, VPN7301-A is configured to preemptively communicate the state of the SADB using SSO to VPN7301-B and C using the redundancy scheme "chap9-stateful" as shown in lines 8 and 9 of Example 9-1. Proactive communication of the IPsec SADB state to redundant IPsec gateways is accomplished with the SSO configurations in lines 11-22. The crypto engine is then instructed to use this SSO stateful failover configuration during the application of the crypto map in line 56. In addition to these SSO-specific configuration elements required for stateful failover, VPN7301-A's configuration has several elements required for RAVPN Termination, described in the following bulleted list:
Example 9-1. VPN7301A Stateful IPsec RAVPN HA Configuration
Note VPN7301-B and C are configured in a similar manner to VPN7301-A. They use the same radius server and key and the same HSRP standby address among other similarities. Additionally, the IPsec and ISAKMP configurations are identical between VPN7301-A, B, and C. The main differences on VPN7301-B and C are:
At this point, we've explored both stateful and stateless RAVPN HA designs, illustrating how system reconvergence can be expedited through the proactive communication of SADB state from the active concentrator (active router in the HSRP group) to the backup concentrators (standby routers in the HSRP group) resulting in a seamless failover from the VPN client's perspective (no renegotiation of IKE Phase 1 or 2 SAs). However, stateful and stateless IPsec VPN designs share one common design limitationneither provide for IPsec session load balancing, as all IPsec VPN client connections are terminated on the active HSRP (or master VRRP) router or concentrator in the concentrator cluster. Cisco VPN concentrators support dynamic per-session load balancing across the different concentrators in the cluster using Virtual Cluster Agent (VCA), which we will discuss in the following section. |