Multi-Site Dual ISP Redundant Site-to-Site VPN with OSPF Failover


By Mike Lutgen, January 2016

This document covers the configuration of a multi-site VPN scenario with dual ISPs and four VPN tunnels at each remote site; the menu paths given below are those of a Palo Alto Networks firewall (PAN-OS). The scenario has three sites: two remote branches and one main site. Each location has two ISP connections. The remote branches do not connect directly to each other, only to the main site, but every ISP link at a remote site has a tunnel to every ISP link at the main site (4 tunnels per remote site, 8 at the main site). This design tolerates the loss of a single connection at all three sites at the same time while maintaining full connectivity.

To get started, below is a quick (albeit messy) diagram of the scenario network. The black lines represent physical ISP connections, the red lines represent VPN tunnels from the main site's primary ISP connection, and the yellow lines represent VPN tunnels from the main site's secondary ISP connection. Below the diagram is a layout of each VPN tunnel with its addressing: the addresses at either end of a line are the physical interface addresses on the firewalls, and the addresses below each line at either end are the tunnel interface addresses on each end of the VPN tunnel.

Each ISP connection has a separate address range in the 10.75.200.x to 10.75.205.x range, to best simulate a truly distributed environment with completely separate address ranges. The tunnel interfaces use /30 subnets: a VPN tunnel never has more than two tunnel interfaces, so there is no need to waste addresses on a larger subnet. This guide assumes that the ISP connections at each site are up and routing correctly.

To begin, create the tunnel interfaces on each of the firewalls (Network->Interfaces->Tunnel), assign the appropriate IP addressing to each of them and add them to the appropriate zones. The tunnel interface addressing must match on either side of the tunnel (both ends inside the same /30), so keep track of which interfaces have which addresses assigned; it is easiest to just go in order. In this scenario they will all be added to a single zone called vpn. This is a generally insecure arrangement: the default intrazone rule permits traffic between interfaces in the same zone, so every tunnel endpoint can reach every other, including the branch-to-branch path through the main site. It is recommended only as an initial setup measure to verify that traffic is passing correctly before imposing security restrictions on it. Don't worry about assigning a virtual router to these interfaces yet. In this scenario each remote site will have 4 tunnel interfaces because a total of 4 tunnels will be built there, and the main site will have 8 tunnel interfaces because it will have 8 tunnels.

Next move to IPSec Tunnels (Network->IPSec Tunnels); there will be 4 tunnels for each remote site and 8 at the main site. Give each tunnel a name, specify the tunnel interface to be used for that tunnel and, in the drop-down for IKE Gateway, click the link to create a new IKE Gateway.

In the new IKE Gateway window specify the name, the physical interface this tunnel will be tied to, select the IP address in the drop-down (optional if only a single IP address is assigned to that interface), and specify the peer address and pre-shared key for this tunnel. Use a unique, randomly generated pre-shared key for each tunnel rather than one key everywhere, so that a key recovered from one branch firewall does not let an attacker impersonate every peer. After clicking OK on the IKE Gateway creation window, select the newly created IKE Gateway from the drop-down back in the IPSec Tunnel creation window, then check the box for Tunnel Monitor, specify the IP address of the tunnel interface on the other side of this tunnel (the peer's tunnel interface address) as the monitored address, and select the default Monitor profile (this will be adjusted later; create a unique Monitor Profile right away if desired). Do not specify any Proxy IDs; leave everything on that tab blank. Each of these tunnels will remain red (down) until the configuration is completed and committed on both peers.

Now move to Virtual Routers. Every site will have 3 virtual routers, no matter the number of tunnels: one for each ISP and one for all other interfaces. The reason is that each ISP connection needs its own next hop for the traffic the firewall itself originates (IKE and IPSec). Multiple default routes in a single virtual router will not accomplish this, and traffic originating from the firewall does not follow Policy-Based Forwarding rules. Create each of the ISP virtual routers, add the physical interface of the firewall that is connected to that ISP, and in Static Routes add a default route to that ISP's next hop.

After that, create the third virtual router and add all other interfaces to it, including all tunnel interfaces. If local internet access is desired at that site, add a default route whose next hop is the virtual router of the primary ISP (next hop type Next VR). Then move to Redistribution Profile and click Add. Name it, set priority 1, select Connect, and add all connected interfaces whose directly connected address ranges should be advertised through OSPF to the other locations. Optionally create a secondary redistribution profile with a priority of 2, selecting Static and specifying under Destination (the middle column) the static routes you'd like to redistribute to other locations. Do not include the 0.0.0.0/0 default route in that profile unless you intend the other sites to send their internet traffic through this one.

Switch to the OSPF tab, tick the box to enable OSPF and give a Router ID. (Note: this is NOT an IP address, though it is written as 4 octets separated by periods just like one; using an IP address of the device generally simplifies troubleshooting. It must be unique across all sites, as duplicate Router IDs break adjacencies.) Click Add to add an OSPF area, give it an area ID (for most small environments area 0.0.0.0 will work perfectly well) and click on the Interface tab. Add each of the tunnel interfaces here, accepting all of the default values except for the Link Type, which must be p2p. Toward the end of this document, tuning these timers for faster failover is covered.

Once all tunnel interfaces are added, click OK to return to the Virtual Router window on the OSPF tab. Click the Export Rules tab and Add the redistribution profile created previously so that all connected subnets are advertised as Ext-1 routes; optionally specify a metric for it (if no metric is specified, the virtual router's default metric is used). If a secondary redistribution profile was created to advertise static routes, add that one in the same manner.
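As an added example (not part of the original guide), the following Python script builds the tunnel layout that the steps above describe for the three-site scenario, checks it for the mistakes those steps warn about (tunnel addresses that do not match across the two ends, a tunnel monitor pointed at the wrong address, a tunnel.N reused on one firewall) and renders per-firewall configuration. The site names, WAN interface addresses and the 172.16.0.0/24 tunnel pool are constructed for illustration, and the PAN-OS set command shape is assumed from the 7.x-era CLI and must be checked against the target release before use.

```python
"""Plan and check the hub-and-spoke tunnel layout from the steps above.
Added example, not part of the original guide. Site names, WAN addresses and
the tunnel pool are constructed for the three-site, two-ISP scenario. The
PAN-OS 'set' command shape is assumed from the 7.x-era CLI; verify it first."""
import ipaddress
from dataclasses import dataclass
from itertools import product

# Constructed WAN addressing, one /24 per ISP link (10.75.200.x .. 10.75.205.x).
SITES = {
    "main":    {"ethernet1/1": "10.75.200.2", "ethernet1/2": "10.75.201.2"},
    "remote1": {"ethernet1/1": "10.75.202.2", "ethernet1/2": "10.75.203.2"},
    "remote2": {"ethernet1/1": "10.75.204.2", "ethernet1/2": "10.75.205.2"},
}
TUNNEL_POOL = ipaddress.ip_network("172.16.0.0/24")  # constructed; carved into /30s

@dataclass
class End:                      # one firewall's side of a tunnel
    site: str
    wan_if: str                 # physical interface the IKE gateway binds to
    wan_ip: str
    tunnel_if: str              # tunnel.N on this firewall
    tunnel_ip: ipaddress.IPv4Address
    monitor_ip: ipaddress.IPv4Address   # tunnel-monitor target: the peer's tunnel IP

@dataclass
class Tunnel:
    name: str
    net: ipaddress.IPv4Network  # the /30 shared by both tunnel interfaces
    a: End                      # hub (main-site) end
    b: End                      # remote-site end

def build_plan(sites=SITES, pool=TUNNEL_POOL, hub="main"):
    """Pair every hub ISP link with every remote ISP link: 4 tunnels per remote
    site, 8 at the hub, one /30 each, tunnel.N numbered in order per firewall."""
    subnets = pool.subnets(new_prefix=30)
    counters = {site: 0 for site in sites}
    tunnels = []
    for remote in (s for s in sites if s != hub):
        for (hi, hub_if), (ri, rem_if) in product(enumerate(sites[hub], 1),
                                                  enumerate(sites[remote], 1)):
            net = next(subnets)
            hub_ip, rem_ip = net.hosts()          # the two usable hosts of the /30
            ends = []
            for site, wan_if, my_ip, far_ip in ((hub, hub_if, hub_ip, rem_ip),
                                                (remote, rem_if, rem_ip, hub_ip)):
                counters[site] += 1
                ends.append(End(site, wan_if, sites[site][wan_if],
                                f"tunnel.{counters[site]}", my_ip, far_ip))
            tunnels.append(Tunnel(f"{remote}-isp{ri}-via-{hub}-isp{hi}", net, *ends))
    return tunnels

def ends_for(tunnels, site):
    return [e for t in tunnels for e in (t.a, t.b) if e.site == site]

def check_plan(tunnels):
    """Problems the steps above warn about: ends not in one /30, a monitor target
    that is not the peer's tunnel IP, a tunnel.N used twice on one firewall."""
    problems, seen = [], set()
    for t in tunnels:
        for end, far in ((t.a, t.b), (t.b, t.a)):
            if end.tunnel_ip not in t.net or end.tunnel_ip == far.tunnel_ip:
                problems.append(f"{t.name}/{end.site}: {end.tunnel_ip} is not a "
                                f"distinct host in {t.net}")
            if end.monitor_ip != far.tunnel_ip:
                problems.append(f"{t.name}/{end.site}: monitor target {end.monitor_ip}"
                                f" != peer tunnel IP {far.tunnel_ip}")
            if (end.site, end.tunnel_if) in seen:
                problems.append(f"{end.site}: {end.tunnel_if} assigned twice")
            seen.add((end.site, end.tunnel_if))
    return problems

def render(tunnels, site, zone="vpn", vr="vr-inside", psk="<unique-psk-per-tunnel>"):
    """PAN-OS set commands for one firewall (command shape assumed, see above)."""
    lines = []
    for t in tunnels:
        end, far = (t.a, t.b) if t.a.site == site else (t.b, t.a)
        if end.site != site:
            continue
        gw = f"ike-{t.name}"
        lines += [
            f"set network interface tunnel units {end.tunnel_if} ip {end.tunnel_ip}/30",
            f"set zone {zone} network layer3 {end.tunnel_if}",
            f"set network virtual-router {vr} interface {end.tunnel_if}",
            f"set network ike gateway {gw} local-address interface {end.wan_if}",
            f"set network ike gateway {gw} peer-address ip {far.wan_ip}",
            f"set network ike gateway {gw} authentication pre-shared-key key {psk}",
            f"set network tunnel ipsec {t.name} auto-key ike-gateway {gw}",
            f"set network tunnel ipsec {t.name} tunnel-interface {end.tunnel_if}",
            f"set network tunnel ipsec {t.name} tunnel-monitor enable yes",
            f"set network tunnel ipsec {t.name} tunnel-monitor destination-ip {far.tunnel_ip}",
            f"set network virtual-router {vr} protocol ospf area 0.0.0.0 "
            f"interface {end.tunnel_if} link-type p2p",
        ]
    return lines

if __name__ == "__main__":
    print("\n".join(render(build_plan(), "remote1")))
```

Running the script prints the 44 commands for the first remote site (11 per tunnel); `check_plan` is the part worth keeping even if you enter the plan by hand, because a monitor target that points at anything other than the peer's tunnel address will never see the peer go away, and mismatched /30s are the usual reason a tunnel shows green while OSPF never forms.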

At this point, the configuration to bring up the VPN tunnels and the OSPF neighbors is complete. Verify that a security rule exists allowing traffic to and from the vpn zone for the desired areas of the network at each location, then Commit the changes. If all configuration was completed successfully there should be 4 tunnels at each remote site showing green and 8 tunnels at the main site showing the same.

[Screenshots: Remote Site 1, Remote Site 2, Main Site]

Switch over to Virtual Routers and select More Runtime Stats for the virtual router that has all of the tunnel interfaces associated with it. On the OSPF tab, select the Neighbor sub-tab; at each remote site there should be 4 neighbors and at the main site 8.

If all is correct so far, then on the Routing tab there should be routes for all of the local subnets specified in the redistribution profiles at each of the sites, with the flags A O1 indicating that they are Active routes, learned via OSPF, of the Ext-1 type. Failover times in this configuration will be approximately 10-15 seconds; to decrease this, follow the tuning methods below.

Adjust the Monitor profile. This determines how long a tunnel interface is kept up after its monitored address stops responding (Network->Monitor). Depending on the stability of the connections at each location, it can be lowered from the default of 3-second intervals with a threshold of 5 (15 seconds before the tunnel is declared dead). In the lab it is configured at 2-second intervals with a threshold of 2 (4 seconds). At the very least, the Action should be switched from wait-recover to fail-over: wait-recover leaves the tunnel interface up and simply waits for the monitored address to return, while fail-over brings the tunnel interface down so the routes over it are withdrawn and the remaining tunnels take over. This creates faster failovers during outages.

Adjust the OSPF timers. These determine reconvergence time when a neighbor stops responding without the interface dropping (Network->Virtual Routers-><virtual router with the OSPF config>->OSPF, edit area 0.0.0.0). For each of the tunnel interfaces the Timing can be adjusted, primarily the Hello Interval and Dead Counts. The timers must match on both ends of each adjacency: OSPF carries the hello and dead intervals in every Hello packet and discards Hellos whose values differ, so a neighbor with mismatched timers never reaches the Full state. Again, how far these can be tuned depends on the stability of the connection at the particular location, but in the lab they are currently set at 5 (Hello Interval) and 3 (Dead Counts), giving failover times of 3-4 seconds. Adjusting either of these mechanisms too aggressively will cause flapping interfaces and routes and a very unstable environment; when tuning, it is better to be not aggressive enough than too aggressive.
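As an added example (not part of the original guide), the Python below models the two tuning knobs just described and applies the checks a practitioner would run before committing new timers: the monitor action must be fail-over, the OSPF timers must be identical on both ends of an adjacency, and the resulting detection window must be longer than the worst transient loss actually observed on that ISP link. The monitor defaults (3 s x 5), the lab monitor (2 s x 2, fail-over) and the lab OSPF timers (hello 5, dead count 3) are the guide's own figures; the OSPF defaults (hello 10 s, dead count 4) are assumed PAN-OS defaults, and the "longer than the worst blip" rule is a rule of thumb, not something the guide states.

```python
"""Review the tunnel-monitor and OSPF timer tuning described above.
Added example, not part of the original guide. Monitor defaults (3 s x 5),
the lab monitor (2 s x 2, fail-over) and the lab OSPF timers (hello 5, dead
count 3) are the guide's figures; the OSPF defaults (hello 10 s, dead count 4)
are assumed PAN-OS defaults, and the 'detection window must be longer than the
worst transient loss seen on the link' rule is a rule of thumb, not the guide's."""
from dataclasses import dataclass

@dataclass(frozen=True)
class MonitorProfile:
    interval: int      # seconds between probes of the peer tunnel IP
    threshold: int     # consecutive lost probes before the action fires
    action: str        # "wait-recover" or "fail-over"

    def detect_seconds(self):
        return self.interval * self.threshold

@dataclass(frozen=True)
class OspfTimers:
    hello: int         # Hello Interval in seconds
    dead_count: int    # Dead Counts; dead interval = hello * dead_count

    def dead_seconds(self):
        return self.hello * self.dead_count

DEFAULT_MONITOR = MonitorProfile(3, 5, "wait-recover")   # defaults per the guide
LAB_MONITOR = MonitorProfile(2, 2, "fail-over")           # lab values per the guide
DEFAULT_OSPF = OspfTimers(10, 4)                          # assumed PAN-OS defaults
LAB_OSPF = OspfTimers(5, 3)                               # lab values per the guide

def detection_seconds(monitor, ospf):
    """Worst case before a dead tunnel is acted on: whichever of the monitor
    (interval x threshold) or the OSPF dead interval gives up first."""
    return min(monitor.detect_seconds(), ospf.dead_seconds())

def review(monitor, local, peer, longest_blip_seconds):
    """Findings for one tunnel and its OSPF adjacency. 'peer' holds the far
    end's timers; longest_blip_seconds is the worst transient loss measured
    on that ISP link (a constructed input in this example)."""
    findings = []
    if monitor.action != "fail-over":
        findings.append(f"monitor action is {monitor.action}; use fail-over so the "
                        "tunnel interface drops and its routes are withdrawn")
    if (local.hello, local.dead_count) != (peer.hello, peer.dead_count):
        findings.append(f"OSPF timers differ ({local.hello}/{local.dead_count} vs "
                        f"{peer.hello}/{peer.dead_count}); the adjacency will not form")
    window = detection_seconds(monitor, local)
    if window <= longest_blip_seconds:   # rule of thumb, see module docstring
        findings.append(f"detection window {window}s is not longer than the "
                        f"{longest_blip_seconds}s blips seen on this link; expect flapping")
    return findings

if __name__ == "__main__":
    for label, mon, ospf in (("default", DEFAULT_MONITOR, DEFAULT_OSPF),
                             ("lab", LAB_MONITOR, LAB_OSPF)):
        print(f"{label}: detection {detection_seconds(mon, ospf)}s,",
              review(mon, ospf, ospf, 1) or "no findings")
```

With the guide's defaults the model gives a 15-second window (the monitor, not OSPF, is what notices first) and with the lab values a 4-second window, which lines up with the 10-15 s and 3-4 s failover times quoted above; feed `review` the longest outage you have actually seen on each link before copying the lab timers to a flaky circuit.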